President Donald Trump signed a cybersecurity executive order Thursday that also aims to jump-start White House efforts to modernize federal IT. The EO mirrored aspects of previous drafts, including those from the original version that direct the Office of Management and Budget and the Department of Homeland Security to assess all federal agencies' cybersecurity risks and require agencies to manage their risk using the National Institute of Standards and Technology's Cybersecurity Framework. The White House ditched its original plan for Trump to sign in January (see 1701310066).
The FCC offered additional details Thursday on a proposal to scrap Title II broadband classification under the Communications Act and revisit net neutrality rules, building on a speech by Chairman Ajit Pai Wednesday (see 1704260054). Pai, as promised, released the draft NPRM. A senior FCC official said on a call with reporters that even if there's significant public blowback against the NPRM, the FCC doesn’t make decisions based on taking the public's temperature. By our count, the draft asks for responses to more than 150 questions. It proposes a deadline of July 17 for initial comments, Aug. 16 for replies.
President Barack Obama’s signing into law of the National Defense Authorization Act (NDAA) for FY 2017 (S-2943) Friday sets up next steps for the administration on both the Broadcasting Board of Governors and cybersecurity policy. The White House announced opposition to what’s widely known as dual-hat leadership of the National Security Agency and U.S. Cyber Command. The new law also includes language on spectrum, initially negotiated in the House version earlier this year and re-emerging in the conference report several weeks ago (see 1612050042).
FCC Chairman Tom Wheeler had to “postpone some of the next steps in this combined approach” on cybersecurity -- addressing “a combination of market-based incentives and appropriate regulatory oversight where the market does not, or cannot, do the job effectively” -- due to the “impending change in Administrations,” he told Sen. Mark Warner, D-Va., in a Dec. 2 letter released Wednesday. Warner will be ranking member of the Senate Intelligence Committee starting next year. “Addressing IoT threats remains a National imperative and should not be stalled by the normal transition of a new president,” Wheeler told Warner. “I've attached an outline of a program that I believe would reduce the risk of cyber threats to America's citizens and businesses. This program includes collaborative efforts with key Internet stakeholder groups; increased interagency cooperation; and consideration of regulatory solutions by the Commission to address residual risk that cannot be addressed by market forces alone due to market failure.” That attached plan, a page and a half in length, is titled the 5G/IoT Cybersecurity Risk Reduction Program Plan and has three sections: one on Federal Advisory Committee/voluntary stakeholder engagement; one on leveraging interagency relationships; and a final one on regulatory and rulemaking activities. The FCC should issue a notice of inquiry “to develop a record and identify residual risk in the IoT commons, with the goal of determining where market failure may exist in the ISP, network element manufacturer, and device manufacturer community” and nail down best practices, the plan recommended. Then the agency should issue an NPRM “to examine regulatory measures the FCC could take to help address cyber risks that cannot be addressed through market-based measures,” it said. “The NPRM could examine changes to the FCC's equipment certification process to protect networks from IoT device security risks. … Explore the potential of a cybersecurity certification (possibly self-certification) to create a floor and identifiable risk relevant levels above the floor for device cybersecurity and a consumer labeling requirement to address any asymmetry in the availability of information and help consumers understand and make better decisions regarding the potential cyber risks of a product or service.” This month, an NOI sought comment on cybersecurity for 5G devices (see 1612160063), and the agency's Communications Security, Reliability and Interoperability Council met (see 1612210060). Wheeler had been seen as backing off of pursuing a vote on a draft that would set up a framework for the commission to hold confidential meetings with communications sector executives aimed at providing assurances on the firms’ cybersecurity practices (see 1611300063). Wheeler also told Warner the FCC’s authority over broadband empowers its cybersecurity initiatives, and staffers are “actively examining cyber challenges presented by today's end-to-end Internet environment.” A senior Republican staffer for the Senate Commerce Committee recently questioned the FCC’s approach to cybersecurity under Wheeler (see 1612060074).
FCC Chairman Tom Wheeler anticipates the Enforcement Bureau tiger teams “should be up and running” by early 2017, he told House Communications Subcommittee Chairman Greg Walden, R-Ore. That was one of the many written answers Wheeler supplied in a 40-page document sent to the House Commerce Committee this month. He and the other four commissioners were responding to questions for the record that lawmakers submitted after a July 12 FCC oversight hearing.
Federal officials highlighted the need for improved metrics on industry use of cyber-risk management best practices, and restated their commitment to using public-private partnerships to address cybersecurity issues. Deputy Assistant Secretary of Commerce Bruce Andrews emphasized metrics development during an Internet Security Alliance (ISA) event Thursday. He announced that the National Institute of Standards and Technology was releasing a draft version of its Baldrige Cybersecurity Excellence Builder voluntary cyber-risk management self-assessment tool for industry. ISA released a cybersecurity policy plan for the next administration and Congress aimed at streamlining the federal regulatory process and increasing incentives for the private sector to improve its cyber practices.
The FCC adopted an order approving a contentious Telcordia contract to be the next local number portability administrator, a commission spokesman told us Thursday. A draft order to approve the Telcordia master services agreement with North American Portability Management (charged with LNPA oversight by the FCC) had been under consideration by commissioners for over three months (see 1604080062). The spokesman said the commission also approved an order denying an April appeal (application for review) by LNPA incumbent Neustar seeking public release of the MSA (see 1604120038), which was partially unredacted later in April (see 1604260049).
The FCC approved by 5-0 Thursday most of Chairman Tom Wheeler's proposal for opening high-frequency spectrum for 5G. The order and Further NPRM got a few tweaks -- the agency will now ask about spectrum bands above 95 GHz -- but it largely tracks the proposal laid out in a June fact sheet (see 1606240026). All commissioners said the order puts the U.S. ahead of the rest of the world in the race to 5G.
The 2016 draft Republican Party platform says Republicans don’t want government to be a “meddlesome monitor” on tech policy and attacks the FCC net neutrality order and broadband policies generally. The Republican National Convention platform committee began meeting Monday in Cleveland, the site of the GOP convention beginning next week, to start debating the GOP draft platform.
The FCC Communications Security, Reliability and Interoperability Council unanimously approved recommendations from five working groups Wednesday on 911 call rerouting and the security of communications systems. FCC Public Safety Bureau Chief David Simpson assigned CSRIC the task Wednesday of forming an additional working group on security best practices for services using the Wi-Fi spectrum band. Four other CSRIC working groups reported progress toward completing recommendations due before the current CSRIC mandate ends in March 2017.