CSRIC Report: New Model for Cybersecurity

03.18.2015

Communications sector members no longer just have to worry about protecting their system infrastructures from storms, hurricanes and other natural disasters that can impede reliability. They now must deal with ill-intentioned actors using clever and multi-faceted attack strategies on their systems. To address these new security challenges, Federal Communications Commission (FCC) Chairman Tom Wheeler last year called for a new paradigm for cyber readiness led by the private sector which would be “real and meaningful.”

Over the past year, the communications sector has collaborated extensively with the FCC and government to meet this challenge, in discussions that focused on two main missions:

  • Develop voluntary mechanisms which give public assurance that communications providers are taking the necessary steps to manage cybersecurity risks across the enterprise;
  • Develop implementation guidance to help communications providers use and adapt the national cybersecurity framework developed last year by the National Institute of Standards and Technology (NIST).

Through ongoing work in public-private partnership with government, over 100 cybersecurity professionals in the broadcast, cable, wireline, wireless and satellite industries produced a groundbreaking report for the FCC’s Communications, Security, Reliability and Interoperability Council (CSRIC). The result is a new model for cybersecurity based upon the NIST framework that can be effectively used by companies of all sizes in the communications sector and serve as a paradigm for other critical infrastructure sectors.

The work group collaborated through dozens of face-to-face meetings, phone calls and workshops to analyze unique industry risk environments, and develop pragmatic tools and guidance to protect the security and privacy of customers and the integrity of networks. It became clear through these discussions that this approach was more workable than imposing a universal set of mandates and metrics, which would divert key resources toward tasks that may not be relevant or workable to thwart specific attacks.

The report provides guidance for how the communications sector can use the framework to enhance cybersecurity risk management capabilities across the sector and broader ecosystem. It maps the common cyberthreats and attacks to every layer of the TCP/IP communication model, and against every identified category of the Internet and communications ecosystem. It also includes recommendations on how the FCC, Department of Homeland Security, NIST and other government agencies can work with the Communications Sector Coordinating Council (CSCC) to obtain metrics on the impact of cybersecurity threats to communications infrastructure and the sector’s cyber risk management practices.

Among the report’s key recommendations:

  • A sector-wide annual report from the CSCC that offers aggregate information and metrics on the resilience and integrity of communications critical infrastructure;
  • Confidential company-specific meetings similar to the highly successful Protected Critical Infrastructure Information (PCII) program administered by the Department of Homeland Security (DHS); and
  • Active participation in the DHS Critical Infrastructure Cyber Community C3 Voluntary Program, which aims to support industry in increasing cyber resilience and advance awareness and use of the framework.

The communications sector is deeply committed to continuing its efforts to enhance cybersecurity capabilities, and work will continue in this area. We believe continued inter-agency and federal/state coordination with industry in advancing the framework will be needed to avoid fragmentation of industry and government resources. The voluntary mechanisms included in the report’s recommendations represent a new level of industry commitment intended to promote additional transparency and dialogue with government partners and our regulators in the area of cybersecurity risk management.

For more information, see the CSRIC Final Report and related presentation. And check out USTelecom's recent National Cybersecurity Policy Forum webcast to hear more about the report's conclusions and recommendations from industry and government representatives.