The US communications sector has adopted first-ever cybersecurity measures for the industry. On March 18, 2015, the Federal Communications Commission’s (FCC) Communications Security, Reliability, and Interoperability Council (CSRIC) unanimously adopted a 415-page report with guidance and recommendations for voluntary cybersecurity protections for the communications sector in the United States: “Cybersecurity Risk Management and Best Practices Working Group 4: Final Report” (Final Report). The Final Report follows from President Obama’s February 2013 Executive Order identifying 16 Critical Infrastructure sectors, one of which is the communications sector. The Executive Order also directed the creation of a voluntary public-private partnership with the National Institute of Standards and Technology (NIST) of the US Department of Commerce. Subsequently, in February 2014, NIST released its “Framework for Improving Critical Infrastructure Cybersecurity” (Cybersecurity Framework). In 2013, the FCC created a multidisciplinary group (Working Group 4) under the CSRIC to examine the cybersecurity risks to the communications sector. FCC Chairman Wheeler has also called for the communications sector to take a lead in improving cybersecurity risk management practices.
Working Group 4’s charge included developing voluntary mechanisms for the communications sector that would provide assurances to the FCC and the public that the sector is taking the appropriate steps to address cybersecurity risk. Importantly, these “macro-level” assurances should enable organizations in the sector to conduct “meaningful” assessments internally as well as with external partners and vendors. The assurances should also be based on meaningful measures of successful and unsuccessful efforts to combat cybersecurity threats (in other words, outcome-based rather than process-based requirements). The adopted voluntary mechanisms are: (1) sector participation in FCC-initiated confidential company-specific meetings or other similar communications formats to share information; (2) sector preparation of an annual sector cybersecurity report; and (3) sector participation in the Department of Homeland Security’s Critical Infrastructure Cyber Community (C3) Voluntary Program.
In addition, the Final Report includes “immediate and practical” implementation guidance for the communications sector. Consistent with the NIST Cybersecurity Framework, it recommends that organizations implement a dedicated, organization-wide cybersecurity risk governance process. However, the Final Report notes that how each company implements such a cybersecurity risk management program will vary based on identified potential risk, risk tolerance and other factors. Finally, the Final Report includes appendices for each of five industry segments – broadcast, cable, satellite, wireless and wireline – along with use cases suggesting how cybersecurity risk management protocols and practices can be implemented.