IoT Security—A Controversial Item at the FCC?
The FCC has hit the pause button on several items including new set-top box and Broadband Data Services rules, but some question whether the agency will similarly discontinue its interest in pursuing rules for IoT security.
Republican leadership in the House and Senate Commerce Committees sent letters in November to FCC Chairman Tom Wheeler requesting that the agency stop all work on controversial items. Senate Commerce Committee Chairman John Thune’s letter urged the FCC “to avoid directing its attention and resources in the coming months to complex, partisan, or otherwise controversial items that the new Congress and new Administration will have an interest in reviewing.” House Commerce Committee Chairman Fred Upton and Communications Subcommittee Chairman Greg Walden (who will take over as House Commerce Committee Chairman in the next Congress) called on the FCC to focus only on “matters that require action under the law” and on the incentive auction. Both Commissioner Pai and Commissioner O’Reilly issued statements expressing their hope that the Chairman would honor their requests.
Yet in a letter to Virginia Senator Mark Warner earlier this month, Chairman Wheeler expressed his interest in pursuing “appropriate regulatory oversight” concerning matters of IoT security. Chairman Wheeler commented that assessing IoT threats remains a top priority and should not be delayed by the pending change in Administration. The Chairman attached to his letter a draft framework for a new program to address cyber threats, what he termed the 5G IoT Cybersecurity Risk Reduction Program Plan.
Chairman Wheeler’s IoT cybersecurity plan focuses on three areas: (1) Federal Advisory Committee/voluntary stakeholder engagement; (2) leveraging interagency relationships; and (3) regulatory/rulemaking activities. Among its regulatory and rulemaking activities, the Chairman proposes the FCC do the following:
- Develop reporting obligations to address “cybersecurity data gaps” during and after a communications disruption;
- Issue a Notice of Inquiry to develop a record on the state of IoT cybersecurity; and
- Issue a Notice of Proposed Rulemaking to examine potential regulatory oversight actions on cybersecurity, including potential changes to the agency’s existing equipment certification process, as well as adopting a new cybersecurity certification process and consumer labeling requirements.
The fate of these proposals remains uncertain, and with a little over one month until President-elect Donald Trump takes office and an interim Chairman is appointed to lead the FCC, many are wondering what—if anything—the Chairman will do on cybersecurity. President-elect Trump’s FCC transition team members Jeff Eisenach and Mark Jamison are known advocates of marketplace competition and have historically been critical of agency interference. And many have called for other agencies, such as DHS, to take the lead on coordinating cybersecurity activity generally and on IoT specifically. The President’s Commission on Enhancing National Cybersecurity recently made several recommendations related to IoT, and none involved the FCC.
The U.S. has developed cybersecurity policy to date using public-private partnerships, voluntary standards and best practices, and information sharing. To ensure security in this continuously evolving IoT market, the FCC and other agencies may choose vital partnerships and industry-led efforts instead of static and potentially counterproductive rules.
Any further activity on IoT security by the FCC at this stage would require bipartisan support, and much remains to be seen how things will evolve under the incoming Trump Administration.