FCC Wants More Cybersecurity Collaboration, Less Regulation

In a speech to the American Enterprise Institute, FCC Chairman Tom Wheeler outlined principles for a market-based approach.

William Jackson, Technology Writer

June 13, 2014

Tom Wheeler (Source: FCC)


FCC Chairman Tom Wheeler on Thursday laid out his vision of the Federal Communications Commission's role in network security, calling for a more market-based approach, with industry assuming responsibility and leadership.

The new approach he described would be based on collaboration rather than regulation, but Wheeler noted that the FCC still has regulatory authority to back up its goals. "We believe there is a new regulatory paradigm where the commission relies on industry and the market first while preserving other options if that approach is unsuccessful," he said in a speech to the American Enterprise Institute.

In his talk, Wheeler said that changes in technology have outpaced the ability of legislation and regulation to keep up with the new functionality of the world's communications networks and the threats facing them.


The companies operating those networks "must step up to assume new responsibility and market accountability for managing cyber risks," he said. "This begins with private sector leadership that recognizes how easily cyberthreats cross corporate and national boundaries."

Although the FCC's charter is to promote public safety and the national defense through protection of the nation's communications systems, the rapid evolution of the Internet is being driven by commercial incentives and innovation, and these same drivers are more readily adapted to meeting rapidly evolving threats, Wheeler said. "This new paradigm must be based on private sector innovation, and the alignment of private interests in profit and return on investment with public interests like public safety and national security."

Although the chairman took pains to assure listeners that he was not advocating new regulations for the Internet, he said that the Commission already has authority under existing law to exercise its responsibilities, even if the technology has changed since the law was written.

The technology has changed. The Communications Act was last updated in 1996, an Internet lifetime ago, and the traditional "prescriptive regulatory approach" no longer is adequate to address advances such as mobile Internet-connected devices and all-IP communications, Wheeler told the audience. But the traditional approach remains an option if the new paradigm fails.

Spearheading development of a collaborative security framework for the FCC will be chief of the Public Safety and Homeland Security Bureau Admiral Dave Simpson and chief counsel for cyber security Clete Johnson. The effort will build on existing efforts, such as the Framework for Improving Critical Infrastructure Cybersecurity, released earlier this year by the National Institute of Standards and Technology, which will be adapted for the communications sector. The commission also will leverage its work with existing Information Sharing and Analysis Centers and examine legal and practical barriers to sharing threat and attack information.

Wheeler said FCC cyber security policy will be guided by four broad principles:

  • A commitment to preserve the freedom and openness of the Internet

  • A commitment to privacy, which is essential to consumer confidence

  • A commitment to cross-sector coordination, rather than silos of security

  • A multi-stakeholder approach to global Internet governance

"We will oppose any efforts by international groups to impose Internet regulations that could restrict the free flow of information in the name of security," Wheeler said.

Programs established under the new policy must be "demonstrably effective," which will require transparency and the ability to show that policies and actions work in the real world, he said. "Companies must have the capacity to assure themselves, their shareholders and boards -- and their nation -- of the sufficiency of their own cyber risk management practices."


About the Author(s)

William Jackson

Technology Writer

William Jackson is a writer with the Tech Writers Bureau (http://www.techwritersbureau.com), with more than 35 years' experience reporting for daily, business and technical publications, including two decades covering information technology and cybersecurity in the federal government. You can read his column, The Cybereye (http://www.techwritersbureau.com/the-cybereye-column.html).
