March 2, 2017–Three bills introduced in the House today would direct the FCC to take actions broadly aimed at improving cybersecurity in the communications sector as well as in the Internet of things arena. All three measures were introduced by Democratic members of the House Energy and Commerce Committee. The Cybersecurity Responsibility Act of 2017 would direct the FCC to issue within 180 days “rules to secure communications networks through managing, assessing, and prioritizing cyber risks and actions to reduce such risks,” according to the text of the bill introduced by Rep. Yvette Clark (D., N.Y.)
“The Commission, in consultation with the Secretary of Homeland Security, shall include in such rules provisions relating to the treatment of critical infrastructure information relating to such networks that is submitted to the Commission,” the bill says, adding that communications networks would be treated as critical infrastructure.
The bill defines communications networks as those providing wireline, mobile phone, Internet access, cable, and direct broadcast satellite service, and radio and television broadcasters, as well as “any other communications service.”
“It has become clear that we need to have a comprehensive policy on cybersecurity that protects personal information, from the PIN number for your debit card to your e-mail password to your medical records,” said Rep. Clarke in a statement. “With the authority to regulate international and interstate communications in the interest of the public, the FCC should collaborate with experts in cybersecurity to develop best practices that will allow internet providers and other companies to protect themselves and their customers from the threat of hacking. We have to fight any attack on our personal privacy – as well as the institutions of our democracy – from cyberterrorists.”
A second bill – the Interagency Cybersecurity Cooperation Act – was introduced by Rep. Eliot Engel (D., N.Y.) and would direct the FCC to establish within six months an Interagency Communications Security Committee that would review communications security “incident” reports submitted communications service providers, recommend investigation of those reports to any of several government agencies, and issue “regular reports” on the results of the investigations and “policy recommendations” that might arise from them. The frequency of reporting would be not less than three months.
The proposed interagency committee would have eight members including one FCC appointee who is not a member of the Commission and who will serve as chair of the committee, and one appointee each from the Defense Department, the Department of Homeland Security, the Justice Department, the National Institute of Standards and Technology, the National Telecommunications and Information Administration, and the Office of Management and Budget, and a member of the intelligence community to be appointed by the Director of National Intelligence.
The bill defines a “communications security incident” as “any compromise, whether electronic or otherwise, of any telecommunications system” that the FCC has reason to believe resulted in “government-held or private information, including passwords and other similar means of access, being viewed or extracted,” or that “resulted in the presence of outside programming on an agency computer or other electronic device.”
The reports generated by the proposed commission would be provided to the House Energy and Commerce Committee, the Senate Commerce, Science, and Transportation Committee, the House and Senate Intelligence, Armed Services, Homeland Security committees, the House Foreign Affairs Committee and the Senate Foreign Services Committee. “Following Russian tampering in last November’s election it is imperative that we redouble our efforts when it comes to cybersecurity,” Rep. Engel said in a statement. He continued, “This bill is critical to both national security and the preservation of our personal information. Cybersecurity reforms like these must be a priority in this Congress.”
And a third bill offered by Rep. Jerry McNerney (D., Calif.) and entitled the Securing IoT Act of 2017 would amend the Communications Act “to provide for the establishment of cybersecurity standards for certain radio frequency equipment.”
The measure would require radio frequency equipment for which certification is currently required under federal law to meet “cybersecurity standards” to be developed by the FCC in consultation with NIST. “Such standards shall address cybersecurity throughout the lifecycle of the equipment, including design, installation, and retirement,” the bill says. The bill would give the FCC 180 days to issue relevant rules, and would apply to equipment produced one year after the bill’s approval. “The proliferation of IoT devices creates immense opportunities for our society, including new jobs and efficiencies in all aspects of our everyday lives. However, the security of these devices has not kept up with the rapid pace of innovation and deployment,” said Rep. McNerney in a statement. “Security vulnerabilities in IoT devices are likely to pose threats to our national security and endanger our nation’s economy. This is especially concerning given that at least 20 billion devices are anticipated to be in use by 2020. . . . The legislation will help strengthen this market and protect consumers, business, and all the benefits that IoT devices offer.”
“Our networks and devices are the hub of our digital lives. They can make our lives better and our economy stronger, but only when they are secure,” said committee ranking minority member Frank Pallone Jr. (D, N.J.). “I commend my Democratic colleagues for proposing new approaches to protecting consumers from the growing barrage of cyber-attacks, especially from state-funded actors,” said Rep. Pallone. “These bills would ensure that Americans do not have to choose between innovation and security,” he said.
A spokesman for the FCC said the agency had no immediate comment on the bills. – John Curran, firstname.lastname@example.org