FCC under fire for trying to ditch cybersecurity
Light touch regulation philosophy runs up against political reality
Analysis: The ideological goal of "light touch regulation" as proposed by the new head of the US FCC has hit a barrier: cybersecurity.
As the federal regulator of all things telecom, the FCC has been increasingly pulled into efforts to secure the United States' online infrastructure against attacks, just as have many other federal agencies.
However, chairman Ajit Pai and his fellow Republican commissioner Michael O'Rielly have made it plain that they don't believe the FCC should be playing any role in cybersecurity – and that has started creating some problems.
When former FCC chairman Tom Wheeler put out a white paper in January that walked through the regulator's cybersecurity plans and priorities, Pai criticized it by arguing that the FCC's role should only be "consultative" rather than active.
Pai previously said he was opposed to creating "uniform rules that would apply to an entire industry" and argued there are other agencies that should take on the task because their remits were more closely defined and they had "more well-established expertise."
O'Rielly made a similar point when he voted against imposing privacy rules on ISPs, saying that "while cybersecurity is important, the act does not provide the FCC with any authority in this space," and argued that they "should not presume to freelance in this area."
This week, O'Rielly told a Senate committee the same thing, arguing that the FCC's authority was "extremely limited" when it came to cybersecurity.
Both commissioners have also put their money where their mouths are, putting a stop to several FCC rules and proposals due to go into effect.
Pai stopped an order that was intended to tackle flaws in the Emergency Alert System, and he has pulled cybersecurity out of IPTV proposals under consideration. When he stopped the privacy rules on ISPs from taking effect earlier this month, he also removed their cybersecurity provisions on data security. And a notice of inquiry that was intended to bring in the public's input on cybersecurity risks associated with next-gen wireless networks has also been ended.
In response to all this, Democrats in the House of Representatives have this month started proposing legislation – three bills introduced so far – that would obligate the FCC to adopt some level of responsibility for cybersecurity, and thereby remove the argument that the FCC doesn't have statutory authority to look at the matter.
The Securing IoT Act of 2017 would require equipment using certain frequencies (the FCC's remit) to meet new cybersecurity standards, defined by the FCC and NIST.
The Interagency Cybersecurity Cooperation Act would require the FCC to create a new interagency committee to look at security reports as they pertain to telecom, and produce recommendations to be sent to Congress and/or other government departments as required.
It would also define communications networks as part of the US' "critical infrastructure" – meaning that all sorts of new regulations to do with security would come into force. As part of that, the FCC would be pulled into the country's broader security apparatus.
And a third bill, the Cybersecurity Responsibility Act, would require the FCC to put out rules on how to secure communication networks, as well as define them as critical infrastructure.
It is notable that the bills have been proposed by Democrats. As such, it is all too likely that they will be opposed by Republicans, who hold majorities in both houses. The introduced legislation is, right now, in the hands of committees to scrutinize, amend, or kill.
However, it is also the case that Republicans like to be seen as being firm on security, so voting against bills focused on national security may not sit well, especially given the recent furore over hacking of emails and phone calls.
If Congress does decide to pass a law obligating the FCC to take these roles on, it is irrelevant what Commissioner Pai or O'Rielly believe they want to do with respect to light-touch regulation – they will be obligated to do what the law says.
Of course there are plenty of arguments against Congress prescribing what semi-autonomous federal regulators should do, not least of which is that it is very hard to unravel decisions once they are made. That results in the FCC doing a lot of work that sometimes isn't very useful, or doing parallel work, or preventing the regulator from taking a different or more effective approach.
However, the question now is: which do Congressional Republicans dislike the most – Democrats or looking weak on national security? This being Congress, the likely approach will be to create a complex and unworkable solution that saves face, quashes the Democrats and fails miserably to address what is a very serious issue. ®