Rosenworcel Seen Likely to Embrace Simington's Calls for Security Rules
FCC Commissioner Nathan Simington’s calls last week for the agency to take a deep dive on potential rules requiring OEMs to provide security updates for wireless devices authorized by the agency for sale in the U.S. (see 2206280072) appear likely to be picked up, said Chairwoman Jessica Rosenworcel, industry executives and agency officials.
Rosenworcel previously worked with Simington on receiver performance, which led to a notice of inquiry (see 2204210049). More recently, Rosenworcel embraced Commissioner Brendan Carr’s calls for wireless resiliency rules (see 2205160067).
Security has become one of Simington’s biggest focuses as a commissioner, and he started to work with Rosenworcel’s office on next steps, officials said. Simington hired as his wireline aide Marco Peraza, who was a software engineer at Microsoft before attending law school, with a focus on operating system security and data protection. The FCC didn't comment.
The biggest challenge isn’t smartphones but routers and other gear that don’t offer automatic security downloads, said Jonathan Cannon, R Street fellow-technology and innovation and a former acting adviser to Simington. Cannon said most industry players would probably welcome the focus. Other experts agreed smart devices other than smartphones are the biggest challenge.
It would be a “bipartisan accomplishment of the commission to research and look into a crucial part of network security … but to do so in a pro-market way that does not overly burden companies and providers of this type of equipment,” Cannon said. “The way that you’ve got foreign actors being so much more willing to engage in attacks and nefarious conduct you want to really patch that out as best you can,” he said.
A requirement that device vendors provide security updates is “very basic” and “absolutely necessary,” emailed Carri Bennet, Rural Wireless Association general counsel. “There is concern over unfunded government mandates for small carriers,” she said: “These could be handled by allowing broadband funding to be extended to cover basic cybersecurity and cyberhealth costs.” Bennet said the FCC could start with a Further NPRM building on other work it has done, though an NOI is also possible.
“CCA shares Commissioner Simington’s emphasis on security,” emailed Steve Berry, president of the Competitive Carriers Association: “As the FCC looks into these issues, it is critical that OEMs take steps to make sure that wireless devices work -- securely and with the full functionality as designed -- with networks operated by carriers of all sizes.”
Simington is “absolutely right” and the FCC needs to take the lead on security, said Public Knowledge Senior Vice President Harold Feld, noting that in the past Republican commissioners have questioned the FCC’s role on cybersecurity. “I expect that the chairwoman will welcome the opportunity for bipartisan cooperation on an important and highly technical issue,” he said: “Rosenworcel has generally emphasized finding common ground with her Republican colleagues, and has always been eager to embrace the important technical areas of the FCC's jurisdiction. This fits well with her general priorities on public safety, [next-generation] 911 and network resilience.”
Even if industry players don't want rules, “they can hardly come out against cybersecurity,” Feld said. But an inquiry would raise the same legal questions raised in the receiver NOI, he said. “You could make it the responsibility of the carriers under Section 303” of the Communications Act “and the carriers would require that manufacturers of devices they allow on their network need to require the manufacturers of the devices provide a security update mechanism or the device isn't allowed on the network,” he said. Feld said the FCC should start with a Further NPRM since industry rarely brings its “‘A’ game” in responding to an NOI.
“Cybersecurity lurks in the background of a lot of what the FCC does, so I expect there will be interest,” said Joe Kane, Information Technology and Innovation Foundation director-broadband and spectrum policy. Kane expects “a lot more back-and-forth and record building before anything concrete gets imposed.” Even based on Simington's remarks “there are many blanks to be filled in, especially with regard to the extent of required updates and the duration of support required,” he said.
Simington’s proposal builds on work done by the Broadband Internet Technical Advisory Group in a 2016 security study, emailed network architect Richard Bennett. “Many network devices -- including smartphones -- ship with out-of-date software and lack mechanisms to address newly emerging vulnerabilities degrading users’ security and privacy,” he said: “Given the end-to-end structure of the Internet, devices play a vital role in maintaining the integrity of the overall network. This requirement would be a new direction for the FCC, but it’s absolutely necessary in a world where smartphones have replaced traditional handsets.”
Simington “means well, but having a requirement for companies to fix later-discovered flaws could have some unintended consequences,” said Recon Analytics’ Roger Entner. Would startups be part of the rules and “what happens when the company goes out of business?” he asked. Would a bankrupt company have to put reserves aside to “take care of the later-discovered flaws or do we accept uneven consumer protection?” The biggest problem isn’t that equipment makers don’t provide fixes but that consumers often refuse to install them, Entner said.