In its recently released Cybersecurity Risk Reduction White Paper, the Federal Communications Commission (“FCC”) expressed serious concerns about the “burgeoning and insecure IoT market [that] exacerbates cybersecurity investment shortfalls [because] the private sector may not have sufficient incentives to invest in cybersecurity beyond their own corporate interests.” Noting that insecure wireless devices have shut down service to millions of users by attacking critical control utilities that are not FCC-regulated, the FCC is advocating “cyber accountability” – a combination of market-based incentives and regulatory oversight – to reduce cyber risk in the communications sector.
While the FCC seeks to apply cyber accountability to many communications carriers (including Internet service providers and submarine cable operators), in the Internet of Things (“IoT”) world, device manufacturers and vendors would bear a large portion of responsibility. The FCC proposes that IoT equipment suppliers should implement “security by design” practices to build cybersecurity into their products before marketing them. As defined by the FCC, security by design is “a practice of continuous testing, authentication safeguards, and adherence to best [cybersecurity] practices.”
The FCC avers that regulatory oversight of this process would likely be required, in part because the “large and diverse numbers of IoT vendors – who are driven by competition to keep prices low – hinders coordinated efforts to build security by design into the IoT on a voluntary basis.” Accordingly, the FCC states that, among other things, changes to its equipment certification rules may be necessary to protect networks from IoT device security risks.
As detailed in a previous article on 5G security issues, the FCC has commenced a proceeding in which IoT stakeholders can opine on various cybersecurity matters and help shape future rules as to whether and to what extent IoT device suppliers should be responsible for securing their products, and their potential liability to third parties for breaches. Comments may include, for example, information as to market practices and conditions that mitigate the need for regulatory oversight. Comments are due by April 24, 2017 and reply comments are due by May 23, 2017.
The CommLaw Group has IoT specialists that are available to answer any questions you may have regarding cybersecurity and equipment authorization best practices, pertinent regulatory proceedings (including this FCC proceeding and a companion Department of Commerce proceeding), as well as any related issues. We deal regularly with pertinent regulatory agencies and can assist you with compliance matters. We have published a Comprehensive Guide to Compliance with FCC and FTC Privacy Regulations that is an invaluable resource for IoT and telecommunications firms that are subject to privacy requirements. We have also published a Global Guide to Radio Frequency Equipment Authorization, detailing what you need to know to ensure that your RF devices are compliant with applicable regulations before bringing them to market in the U.S. and internationally.
IoT Attorney Ronald E. Quirk Jr. is a Senior Managing Attorney at Marashlian & Donahue PLLC, The CommLaw Group, where he focuses his practice on federal, state and international telecommunications regulation and policy, with particular expertise in assisting clients in navigating the complex labyrinths of RF equipment authorization and enforcement processes around the world. His career has spanned more than 20 years, including several years at AMLAW 100 firms and the FCC. He can be reached at req@commlawgroup.com or (703) 714-1305.