Federal Communications Commission Chairman Tom Wheeler said Thursday cybersecurity throughout the private sector must improve significantly beyond what existing voluntary frameworks have so far been able to deliver, but he stopped short of calling for new government regulations to get there.
In what some experts are calling one of the most substantive policy statements on cybersecurity in years, Wheeler said the nation must “develop market accountability in cybersecurity that doesn’t currently exist” and that while new regulations are not the answer to improving security, the government must be ready to adopt alternative approaches if the free market fails.
“The network ecosystem must step up to assume new responsibility and market accountability for managing cyber risks,” Wheeler said, speaking June 12 at a cybersecurity event hosted by the American Enterprise Institute in Washington, D.C. “The challenge is that the private sector-led effort must be more dynamic than traditional regulation and more measurably effective than blindly trusting the market or voluntary best practices to defend our country.”
“We believe in a new regulatory paradigm where the commissioner relies on industry and the market first while preserving other options if that approach is unsuccessful.” – FCC Commissioner Tom Wheeler, speaking June 12 at the American Enterprise Institute.For some who have been following the many twists and turns that critical infrastructure cybersecurity has made since the formation of the Department of Homeland Security in 2003, Wheeler’s speech was a watershed moment.
“Chairman Wheeler ‘s measured yet bold call for a new market-based cybersecurity paradigm is one of the clearest policy statements on cyber in years,” said retired Rear Adm. Jamie Barnett, a partner in Venable LLP’s cybersecurity practice and a former chief of the FCC’s Public Safety and Homeland Security Bureau.
“He is saying to carriers and ISPs that the FCC will work with you but that cybersecurity must improve past what the market has been willing to bear so far. He said the word ‘accountability’ a half dozen times at least, so while no heavy-handed regulations are expected, I expect changes in what the FCC expects to hear from ISPs on cybersecurity status—that means some sort of voluntary reporting schema,” Barnett said.
And perhaps most important, Wheeler “preserved his options if cybersecurity does not improve measurably,” Barnett said.
“We believe in a new regulatory paradigm where the [FCC] commissioner relies on industry and the market first, while preserving other options if that approach is unsuccessful,” Wheeler said.
That market-based voluntary approach to improving cybersecurity is the centerpiece of the Obama administration’s recently released Framework for Improving Critical Infrastructure Cybersecurity. But there has been no verifiable data on industry’s adoption rate of the framework and no proof it is actually improving cybersecurity across the nation’s critical infrastructures — the vast majority of which are owned and operated by private companies.
Jeffrey Eisenach, a visiting scholar at AEI, characterized Wheeler’s comments as part of “a very important agenda” that is trying to strike the proper balance between what the market is willing and able to do on its own and the mission of the FCC to protect the public’s interest.
“What you have here is the chairman [of the FCC] laying out a larger strategy,” Eisenach said. “It was a process-oriented speech, which is appropriate.”
“The underlying message today was that the FCC is willing to go along [with the voluntary framework], however they’re going to decide if it’s sufficient and if additional actions are needed,” said Bob Dix, vice president at Juniper Networks, in an interview with FedScoop.
Dix, who also took part in a panel discussion at the AEI event, said the government’s voluntary framework and its leadership of national cybersecurity matters overall suffers from inefficiencies and duplication of effort.
“While I think there are a lot of good and decent men and women working in the Department of Homeland Security and other agencies of the government, the complete lack of coordination that exists today is doing damage to our country,” Dix said during the panel session. “We need a better model of coordination that gets us all heading in the right direction. And we need it today.”
