FCC Chairman Tom Wheeler made remarks on Thursday, June 12 at the American Enterprise Institute where he explained the FCC’s vision of how it will improve the communications sector’s cyber readiness. He announced a “new regulatory paradigm” where the FCC “relies on industry and the market first while preserving other options if that approach is unsuccessful.” Wheeler recognized that industry-led action on cybersecurity can be “more dynamic than traditional regulation” but at the same time all stakeholders’ efforts must be “real and meaningful” for the paradigm to work. The FCC is developing a risk assessment tool, based on the NIST Cybersecurity Framework, to assist communications sector companies in assessing their cyber risk and developing methodologies to close any cybersecurity gaps. As part of the new regulatory paradigm, the FCC recognized that it will be responsible for ensuring there is “market accountability” among the industry as a whole. The FCC is working to develop a method of measuring how effectively companies are assessing, and managing, their cyber risk.
Chairman Wheeler underscored that while the potential benefits of a non-regulatory industry action are great, such industry-led efforts must coincide with a high degree of communication and transparency. Because of the fast “pace of threat technology,” the Chairman recognized that the industry “cannot hope to keep up if we adopt a prescriptive regulatory approach.” While private sector innovation can provide the type of dynamic, fluid approach that is necessary to combat the cyber threat, the FCC’s approach must “be more demonstrably effective than blindly trusting the market.” Wheeler noted that for the FCC to determine whether its approach is “demonstrably effective” there must be a “level of transparency that may take some time to get used to.” Indeed, he stressed that “tackling the challenges of cybersecurity will require a joint effort” including strong collaboration between and among the federal government and private sector.
The FCC is leveraging the NIST Cybersecurity Framework to develop a cybersecurity risk management tool that is specific to the communications sector. Using that tool, companies are expected to analyze their exposure to cyber risks, assess their current readiness to combat the risks, identify gaps in their security and make targeted investments to mitigate their cyber risk. In requesting that its stakeholders conduct such risk assessments, the FCC is essentially asking its stakeholders to voluntarily comply with the NIST Cybersecurity Framework. Wheeler recognized that each company’s approach to assessing its risk will be different, but “it is crucial that companies develop methodologies that give them a meaningful understanding of their risk exposure and risk management posture that can be communicated internally and externally.”
The FCC made it clear that it believes “industry-based solutions are the right approach” to combating the cyber threat, but recognized that if such an approach is unsuccessful, the agency “must be ready with alternatives.”