Report Stops Short of Backing ISP Cyber-Security Rules
An FCC advisory group has released a report with recommendations for how communications companies can best handle cyber-security threats, but ISPs were reportedly successful in getting some of those suggestions watered down before publication.
The Communications, Security, Reliability, and Interoperability Council (CSRIC) this month released a report that basically covers the best practices companies might implement to guard against hackers.
A working group inside the independent CSRIC included representatives from top tech firms like Sprint, AT&T, Cox, Verizon, Comcast, and Microsoft, in addition to state telecom officials and industry groups. The group was charged with taking the “20 Critical Security Controls for Effective Cyber Defense” and seeing which bits could be applied to the communications sector.
According to the Wall Street Journal, an original draft of the report seen by the paper backed the 20 controls, but the final report did not.
Indeed, the report found that “there is not a consensus within Working Group 11 regarding the extent to which the FCC should encourage the communications industry to use the 20 Controls.”
The group found that “the 20 Controls have been effective in guiding security management in enterprise and government institutions,” but when it comes to the communications sector, there should be “additional evaluation in order to determine the extent to which the 20 Controls protect network infrastructure directly; as well as, to determine the applicability of the 20 Controls to communications sector.”
As the Journal noted, “the development may be indicative of the tensions to come as the government looks at tougher oversight of the private sector’s cyber-security defenses.”
Just prior to his State of the Union address, President Obama released an executive order that is intended to improve the security of Internet-based critical infrastructure. Obama’s plan would allow federal agencies to notify private companies if they detect any sort of cyber intrusion that would harm operations or the security of company data.
In Congress, a bill known as CISPA includes that provision, but goes one step further to allow private companies to turn over data about cyber attacks to the feds. The White House has voiced concern about that aspect, and while CISPA passed the House during the last Congress, it failed to make any headway in the Democratic-controlled Senate.
The CSRIC report mentioned that “the FCC should encourage the industry, working with experts from other areas of cyber security, to share threat information, to continue to define prioritized controls and to develop, prioritize, and refine associated best practices consistent with the ever evolving cyber-attacks and exploits.”
Last year, the FCC used recommendations from the CSRIC to craft a plan that called on ISPs to take specific steps to combat online threats – specifically, botnets, domain name fraud, and IP hijacking.
By Chloe Albanesius, PCMag