WASHINGTON — Federal Communications Commission chairman Tom Wheeler is not letting up on Internet-service providers as his tenure draws to a close.
In a letter to members of Congress released last week, Wheeler said the marketplace alone is not sufficient to police Internet of Things-related cybersecurity threats, given what he said are the incentives for ISPs not to fully address such risks. He outlined what he would have done had the pending change in administration not “postponed” some of the next steps in the FCC’s ongoing cybersecurity review, which include a potential cybersecurity device certification process.
Wheeler laid out his views in a letter to Sen. Mark Warner (D-Va.), who is a former wireless network executive. The chairman has long signaled he saw ISPs as the potential snake in the virtuous garden of Internet content consumed by Web users. NCTA: The Internet & Television Association had no comment on the latest characterization by the chairman.
In response to questions from Warner about how to combat insecure IoT devices, Wheeler said: “We cannot rely solely on the market incentives of ISPs to fully address the risk of malevolent cyber activities. As private actors, ISPs operate in economic environments that pressure them to not take those steps, or to take them minimally.
“Given the interconnected nature of broadband networks, protective actions taken by one ISP against cyber threats can be undermined by the failure of other ISPs to take similar actions,” Wheeler said. “This weakens the incentive of all ISPs to take such protections. Cyber-accountability therefore requires a combination of market-based incentives and appropriate regulatory oversight where the market does not, or cannot, do the job effectively.”
Wheeler outlined a plan for Internet of Things cyberprotection, suggesting the FCC should issue a rulemaking to determine measures it could take on matters the marketplace isn’t addressing. That included considering using the FCC’s existing authority to protect networks from device security risks and “exploring” a cybersecurity device certification process, adding that perhaps such a process could be self-certification.
Warner called that a foundation that President-elect Donald Trump could build on.
“The commission’s proposal for a device-certification process, either by the agency or through industry self-certification, deserves strong consideration,” Warner said last week.
“I strongly urge the incoming Trump administration to make cybersecurity a top priority, because we simply must move forward with responsible new initiatives to better engage consumers, manufacturers, retailers, Internet sites and service providers in improving our nation’s cybersecurity posture,” Warner said.
Trump has pledged “an immediate review of all U.S. cyber defenses and vulnerabilities, including critical infrastructure” once he takes over in January.