CSRIC Working Group Agendas Highlight Cybersecurity Issues

Several of the eight working groups of the Communications Security, Reliability and Interoperability Council – an advisory committee that provides the FCC with recommendations to ensure communications systems security, reliability, and interoperability and that is now in its fifth iteration –  highlighted the need to dig into cybersecurity issues as part of their planned efforts through 2017.

At a meeting of CSRIC held September 21 at the FCC’s headquarters in Washington, Jeffery Goldthorp, associate chief of the FCC’s Public Safety and Homeland Security Bureau and the FCC’s designated federal officer to CSRIC, said today’s second meeting of the current iteration of CSRIC is “where we are really getting the business started.”  He said that all CISRIC working groups had chairpersons, and membership “enough to start work.”

Working Group 1, which is looking at evolving 911 services, is tasked with reviewing public safety and industry best practices on legacy and next-generation 911 services with a view toward optimizing best practices on call rerouting, and is scheduled to issue a report on that subject in March 2016, said group co-chair Susan Sherwood of Verizon Wireless.   The group also plans to make recommendations on location-based routing including the reliability and accuracy of location data sources and the transition from location path to location-based routing, and to offer recommendations by September 2016, she said.

Francisco Sanchez, of the Harris County, Texas, Office of Homeland Security and Emergency Management, said that CISRIC Working Group 2, which is looking at emergency alerting platforms and which he co-chairs, will focus some of its efforts on platform security including security best practices and recommendations to protect against vulnerabilities in systems, and new and evolving technologies that can “reduce cyber risk” in issuing emergency alerts.  He said the group plans to issue those recommendations by March 2016.

Mr. Sanchez said Working Group 2 also will look at “how we use alerting platforms,” ways to improve public safety outcomes, and ways to better coordinate use of alerting platforms by state and local officials, with a target date of September 2016 for recommendations.

Working Group 3 will study the emergency alert system (EAS), which, noted group co-chair Kelly Williams of the National Association of Broadcasters, is distinct from emergency alerting platforms.  He said the group’s overall objectives includes continued improvements of EAS, how to better secure EAS,  issuing alerts in languages other than English, and drafting a new version of the EAS handbook.  On the security front, he said some of the group’s efforts would involve application of the National Institute of Standard and Technology’s voluntary cybersecurity framework for critical infrastructure sectors, but also indicated it may be challenging to apply some portions of that framework to EAS.

Working Group 4A, which is looking at submarine cable resiliency, will examine how a lack of coordination between federal, state, and local authorities on marine activities can increase the risk of damage to undersea cables, said Kent Bressie, a partner at Wilshire & Grannis LLP and outside counsel to the North American Submarine Cable Association, and co-chair of the working group.  He said the group will also look at how clustering cables under the sea or at landing points can increase the chances of damage from fishing boats, dredging operations, and storms.

Catherine Creese of the U.S. Navy, who also co-chairs the working group, said the group plans reports on improving coordination among various regulatory authorities without increasing regulatory burdens on cable operators, and noted the FCC’s recent action (TRDaily, Sept. 17) to propose outage reporting mandates for undersea cable licensees.  “We very much welcome that particular proposal,” she said.

Working Group 4B, which is looking at network timing and is chaired by Jennifer Manner, vice president-regulatory at EchoStar Corp., will be considering the current reliance on a single standard for synchronized network timing, how that creates a potential “single source of failure,” and how the resiliency of backup systems can be improved.  The group expects to offer its final report in March 2017.

Working Group 5, which is dealing with cybersecurity information sharing, will look into what the communications sector is doing to share information to protect against cyber attacks, and ways to remove barriers to further sharing of data, said Chris Boyer, assistant vice president-global public policy at AT&T, Inc., and one of the working group’s three “tri-chairs.”  Part of those efforts, he said, will include use cases, barriers to sharing information, creation of “trust pools” to optimize sharing, and different sharing conduits such as Information Sharing and Analysis Organizations (ISAOs).  The group will have its final report ready by March 2017, and may have reports on smaller components of its work before then.

Working Group 6, which is focused on security by design, aims to develop best practices and recommendations for improving hardware and software used in public communications networks, and develop voluntary mechanisms for equipment makers to show that they are using those best practices, said Joel Molinoff, chief information security officer at CBS Corp., and co-chair of the working group.  He said the group will have a report by March 2016 on the best practices for hardware and software, and a report by December 2016 on the voluntary mechanisms for equipment makers to show they are using the best practices.

Working Group 7, which is exploring cybersecurity workforce issues, will look at what has already been done by NIST through its National Initiative for Cybersecurity Education (NICE) initiative, and how that effort can be further leveraged in cooperation with the private sector.   The group will also look at how evolving skill sets – driven by changes to cyber threats – impact workforce development.  The group will create sub-groups to look at more discrete issues, and will issue its final report by March 2017.

David Simpson, chief of the FCC’s Public Safety and Homeland Security Bureau, discussed the mission of Working Group 8, which is focused on priority services, which he said are “very important to the Commission . . . from national security scenarios to emergency services scenarios.”

CSRIC is set to hold its next public meeting on Dec. 3. – John Curran, john.curran@wolterskluwer.com

Courtesy TRDaily