On March 2nd, Democratic members of the House Energy and Commerce Committee introduced three pieces of legislation that would expand the Federal Communications Commission’s (FCC) authority over the cybersecurity practices of communications network providers.
The first bill, the “Securing IoT Act of 2017” (introduced by Rep. Jerry McNerney (D-CA)), would expand the FCC’s certification authority by amending Section 303 of the Communications Act of 1934 to require that radio frequency equipment meet certain cybersecurity standards. Such cybersecurity standards would be established by the FCC, in consultation with the National Institute of Standards and Technology (NIST), no later than 180 days after the date of the Securing IoT Act’s enactment, and would cover cybersecurity “throughout the lifecycle of the equipment” (from design and installation to retirement). The standards would apply to equipment for which certification is submitted at least one year after the bill’s enactment.
The second bill, the “Interagency Cybersecurity Cooperation Act” (introduced by Rep. Eliot Engel (D-NY)), would require the FCC to establish an advisory committee known as the “Interagency Communications Security Committee.” The Committee’s eight members would be tasked with reviewing communications security reports submitted to the Committee, recommending investigation into any such security reports to relevant agencies, and issuing reports containing the results of any investigation, findings following each security incident, and any policy recommendations that may arise to the House and Senate Commerce, Intelligence, Armed Services, Homeland Security, and Foreign Affairs committees. The bill requires the head of each agency to submit to the Committee a report of each communications security incident every three months, but notes that the Committee will consider security reports from communications network providers, as well.
In addition, the Interagency Cybersecurity Cooperation Act would amend the Homeland Security Act of 2002 to designate “Communications Networks” as “Critical Infrastructure” and the FCC as a “covered federal agency” capable of receiving Critical Infrastructure information pertaining to communications networks under the same protections currently afforded to information received by the Department of Homeland Security (DHS). “Communications Networks” is defined broadly, and includes any network for providing “wireline or mobile telephone service, Internet access service, radio or television broadcasting, cable service, direct broadcast satellite service, or any other communications service.”
Finally, the third bill, the “Cybersecurity Responsibility Act” (introduced by Rep. Yvette Clarke (D-NY)), would direct the FCC, in consultation with the Secretary of Homeland Security, to issue rules to secure Communications Networks “through managing, assessing, and prioritizing cyber risks and actions to reduce such risks.” The rules would include provisions regarding the treatment of Critical Infrastructure information relating to Communications Networks and, like the Interagency Cybersecurity Cooperation Act, would designate Communications Networks as “Critical Infrastructure” and provide the same protections to the sharing of cybersecurity information with the FCC as is currently provided to the sharing of such information with DHS.
The future of these three Democrat-sponsored bills in the current Republican Congress is unclear. Further, unlike former FCC Chairman Tom Wheeler, who published a white paper detailing the FCC’s cybersecurity priorities, then-Commissioner Pai has opined that the FCC’s role in the cybersecurity realm is meant to be “consultative,” rather than one that involves actively regulating the cybersecurity practices of communications providers. Chairman Pai has yet to comment on the three pieces of legislation in the House, which would not only enable, but also require, the FCC to take on a more active regulatory role when it comes to cybersecurity and the communications sector.