An FCC panel appears to be backing down from recommending strict cybersecurity controls to US telecoms, submitting a watered-down list of recommendations instead, reports The Wall Street Journal. The final report is scheduled to be released Monday evening.
It doesn't have regulatory authority, but its recommendations inform industry best practices
The Communications, Security, Reliability, and Interoperability Council (CSRIC) is tasked with making recommendations to the FCC for how to protect US communications systems. It doesn’t have regulatory authority, but its recommendations inform industry best practices. For instance, last year, the CSRIC unanimously recommended a code of conduct to mitigate botnet attacks, which was promptly implemented by many in the industry. This time around, the recommendations included a list known as the 20 Critical Security Controls. The list was created by a security training firm called the SANS institute, along with the National Security Agency, the Department of Defense, incident response firms like Mandiant, and companies with major security breach experience like McAfee and Lockheed. The controls include precautions like limiting which employees get administrator privileges on company networks, requiring regular backups and testing of company data, and restricting access to network ports and protocols.
An early draft of the CSRIC report obtained by The Journal included the recommendations, but they’ve apparently been excised from the final version. Instead, the panel states that it couldn’t form a consensus on how to safeguard telecommunications networks — a consensus that was apparently blocked by industry organization The United States Telecom Association, which includes representatives from AT&T, Verizon, and others.
The telecoms argue that sticking to a checklist is too rigid in practice
So why the aversion to making networks more secure? Working group co-chair and SANS founder Allan Paller says that "any connection between the FCC and any statement of what needs to be done in cybersecurity appears to be poison to these companies that control the internet." In contrast, the telecoms argue that sticking to a checklist is too rigid in practice and could place an undue burden on small companies that can’t afford to implement the safeguards. They are also concerned that with the regimented controls in place, failing to prevent cyberattacks could possibly expose them to legal liability.
Update: The full text of the report is now available online. The working group concludes that while representatives from the user community supported the controls, industry participants need "additional evaluation" to determine their applicability to the communications sector.