In recent months, the Federal Communications Commission has quietly worked to expand its role among federal agencies charged with protecting the nation's networks from cyberattack. On Thursday, the agency sought to take the lead again, unveiling a new regulatory model aimed at helping phone companies and other telecommunications firms defend themselves from malicious hackers.
Under the plan, companies such as AT&T, Verizon, Sprint and others are being asked to voluntarily shore up their networks and to develop a system for ensuring the work is done on schedule. The FCC is also exploring how to bring companies together to research new technologies to thwart hackers and to study the state of the nation's cybersecurity workforce.
The FCC's job is not to regulate cybersecurity but to create a "new paradigm" that moves faster than the traditional rulemaking process, FCC Chairman Tom Wheeler said Thursday.
"Companies large and small within the communications sector must implement privacy-protective mechanisms to report cyber threats to each other, and, where necessary, to government authorities," Wheeler said. "We cannot continue on a path that lets individual networks put other networks, American businesses and consumers at risk. We need to develop market accountability that doesn’t currently exist."
The FCC's new initiative comes months after another federal agency, the National Institute of Standards and Technology (NIST), rolled out a set of recommendations for businesses looking to bolster their cyberdefenses. National security officials have warned that if companies fail to strengthen their protections for infrastructure and customer data, the nation's economy could grind to a halt.
NIST's cybersecurity guidelines were unveiled in March. But senior administration officials at the time acknowledged that there was no way to determine whether companies were actually adopting the framework. The FCC's new procedure may partially address those concerns: Companies would voluntarily commit to adopting cybersecurity safeguards and take self-designed corrective measures when those standards are not met.
"It is crucial that companies develop methodologies that give them a meaningful understanding of their risk exposure and risk management posture that can be communicated internally and externally," said Wheeler. "That is what we are asking our stakeholders to do."
Industry officials welcomed Wheeler's call to action.
"Broadband providers must work collaboratively with government and across various sectors to develop sound industry practices," said Comcast senior vice president Myrna Soto. "Comcast will continue working with the chairman, his fellow commissioners, and the dedicated staff at the FCC to help achieve these important goals."
Wheeler was the keynote speaker at a Washington conference on cybersecurity — an indication of the FCC's growing assertiveness in the area of public safety and national security. To date, such events have been largely dominated by defense and homeland security officials. But under Wheeler, a former top lobbyist for the wireless and cable industries, the FCC has claimed that protecting communications networks falls squarely within its jurisdiction.
Other agencies have sought to stake out their own claims on cybersecurity. The Federal Trade Commission said Thursday that it has pursued more than 100 cases against companies that have allegedly made deceptive statements about privacy, and 50 cases in which companies have caused "substantial harm" to consumers by improperly collecting, storing and using customer information.
But Wheeler has filled his agency with officials with national security experience with the express intent to weigh in on cybersecurity. Among them are Adm. David Simpson, a former vice director of the Defense Information Systems Agency, and Clete Johnson, a top former staffer on the Senate Intelligence Committee.
"The FCC’s responsibility to promote public safety and network security is fundamental," Wheeler said. "Agency-wide,