Congressional Democrats have introduced legislation to expand the Federal Communications Commission’s role in protecting U.S. networks from cyberattacks, a responsibility the new Republican chairman of the agency may oppose.
House Democrats introduced three bills Thursday to expand the FCC’s role in cybersecurity guidance, investigating hacks and certifying Internet of Things (IoT) device security. The bills have the backing of New Jersey Rep. Frank Pallone, the ranking Democrat on the House Energy and Commerce Committee charged with overseeing the FCC.
“Our networks and devices are the hub of our digital lives,” Pallone said. “They can make our lives better and our economy stronger, but only when they are secure.”
The Cybersecurity Responsibility Act would require the agency to set down new cybersecurity rules for U.S. networks.
“It has become clear that we need to have a comprehensive policy on cybersecurity that protects personal information, from the pin number for your debit card to your email password to your medical records,” said New York Rep. Yvette Clarke, the bill’s author.
Clarke cited the election season hack of the Democratic National Committee “to benefit Donald Trump” and others against Target and J.P. Morgan Chase as evidence “existing cybersecurity programs were insufficient to protect highly-sensitive information.”
New York Rep. Eliot Enge’s Interagency Cybersecurity Cooperation Act requires all federal agencies to report cyberattacks to the FCC. The agency then reviews and investigates cyber incidents via an interagency committee and publishes findings and policy recommendations.
“Following Russian tampering in last November’s election it is imperative that we redouble our efforts when it comes to cybersecurity,” Enge said.
The third from California Rep. Jerry McNerney gives the FCC and the National Institute of Standards and Technology the responsibility of establishing cybersecurity standards for IoT devices and certifying devices meet those standards throughout their life cycle.
“Security vulnerabilities in IoT devices are likely to pose threats to our national security and endanger our nation’s economy,” McNerney said. “This is especially concerning given that at least 20 billion devices are anticipated to be in use by 2020.”
Hijacked IoT devices were used in the DDoS takedown of DNS provider Dyn in October, which knocked major websites Twitter, Spotify, Reddit and others offline. Shortly after Democrats asked the FCC what the agency can do to prevent future cyberattacks.
Former Democratic Chairman Tom Wheeler responded positively, laying out a number of ways for the FCC to take a larger role in cybersecurity and declaring it a first priority for the agency moving forward.
But his Republican successor doesn’t share his view. Republican Chairman Ajit Pai, who’s been leading the FCC for just over a month, described the FCC’s cybersecurity role as “relatively circumscribed” and “consultative” as opposed to one that should establish “uniform rules that would apply to an entire industry.”
“There are other agencies that have a more well-defined space, legally speaking, and more well established expertise,” he said after voting against FCC privacy rules passed under Wheeler. The rules set down stronger requirements for internet service providers to report cyberattacks to authorities and users.
Pai and Republican Commissioner Michael O’Rielly voted this week to stay those rules, scheduled to take effect Thursday, until the agency can readdress them. Republicans in Congress are working on a repeal of their own via the Congressional Review Act.
Commissioner Mignon Clyburn, the FCC’s only remaining Democrat, criticized the move as one that will hurt consumer privacy.
“If a provider simply decides not to adequately protect a customer’s information and does not notify them when a breach inevitably occurs, there will be no recompense as a matter of course,” Clyburn said.
Republicans have yet to comment on the bills introduced Thursday.