Until now, fighting hackers has mainly been the domain of law enforcement, intelligence services and the military. But the Federal Communications Commission, an agency better known for approving wireless mergers and regulating phone companies, intends to create a vastly expanded role for itself on cybersecurity, current and former agency officials say.
The exact nature of that role has yet to be decided, the officials said. Options range from helping telecommunications companies implement a major cybersecurity framework released Wednesday by the Obama administration to writing new rules on network reliability. In addition, the commission may lean on a recent federal court decision on net neutrality to pursue other forms of national security-related oversight.
Recent attacks on retailers, banks and other institutions have drawn regulators' attention to the security of servers, networks and industrial systems. In the case of the FCC, cybersecurity means maintaining the integrity of the telecom links between those systems, as well as making sure first-responder communications remain functional in a crisis. At the same time, other technological advances have made regulating some communications companies more difficult. By staking a claim on cybersecurity, the FCC stands to reclaim some of its bureaucratic authority.
The FCC's interest in network security dates back to 2009, when then-chairman Julius Genachowski appointed James Barnett, a retired Navy rear admiral, to head the commission's public safety bureau. Barnett created the FCC's Cybersecurity and Communications Reliability Division and launched three programs in coordination with broadband providers to, among other things, fight botnets and prevent e-mails from being hijacked and rerouted to foreign countries.
But what's coming next under FCC chairman Tom Wheeler will be an even broader effort to secure the nation's communications from online attack, said Barnett in an interview.
"Chairman Wheeler told me, 'I do not intend to be sitting in the chairman's seat when a major cyber attack occurs, having done nothing,'" said Barnett.
Wheeler has been hinting as much for several months. In July, the commission appointed David Bray, a top official from the Office of the Director of National Intelligence, as its chief information officer.
"For those of us who use the Internet to engage in public and personal transactions," Bray wrote in an FCC blog post, "it is a quality assurance concern that our digital communications on the public infrastructure be kept both secure and private."
The staffing surge continued with Adm. David Simpson, whom the FCC named as chief of the public safety bureau in November. Simpson is a former vice director of the Defense Information Systems Agency, a Pentagon unit that builds and maintains communications systems for the White House and armed services.
Then last month, Wheeler created an entirely new position known as the chief counsel for cybersecurity. Filling that post is Clete Johnson, a top Senate Intelligence Committee staffer who played a key role drafting cybersecurity legislation under Sen. Jay Rockefeller (D-W. Va.).
Much of the coming cybersecurity push will be led by Simpson, who will be in charge of expanding the cybersecurity agenda "across all bureaus" of the agency, according to Barnett. As the head of the public safety and homeland security bureau, Simpson has already played a key role in developing trials for advanced 911 services.
But Simpson is also expected to consult heavily with the private sector. Last month, wireless industry representatives met with Simpson to discuss the presidential cybersecurity framework. There's also CSRIC, a public-private working group that makes security recommendations to the FCC. CSRIC would be the organization most likely to handle the White House framework, according to an FCC official.
The FCC's plan risks creating tensions with other federal agencies, such as the Department of Homeland Security. But according to Barnett, the FCC's considerable technical expertise on communications will smooth over any conflict.
"Whether it's cable, wireless or wireline, there is a tremendous body of knowledge at the FCC that just does not exist at DHS," said Barnett. "They collaborate with us. We collaborate with them. The FCC is consulted on networks."
The growing focus on cybersecurity at the FCC comes at a time when advances in technology risk eroding some of its power. The country is in the early stages of abandoning its old, copper telephone networks. Phone companies are increasingly moving to new infrastructure based on Internet Protocol. Few regulations have been established in that area, and experts say telecom companies are partly motivated by the prospect of escaping the old rules that governed the copper system. The D.C. Circuit court also recently dealt a blow to the commission when it ruled against the FCC's net neutrality regulations (although some experts believe the agency can recover a great deal of authority through another loophole).
By seizing the mantle of cybersecurity, the FCC has an opportunity to become one of a number of key governmental players in national security. The FCC has not traditionally had a role in IT security, though it has tried on occasion to find one.
"When I was at the White House 10 years ago, you'd be at their event and they'd be trying to pick over these issues to stick a toe in," said Jason Healey, the former director for cyber infrastructure protection in the George W. Bush administration. "It hasn't been easy for them."
Others say there has never been any question of the commission's authority, especially when it comes to protecting critical telecommunications infrastructure.
"If there's anything we have jurisdiction over, it's the security of our networks," said the FCC official.