FCC to IoT Device Vendors: Implement Cybersecurity Now or We May Force You To

The agency is advocating cyber accountability to reduce cyber risk in the communications sector.
Published: January 30, 2017

In its recently released white paper “Cybersecurity Risk Reduction,” the Federal Communications Commission (FCC) expressed serious concern about the “burgeoning – and insecure IoT market [that] exacerbates cybersecurity investment shortfalls [because] the private sector may not have sufficient incentives to invest in cybersecurity beyond their own corporate interests.” Noting that insecure wireless devices have been used to attack critical control utilities that are not FCC-regulated, shutting down service to millions of users, the agency is advocating “cyber accountability”—a combination of market-based incentives and regulatory oversight—to reduce cyber risk in the communications sector.

Background
As required by 2013’s Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” in February 2014 the National Institute of Standards and Technology (NIST) published its “Framework for Improving Critical Infrastructure Cybersecurity,” setting out voluntary cybersecurity standards, guidelines and practices for applicable industries.

Acknowledging its responsibility to protect the United States’ communications networks, the FCC issued a new paradigm in 2014 for cybersecurity in the telecommunications industry, aligned with the principles of the NIST framework. This new paradigm looks first to market incentives to address cybersecurity, but when market failures occur, the FCC will impose necessary regulations. The FCC has undertaken many studies since the paradigm was declared, and has determined that it would impose cyber accountability on appropriate entities that fall under its jurisdiction.

RF Equipment Suppliers Must Implement Security by Design
While the FCC seeks to apply cyber accountability to many communications carriers (including internet service providers and submarine cable operators), in the IoT world and wireless industry in general, radio frequency (RF) device manufacturers and vendors would bear a large portion of responsibility. This includes RFID equipment suppliers, as RFID readers and related devices are subject to authorization under parts 2 and 15 of the FCC’s rules. The FCC proposes that RF equipment suppliers should implement “security by design” practices to build cybersecurity into their products before marketing them. As defined by the FCC, security by design is “a practice of continuous testing, authentication safeguards, and adherence to best [cybersecurity] practices.”

The FCC avers that regulatory oversight of this process would likely be required, in part because of the “large and diverse numbers of IoT vendors – who are driven by competition to keep prices low – hinders coordinated efforts to build security by design into the IoT on a voluntary basis.” Accordingly, the FCC states that, among other things, changes to its equipment certification rules may be necessary to protect networks from IoT and other RF devices’ security risks.

Federal Cybersecurity Regulatory Proceedings
Just prior to release of the white paper, the FCC published a notice of inquiry, kicking off a regulatory proceeding in which a wide variety of IoT stakeholders, including RF equipment suppliers, can opine on various cybersecurity matters and help shape the future rules. For RFID equipment suppliers, a key issue is whether and to what extent RF device suppliers should be responsible for securing their products, and their potential liabilities to third parties for breaches. Comments may include, for example, information as to market practices and conditions that mitigate the need for regulatory oversight. Comments are due by Apr. 24, 2017, and reply comments are due by May 23, 2017.

The U.S. Department of Commerce (DoC) is conducting a companion regulatory proceeding that solicits comments on proposed federal government IoT cybersecurity guidelines. IoT privacy issues are also teed up for comment in the DoC proceeding. Comments are due on or before Feb. 27, 2017.

UPDATE, Feb. 6, 2017: The FCC has rescinded the white paper in question, but the comment period for the Notice of Inquiry is still in effect.

IoT attorney Ronald E. Quirk is the head of the Internet of Things & Connected Devices Practice Group at Marashlian & Donahue PLLC, The CommLaw Group, where he focuses his practice on serving the comprehensive needs of the burgeoning and complex Internet of Things industry, including contracts and commercial law, privacy and cybersecurity, spectrum access, equipment authorization, tax, regulatory compliance planning and more. His career has spanned more than 20 years, including several years at AMLAW 100 firms and the FCC. He can be reached at [email protected] or (703) 714-1305. Mr. Quirk recently published the “Global Guide to Radiofrequency Equipment Authorization,” detailing what you need to know to ensure that your RF devices are compliant with applicable regulations before bringing them to market in the United States and internationally. This guide is available at RFID Journal’s online store.