March 15, 2017 – Several working groups of the FCC’s Communications Security, Reliability, and Interoperability Council today received approval from CSRIC members for recommendations to be forwarded to the FCC on a number of topics including cybersecurity information sharing, cybersecurity workforce issues, priority services, Wi-Fi security, and legacy systems risk reduction. Today’s meeting of the council concluded the activities of the fifth iteration of CSRIC.
The working group on cybersecurity workforce issues provided several recommendations to the FCC, including that the agency support a process for the communications industry to support the National Institute of Standards and Technology’s National Initiative for Cybersecurity Education (NICE) program. “We want ongoing engagement in that space,” said Drew Morin of T-Mobile US, co-chair of the cybersecurity workforce working group. The group also recommended that the FCC support a range of other cybersecurity educational efforts including K-12 education, work-study internships, scholarship-for-service programs, training of people with autism, distance learning programs for rural areas, and engagement in development of cybersecurity curriculum guidelines at colleges.
The working group on cybersecurity information sharing recommended that the FCC make efforts to expand the “breadth and depth” of sharing programs between government and industry, and that the government create a grant program that will allow small and medium-sized businesses to better participate in information sharing programs.
The working group recommended that the communications industry expand on its pilot program looking at whether the STIX (Structured Threat Information eXpression) standardized language used to present cyber threat data and the TAXII (Trusted Automated eXchange of Indicator Information) technology used to share that data meet the industry’s needs, and also further evaluate the Department of Homeland Security’s “portal” mechanism for sharing threat data with the private sector.
The working group also recommended that the communications industry enhance its information sharing and analysis center by developing a private website in which information can be shared with industry peers, and that the government and the private sector work to promote cyber education awareness among parties including small and medium-sized businesses. It also recommended that the government consider policies that support the private sharing of threat data by Internet service providers and other parties, as that business provides resources that allow research to be conducted on better ways to share threat data.
The working group on priority services said that the use of priority services will increase greatly with the deployment of Internet of things devices, and recommended that the FCC assess allowing certain levels of service preemption as priority services use grows. It also recommended that the FCC look at scenarios under which traffic from the First Responder Network Authority (FirstNet) will be carried on private networks, look at how to prioritize IoT traffic, and put in place an application framework to cover those scenarios. It also recommended the extension of protocols on robocalls and spoofed calls.
The working group on Wi-Fi security recommended that the FCC resolve policy and legal issues for use of deauthentication technologies by service providers to deter cybersecurity threats, and that service providers be allowed to implement “authenticable network” technologies that would help in the fight against “evil twin” and “man in the middle” cyber attacks.
The working group on legacy systems and services risk reduction recommended that the next iteration of CSRIC continue working on security issues for interconnection protocols for 5G and other network standards. It also recommended, among other steps, that industry encourage the use of available encryption technologies for voice and data services.
“We are not trying to get into the encryption debate,” said John Kimmins of iconectiv, a co-chair of the working group, who added, “But the network can only go so far in terms of protecting the subscriber.” – John Curran