Bipartisan Congressional Members Ask FCC How Proposed Set-Top Box Rule Affects Cybersecurity

WASHINGTON — Sen. Ron Johnson (R-Wis.), chairman of the Senate Homeland Security and Governmental Affairs Committee, with Sen. Tom Carper (D-Del.), the committee’s ranking member, as well as Rep. Michael McCaul (R-Texas), chairman of the House Committee on Homeland Security, and Rep. Bennie Thompson (D-Miss.), the committee’s ranking member, sent a letter to Federal Communications Commission (FCC) Chairman Tom Wheeler asking how the FCC’s proposed rule on set-top boxes will affect cybersecurity.

The members of Congress asked Wheeler to provide information on safeguards included in the proposed rule to provide strong levels of cybersecurity and urged further attention in this area. It is important that cybersecurity is fully addressed in any final rule.

“As more and more devices become directly connected to the Internet, it is imperative that they be developed with adequate levels of security in mind.  Vulnerabilities in software and hardware can allow malicious actors to infect consumers’ devices and carry out cyberattacks,” the members wrote. “These attacks could allow criminals from across the globe to access networks and steal sensitive data.  Further, without the right cybersecurity protections across networks, a vulnerable device could allow cybercriminals entry.”

The members also highlighted the National Institute of Standards and Technology Cybersecurity Framework. While its adoption is voluntary, many communications providers are actively using it to complement or support existing security programs.  “It is unclear how some of the FCC’s proposed rulemaking aligns with the framework’s recommended practices or how existing cable and satellite providers can adequately inventory devices attached to their network.” 

The letter can be found here and below:

May 23, 2016

The Honorable Thomas Wheeler

Chairman

Federal Communications Commission

445 12th Street, SW

Washington, DC 20554

Dear Chairman Wheeler:

The Federal Communications Commission’s (FCC) rules and regulations for the communications sector can have a significant effect on the security of individual Americans, our critical infrastructure, and our national and economic security.  Given our committees’ past work on cybersecurity, we have an interest in the Commission’s current Notice of Proposed Rulemaking related to set-top boxes (MB Docket No. 16-42).  In particular, we are interested in learning more about the cybersecurity proposals within the rulemaking and urge further attention in this area.  It is important that cybersecurity is fully addressed in any final rule.

As more and more devices become directly connected to the Internet, it is imperative that they be developed with adequate levels of security in mind.  Vulnerabilities in software and hardware can allow malicious actors to infect consumers’ devices and carry out cyberattacks.  These attacks could allow criminals from across the globe to access networks and steal sensitive data.  Further, without the right cybersecurity protections across networks, a vulnerable device could allow cybercriminals entry.

The communications sector has invested significant resources in the development and use of the NIST Cybersecurity Framework.  While the Framework itself is voluntary, many current communications providers are actively using it today to complement or support their existing security programs.  It is unclear how some of the FCC’s proposed rulemaking aligns with the Framework’s recommended practices or how existing cable and satellite providers can adequately inventory devices attached to their network, including devices owned by a third party.  For example, a core function of the Framework is to identify a firm’s information technology assets and connections with other organizations and devices in order to ensure that it fully understands its risk posture and develops an associated cybersecurity risk management program.   

To better understand how the Commission’s current proposed rule-making related to set-top boxes impacts cybersecurity, we respectfully request the following information:

1. How did the FCC consider cybersecurity when developing the proposed rulemaking?

2. The FCC requires self-certifications related to a number of issues. How will the FCC enforce this?

3. How does the proposed rulemaking ensure that third-party device manufacturers and software developers are meeting an adequate level of software and hardware security, including supply chain risks? 

4. Did the FCC consider the NIST Cybersecurity Framework risk management approach in the proposed rule-making? 

   a. If yes, please describe how and cite the references in the proposed rulemaking.

   b. If no, can you assure us the Framework will be considered as you draft final rules?

5. Does the proposed rulemaking address potential economic harm to content creators or businesses that may be impacted from the potential for cyberattacks or potential harm to infrastructure? 

Please provide this information as soon as possible, but no later than 5:00 p.m. on June 10, 2016.

###
