US communications agency plans cybersecurity boost to protect Internet of Things

The Federal Communications Commission has not officially shared measures it pland to take to protect Americans, but Chairman Tom Wheeler has outlined a program he thinks would “reduce the risk.”  

READ MORE: Internet of Things believed to be targeted in massive DDoS attacks

Chairman Wheeler wrote a response to Senator Mark Warner (D-Virginia), addressing concerns about efforts the federal government is making to stand up to cyber attacks. After a mass cyber-attack crippled a vast swath of the internet in October, Warner asked the FCC, Federal Trade Commission (FTC) and the Department of Homeland Security’s National Cybersecurity & Communications Integration Center (NCCIC) about tools to fix “weak security.” 

In his letter published Monday, Wheeler shared the key points of what he titled a “5G/IoT cybersecurity risk reduction plan program.”

It states that the FCC should develop risk reduction standards, which would be adopted and implemented by internet service providers (ISPs).

Under the Open Internet Order, ISPs are responsible for taking measures to protect networks from harmful devices, ensure network security and integrity, as well as address denial of service attacks (DoDs), like those that happened in October.

“I do, however, share your concern that we cannot rely solely on the market incentives of ISPs to fully address the risks of malevolent cyber activities,” Wheeler wrote. 

He said the Notice of Proposed Rule Making should be issued to examine regulatory measures that his agency could take to help address cyber risks.

The plan proposes that the NPRM include “a cybersecurity certification (possibly self-certification)” and “a consumer labeling requirement to address any asymmetry in the availability of information and help consumers understand and make better decisions regarding the potential cyber risks of a product or service.”

“The NPRM could examine changes to the FCC’s equipment certification process to protect networks from IoT device security risks,” Wheeler suggested.

He stressed that the FCC could also consider “existing legal authorities” to protect networks from IoT device security risks.

Wheeler’s plan also proposes issuing a “notice of inquiry” to keep record and identify residual risk in the IoT commons.

There should also be a “Cybersecurity Forum for Independent and Executive Branch Regulators to coordinate regulatory approaches to address loT residual risks across the broader regulatory environment,” he wrote.

However, Wheeler said the FCC has to postpone “some of the next steps in light of the impending change in administrations,” while stressing that “the normal transition of a new president” should not stall the process.

Senator Warner’s statement said he “applauded” the response of the FCC, stressing that it “offers a plan to reduce risks from insecure devices, provides the incoming Trump Administration with a roadmap for additional work in this area.”

“The Commission’s response to my questions validates my concerns about the risk of crippling cyberattacks made easier through connected consumer appliances and wirelessly connected household devices,” Warner said. “The FCC chairman confirms that internet service providers already have the authority – if not the responsibility – to protect their networks by blocking malicious and harmful traffic. I also am pleased to learn the FCC also has been discussing improved tools, including setting security standards for IoT devices, to better protect consumers as well as the broader internet.”