Enter Stage Right – a New Cyber Regulator Steps into the Spotlight
The Chairwoman of the Federal Communications Commission recently articulated a new vision of that agency’s role in the nation’s cybersecurity. The FCC, as an independent agency with a relatively discrete set of regulatory mandates (as compared to, for example, the Federal Trade Commission), has not historically played a central role in cybersecurity. While this was cause for some consternation on the part of at least one past Chairman, it was consistent with the general focus of past Presidents and national security policy on collaboration in lieu of regulation, and on empowering certain executive branch agencies, with their relatively more nimble authorities and history of public-private partnerships.
The U.S. Department of Homeland Security has long been the “sector specific agency,” in the lingo of President Obama’s key Executive Order. Several longstanding partnerships operate with the new Cybersecurity and Infrastructure Security Agency (CISA), which the communications sector has lauded and supported. Recent Executive Orders make scant or no reference to the Federal Communications Commission, directing myriad workstreams on cybersecurity to be led by other agencies.
Nonetheless, the Rosenworcel FCC is aggressively claiming a broader role for the FCC, asserting some novel authorities along the way. The Chairwoman is building on her own past calls for a bolder FCC approach to cybersecurity. Perhaps empowered by recent agency victories (in the DC Circuit and in the Fifth Circuit, as well as in Congress) in the move to address particular Chinese companies that pose national security risks, the FCC is not stopping there. The tech sector, telecoms, cable, wireless, broadcast and device manufacturers, domestically and abroad, face new regulatory risks. Recent remarks by the Chairwoman confirm the direction suggested by a series of regulatory proceedings before the agency: the FCC is going to try to invigorate its baseline authorities with a broad cybersecurity mandate in order to regulate the communications sector.
The Chairwoman rests the security imperative, as she sees it, on 5G and its future potential—and risk. She said “5G networks connecting so much more in our lives will mean a broader attack surface for cyber events” and described some of the major things she has been promoting. She lauded several longstanding cornerstones of key partnerships and collaboration, including what she called “one of the FCC’s most forward-leading public private partnerships—the Communications Security, Reliability, and Interoperability Council.”
But she also articulated a more regulatory agenda, which is reflected in several proposals from the FCC for new rules. These proposals raise important—and sometimes hard—questions about the role of this particular agency in shaping the direction of federal security policy.
Here are some of the key developments to watch:
- Possible new and more burdensome data security and incident reporting obligations. The FCC has proposed updating its regulations covering customer proprietary network information (CPNI), but has also proposed a far broader foray into regulation of data that has traditionally been beyond the FCC’s oversight, which is presently subject to FTC, state, and other agency regulation and oversight. These proposals are predicated on new and evolving cyber threats that the agency believes are insufficiently addressed by its current rules.
- Possible direct regulation of connected devices, either narrowly for updates and patching, or more broadly, as articulated in a 2021 Notice of Inquiry that asked how the Commission could “encourage manufacturers who are building devices that will connect to U.S. networks to consider cybersecurity standards and guidelines.” The agency received numerous comments suggesting a high degree of caution was appropriate before it tasked its Office of Engineering and Technology, or the associated Telecommunications Certification Bodies, with developing rules and policing the vast and quickly changing landscape of connected devices. The Chairwoman touted this inquiry and also noted that she is “working with colleagues across the government to explore how commercial labeling efforts can help improve security for the internet of things.” This refers to work underway pursuant to Executive Order 14028, to pilot a consumer labeling initiative, which responds to several calls for mandatory security labeling by some members of Congress and the former Cyberspace Solarium
- A bevy of specific cyber rules targeting discrete services or operations. In the Chairwoman’s remarks she called for increased resilience to attacks and suggested that several pending rulemakings will advance those goals. “Late last year, following reports that the Nation’s emergency alerting systems were susceptible to serious security vulnerabilities, we launched a rulemaking to require broadcast Emergency Alert System and Wireless Emergency Alert System participants to have a cybersecurity risk management plan and deploy the most recent security patches.” Comments to the Commission on these issues suggest that overlapping and service-specific regulation may not be the best path forward, but the agency clearly believes it has the authorities needed to head down this regulatory road.
- Increased reviews by the FCC and Team Telecom of past regulatory authorizations to companies that are perceived to present security risks, and to companies with foreign investment. The Chairwoman lamented the lack of ongoing review of companies after they receive authorizations, and agreed with a past Congressional Subcommittee report that “recommended requiring some review of Section 214 authorizations to account for evolving national security risks.” She committed soon to “share with my colleagues a rulemaking to explore this concept. I believe we can modernize our process to address these concerns while ensuring that the United States honors the expectations of Section 214 license holders so that the United States remains a safe and attractive place to do business.” This portends increased and ongoing scrutiny of companies with authorizations, despite and perhaps in addition to the regular oversight of many such companies by “Team Telecom,” which was more formally recognized in Executive Order 13913 as the Committee to “assist the FCC in its public interest review of national security and law enforcement concerns that may be raised by foreign participation in the United States telecommunications services sector.”
When all is said and done, we are in the first act of what promises to be a substantial new era of FCC regulation in the name of national security and cybersecurity. This more muscular approach will raise numerous questions about the prudence and efficacy of certain choices, but also about the limits of the role given to the FCC by Congress. Should the FCC be positioning itself as a cyber and national security regulator, particularly where Congress has not directed it to take on such a role? Recent laws like the Secure Networks Act and the Secure Equipment Act require particular FCC actions, but tend to suggest that the agency may not have plenary national security authority. Likewise, Congress placed DHS at the center of a new cybersecurity incident reporting regime in the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). Recent Executive Orders and strategy documents make scant reference to the FCC as an actor in cybersecurity. In addition, several proposals beg important questions of institutional capacity and expertise – facing a well-recognized shortage of cybersecurity expertise, will it be possible to build at the FCC the sort of depth and breadth of knowledge that will support sound policy and reasonable enforcement? While courts have recently been deferential to the FCC in its efforts to tackle national security issues, significant questions remain about the outer boundaries of its authority, and some of these recent aggressive proposals will likely face legal challenge.
In a period of such substantial cyber and national security activity across government (including the SEC, FTC, CFPB, DHS, TSA), it will be imperative, as the Chairwoman notes, to promote harmonization and cooperation. Domestic and overseas companies should heed the message from the Chairwoman and watch for further developments.