Cybersecurity Achieves a New Milestone


Two weeks ago we highlighted the cable industry’s continuing commitment to cybersecurity. This ongoing work reached a new milestone yesterday with the adoption of the communications sector’s ground-breaking report on Cybersecurity Risk Management and Best Practices by the FCC’s Communications Security, Reliability and Interoperability Council (CSRIC). With the participation of over 100 subject matter experts from the cable, wireline, wireless, satellite and broadcasting segments, the Working Group 4 report culminated a year-long collaborative, multi-stakeholder effort to build on the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST).

Last year FCC Chairman Tom Wheeler challenged industry to create a “new regulatory paradigm” of business-driven cybersecurity risk management that eschews a top-down, prescriptive regulatory approach. The working group’s charge was to develop “voluntary mechanisms” to give the FCC and the public assurance that communications providers are taking necessary steps to manage cybersecurity risks, tailored to their unique needs and characteristics and based on meaningful indicators of success. The FCC also looked to the working group to demonstrate how communications providers can reduce cyber risks through application of the Framework, as well as develop guidance on how to use and adapt the Framework to their enterprise. This was accomplished through, among other things, the development of detailed operational and technical resources and guidance to implement the NIST Framework by communications companies, the identification of known attacks and vectors across the Internet ecosystem, and a process flow to update measurements of success.

With regard to cable, the guidance focuses on the core network where an attack would have the greatest national or regional impact on service availability and identifies the highest priority best practices and anticipated outcomes for the cable industry.

Going forward, companies represented on the CSRIC working group agreed to provide information on the cybersecurity of critical communications network infrastructure in an annual report under the auspices of the U.S. Department of Homeland Security (DHS), the sector-specific agency for the communications sector. The sector also committed to develop a series of webinars and other reference materials to advance use of the Framework based on the guidance in the report. Finally, interested companies will participate in confidential company-specific meetings with the FCC and DHS regarding their risk management practices, as well as share information regarding their efforts to address cyber threats and vulnerabilities – all aimed at providing the government with increased visibility into what’s happening on the cyber threat landscape.


Admiral David Simpson, FCC Public Safety and Homeland Security Bureau Chief, described the report’s foundational work as a “win-win-win” for industry, the FCC and state and local public safety partners.

Cable engineers, security and policy folks devoted countless hours to this project. We thank the cable companies that participated, including Cablevision, Charter, Comcast, Cox, and Time Warner Cable. In particular, we commend the efforts of the cable representatives on the CSRIC leadership team: CSRIC Council Chair John Schanz, Comcast; CSRIC Council member, William Check, NCTA; WG4 Co-Chair Brian Allen, Time Warner Cable; WG4 Cable Segment Lead, Matt Tooley, NCTA; WG4 Measurement Sub-Group Co-Lead Chris Rosenraad, Time Warner Cable; WG4 Cyber Threats Sub-Group Co-Leads Russell Eubanks, Cox and Joe Viens, Time Warner Cable; and WG4 Mid/Small Entities Sub-Group Co-Lead Susan Joseph, CableLabs.

We urge every company, large and small, to review the report, available here, and share it with your network operations, security, legal and risk management personnel. Cybersecurity should be a key component of every company’s risk management.

Our cybersecurity work is not done. The FCC will continue to have an oversight role on implementation of the best practices and will soon issue a public notice seeking comment on the report’s recommendations. And the next CSRIC, CSRIC V, launches today with network security still front and center. So stay tuned.