A Federal Communications Commission report on Cybersecurity Risk Reduction tells the agency to make cybersecurity a focus of its mission by enforcing stronger breach reporting requirements and piloting a program for companies to learn how to mitigate data breaches.
The report, written by David Simpson, chief of the FCC’s Public Safety and Homeland Security Bureau, is intended to provide guidance for the FCC as it wrestles with striking the right balance between allowing market forces to drive security improvements and performing its regulatory and oversight functions. One of the most critical areas of concern is in the realm of private sector reporting of cyber incidents.
Customers might not realize that a data breach has occurred when it does not affect the ability of Internet service providers to continue functioning normally, even though consumer information could still be stolen.
The report also told the FCC to enforce reporting rules to include any broadband-based communications. This will enable the FCC to analyze trends in breaches and identify recurring vulnerabilities.
The report said that the FCC could tie subsidies to cyber risk reduction efforts made by small business service providers. This would encourage the technology sector to build security into its products from the ground up instead of considering it an afterthought. The FCC should also sponsor a pilot Information Sharing and Analysis Organization program to give small and medium-sized communications providers experience with how to handle cyber breaches.
In September, senators questioned Yahoo on whether it promptly and accurately reported on a data breach that affected 500 million accounts. The senators requested that Yahoo brief its staff on those questions to help Congress and the public better understand what happened. Tighter reporting requirements would hold companies to a higher standard.
“The FCC, with [the Department of Homeland Security] and industry, should seek to change the corporate culture from one where fear of liability from sharing is replaced,” the report stated.
The FCC is expected to hear recommendations in March about how information about cyber breaches can be shared more effectively between industry and government.
The report suggested that the FCC find out what types of cyber talent are needed in the communications and public safety industries and communicate that to universities.
The FCC oversees Internet service providers and makes decisions on topics such as net neutrality rules and privacy protections for online consumers. The report said that the agency could focus on the cybersecurity part of its mission by working with industry to develop best practices, promoting security by design, adopting rules requiring licensees for 5G wireless networks to submit a cybersecurity plan before commencing operations, strengthening data breach reporting requirements, improving information sharing, and establishing cybersecurity as a factor in merger reviews.
“The holistic nature of the interdependent services and exposed attack surface suggest that an ‘all hands on deck’ approach for residual risk, utilizing the full range of government expertise and authorities working with commercial providers, is appropriate,” stated the report.