25 January 2017

FCC Warns of National Security Risks From IoT, Private Networks


By Tony Ware

The Federal Communications Commission has released a white paper on cybersecurity risk reduction that surveys the increasingly larger “exposed attack surface” created by connected consumer devices on privately owned and managed communications networks.

Issued by the FCC’s Public Safety and Homeland Security Bureau, the report draws the conclusion that the country’s 30,000 private sector communications service providers and their vendor base operate under the pressure to prioritize profit over protective actions. The residual risk left from the market’s failure to supply and reinforce secure systems poses an increasing threat to emergency services and national security as more devices lead to co-mingled control elements for many service providers.

“Cyber-accountability therefore requires a combination of market-based incentives and appropriate regulatory oversight where the market does not, or cannot, do the job effectively,” the paper states.

The paper describes programs and puts forth several actions to address the gap between the low return on cyber investment and the safety and resilience of networks as factors such as the expanding internet of things increase potential attack vectors.

Recognizing prescriptive regulations can’t keep up with cybersecurity challenges, the paper sets forth a strategy of voluntary efforts, oversight and accountability for vulnerability mitigation of threats like denial of service attacks, IP-route hijacking and address spoofing.

It recommends working with industry and external partners to develop standards and best practices. It promotes incorporating cybersecurity during development phases of products and services requiring licensees for 5G wireless networks to submit cybersecurity plans before commencing operations. It lays out strengthening network outage and data breach reporting, as well as real-time cyber threat information sharing with federal partners and private carriers. And it identifies cybersecurity as a consideration of merger reviews.

Exploits and countermeasures are addressed in the context of these larger issues, as well as small and medium providers, supply chain, workforce and convergent technologies.

The paper suggests the adjustments can best be implemented through public-private partnerships, an “all hands on deck” approach, but the FCC has the resources and authority to “restore the balance” between corporate and consumer interests if the connections and interconnections between commercial networks prove to be exposed, inviting targets.

The entire document can be accessed in PDF form on FCC’s transition website.


No comments: