The FCC has backed down from planned rules on IoT security
The FCC “had to postpone some of the next steps in this combined approach in light of the impending change in administrations.” IoT security plans have been shelved for now.
The plan, which lays out the FCC’s “risk reduction program” for IoT, says the agency should “Issue a [notice of proposed rule making] to examine regulatory measures the FCC could take to help address cyber risks that cannot be addressed through market-based measures.” The work plan was attached to a letter sent to Sen. Mark Warner, D-Va., by FCC Chairman Tom Wheeler.
It’s the first time the agency has publicly disclosed that it was working on regulations for IoT device cybersecurity. Previously, agency officials have stressed that, as Wheeler’s letter states, FCC’s net neutrality rules “enable Internet Service Providers (ISPs) to take measures to protect their networks, and those with which they interconnect, from harmful devices” — for instance by disconnecting them en masse.
Nonetheless, Warner urged the incoming Trump transition team to take up where the outgoing administration left off. “The commission’s proposal for a device certification process, either by the agency or through industry self-certification, deserves strong consideration,” he wrote. Similarly, he said FCC consumer labeling requirements “will empower and educate consumers.”
“I strongly urge the incoming Trump Administration to make cybersecurity a top priority, because we simply must move forward with responsible new initiatives to better engage consumers, manufacturers, retailers, internet sites and service providers in improving our nation’s cybersecurity posture,” he concluded in a statement Monday.
In his letter published Monday, Wheeler shared the key points of what he titled a “5G/IoT cybersecurity risk reduction plan program.”
It states that the FCC should develop risk reduction standards, which would be adopted and implemented by internet service providers (ISPs).
Under the Open Internet Order, ISPs are responsible for taking measures to protect networks from harmful devices, ensure network security and integrity, and address denial-of-service (DoS) attacks, like those that happened in October.
“I do, however, share your concern that we cannot rely solely on the market incentives of ISPs to fully address the risks of malevolent cyber activities,” Wheeler wrote.
He said the Notice of Proposed Rule Making should be issued to examine regulatory measures that his agency could take to help address cyber risks.
The plan proposes that the NPRM include “a cybersecurity certification (possibly self-certification)” and “a consumer labeling requirement to address any asymmetry in the availability of information and help consumers understand and make better decisions regarding the potential cyber risks of a product or service.”
“The NPRM could examine changes to the FCC’s equipment certification process to protect networks from IoT device security risks,” Wheeler suggested.