Jan. 17 ORAN Panel

Witnesses Cite FCC Cyber Push, Rip-and-Replace Funding Ahead of House Hearing

A Thursday House Communications Subcommittee hearing on communications infrastructure cybersecurity issues is expected to include the FCC’s Secure and Trusted Communications Networks Reimbursement Program and the thus far unsuccessful push to allocate another $3.08 billion to fully pay back participants (see 2311070050). However, just one of four scheduled witnesses mentions the matter in written testimony. Other items the House Commerce Committee identifies in a memo ahead of the hearing include the FCC’s NPRM seeking to establish a schools and libraries cybersecurity pilot program, the commission’s voluntary Cyber Trust Mark cybersecurity labeling effort for smart devices (see 2308100032) and concerns about Chinese telecom equipment manufacturers’ potential threat to U.S. IoT devices. The hearing is scheduled to begin at 10 a.m. in 2123 Rayburn.

House Communications separately plans a Jan. 17 hearing focused on using open radio access networks to strengthen U.S. wireless leadership, Commerce said Wednesday. “In order to win the future, we must ensure networks are secure and that America -- not communist China -- is leading the innovation, developing the technology, and deploying it,” said House Commerce Chair Cathy McMorris Rodgers, R-Wash., and Communications Chairman Bob Latta, R-Ohio. ORANs “are a key part of achieving this goal.” The panel will begin at 10 a.m. in 2123 Rayburn.

Clete Johnson, a Center for Strategic and International Studies senior fellow, is the only witness who mentions the FCC’s rip-and-replace program in his written testimony. “Full funding” of the initiative is needed to ensure “smaller networks” jettison “untrusted equipment” from Huawei and ZTE, Johnson says. House Commerce’s memo notes the rip-and-replace program’s funding shortfall and the FCC’s mandate to prorate payment of participants’ reimbursement claims at 39.5% absent additional appropriations from Congress. The FCC told Congress last week just five participating entities filed certification indicating they completed or were in the process of completing rip-and-replace work, with many others citing funding issues as a reason for delays (see 2401080075).

Johnson and other witnesses praised the FCC’s Cyber Trust Mark program’s potential to improve IoT devices’ security. “This new program can leverage extraordinarily powerful global market drivers to ensure security throughout the product development and operation of consumer IoT devices” and “devices earning the Mark will gain significant legal protections and security credibility,” Johnson says. Fortinet believes the program “could serve as a model for enabling more informed decision making in other parts of the cybersecurity marketplace as well,” Cyber Policy Head Jim Richberg's testimony says.

The Connectivity Standards Alliance believes the Cyber Trust Mark program will provide consumers a “new tool that will give them confidence that the products they are purchasing meet baseline cybersecurity requirements,” CEO Tobin Richardson writes. “They can just look for the new FCC label. And manufacturers will have a cost-effective way to check once that they comply with IoT security rules in the US and other countries.” The program “will be most effective if it remains voluntary and focused on IoT devices,” he adds. “We also recommend the FCC structure the program to allow it to [be] strong enough to meaningfully address IoT security” and “flexible enough to incentivize private sector adoption.”

The Electronic Privacy Information Center says it believes the FCC “should adopt a dual-layer labeling solution” for the program that “would include an easily glanceable primary label and a secondary label that displays additional cybersecurity and privacy information, empowering consumers to make an informed purchase,” Executive Director Alan Butler says. EPIC supports the FCC’s proposal to “require data minimization” as part of its criteria for the Cyber Trust Mark, limiting a qualifying device to “collect only the data necessary to provide its essential functions and services.” The group opposes device manufacturers’ bid for a “safe harbor that would provide a shield against liability for insecure devices,” he says.

Fortinet supports the FCC’s E-rate cybersecurity funding pilot proposal (see 2312280050), which is an example of “connectivity and security” matters converging, Richberg says. “Adding networking capability without addressing security provides connections that can both compromise users and enable these compromised devices and accounts to be used to attack others.” Schools and libraries “can use these funds immediately to strengthen their networks and provide a stronger position to fend off future cyber attack,” he says: Including cybersecurity as an “allowable” element of NTIA’s broadband equity, access and deployment program would likewise “benefit both the intended users and the nation.”

Johnson highlights the FCC’s 2022 notice of inquiry seeking comment about cybersecurity vulnerabilities of the internet’s border gateway protocol global routing system (see 2202250062) as part of a broader “whole of government” and “whole of internet” approach to handling cybersecurity issues that “has shown significant positive impact in its early months.” This “collaborative effort on routing security represents an especially effective approach to security,” he says. “I believe this approach is more dynamic and effective than a prescriptive compliance approach, which I fear would lead to companies replacing proactive solutions-oriented engineers with skittish lawyers hedging against regulatory risk.”