FCC to Focus on Mobile Security Issues, Cybersecurity Official Says
DALLAS -- The FCC didn’t go far enough when it started an initiative for a voluntary anti-bot code of conduct for ISPs and domain name system best practices, said Jeff Goldthorp, associate Public Safety Bureau chief for cybersecurity and communications reliability. “We were singlemindedly focused more on the tethered environment, less on the tetherless environment,” he said on a panel at the Telecommunications Industry Association conference on Wednesday.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
"We were a little narrowminded about” the ISP initiative, Goldthorp said. “We have to revisit this, I think, because there’s no reason to believe that mobile devices aren’t going to get botted just as easily.” That’s especially since there aren’t as many legacy security solutions currently available for mobile devices, he said. “That is a particular problem that we're going to start to focus on more at the commission.”
The commission also wants to raise the level of awareness of the user community. “They're holding computers in their hand,” he said. “It’s not a phone anymore, and a lot of folks still think of them as phones."
"Obviously our jurisdiction in this area is a little bit weak right now,” Goldthorp said of some wireline cybersecurity issues. “Our jurisdiction is stronger in wireless,” because wireless devices emit RF radiation. “We can do almost -- I mean, we really have a lot of authority.” In contrast, on wireline “our authority is extremely circumspect,” he said. “Since wireless is the growing area, would we then say, ‘okay, we really do need some stronger regulation in these areas. Let’s take advantage of the fact that we've got stronger authorities in wireless and pass some rules'?” That’s “a dangerous question for me to answer,” Goldthorp said.
Based on what the FCC has seen the industry do voluntarily, “we have every reason to believe” that voluntary industry action will work,” Goldthorp said. Industry has also agreed to put forth metrics to measure the performance of the security steps it’s taking. “If the voluntary actions are working, there’s no reason for us to do anything else,” Goldthorp said. “If things change and we find ourselves in a different situation, we would not foreclose any use of our authorities to deal with the issues that come up."
Voluntary agreements are important because currently there “really isn’t much in the way of federal regulation” of ISPs when it comes to security issues, Goldthorp said. There are no rules requiring ISPs to implement DNSSEC. “Nobody has to do any of this,” he said. “ But there’s a lot of force that comes to bear when you get everybody together.” It helps with the large first-mover disadvantage, he said. “If you can get everybody to take the first step together, it makes it a lot easier for even one person to act.”