The Federal Communications Commission released a white paper this week calling for more regulation of cybersecurity requirements for communications networks, arguing companies have little incentive to invest in areas like cyber when they don’t make immediate bottom line returns.
“As private actors, [internet service providers] ISPs operate in economic environments that pressure against investments that do not directly contribute to profit,” the agency said in the paper released Wednesday. “Protective actions taken by one ISP can be undermined by the failure of other ISPs to take similar actions. This weakens the incentive of all ISPs to invest in such protections.”
“Cyber-accountability therefore requires a combination of market-based incentives and appropriate regulatory oversight where the market does not, or cannot, do the job effectively,” the agency added.
The paper out of the FCC’s Public Safety & Homeland Security Bureau said providers are more inclined to spend that money on lowering the cost of services. While that makes them more competitive and appeases shareholders, it also means internalizing more risk for providers and their users, who may not be “aware of the risk they are being asked to bear.”
As a result, the bureau writes, the current market can incentivize providers to forego cybersecurity. At the same time, companies willing to spend on cyber and “internalize less risk expose themselves to a loss of market share.”
To combat those perverse incentives the FCC suggests taking companies’ implementation of cybersecurity best practices into account when handing out subsidies. Requirements that providers disclose network outages could also be updated to include cyber intrusions “irrespective of whether they cause a disruption to communications,” the paper reads.
Cybersecurity requirements like those the agency imposed on the Charter-Time Warner Cable merger are also cited.
The future interconnectivity of wired, wireless, cable, satellite, virtual networks and other packet-based communication technology makes providers primary targets for disruption by malicious actors, the agency contends.
“These interdependencies will be inviting targets for threat actors from nation-states, to criminals, to hacktivists wishing to exploit or disrupt critical infrastructure,” the report states.
The paper, likely the last to come under the direction of Democratic FCC Chairman Tom Wheeler, echoes the chairman’s previous comments that cybersecurity should be an “all hands on deck,” “top priority” for the FCC.
“[I]f market forces do not result in a tolerable risk outcome, the commission has tools available to make adjustments to restore the balance,” the paper concludes.
Wheeler’s parting comments on cybersecurity reflect rules he proposed for 5G networks last year. They also respond to questions from lawmakers about what the FCC can do to mitigate cyberattacks like the massive distributed denial of service attack against domain name service provider Dyn in October. The attack knocked Twitter, Spotify, Reddit and other sites offline by hijacking poorly secured Internet of Things devices like webcams, smart thermostats and DVRs.
Unfortunately for the chairman the recommendations also come days after reports President-elect Donald Trump has signed off on a plan to move competition and consumer protection, the hallmarks of Wheeler’s chairmanship that featured rules like net neutrality, to the Federal Trade Commission.
Wheeler said that would be a “tragic” concession to larger incumbent telecom providers in a Wednesday interview with C-SPAN.
“They have to deal with everything from computer chips to bleach, and now we’re going to add telecom into that?” Wheeler said according to Politico. “I think since 1934 there’s been an expert agency in telecommunications and it makes sense to stay that way.”
Wheeler gave a last defense of his record and a final plea for Republicans to keep net neutrality in place last week.