
Before the Federal Communications Commission
Washington, D.C. 20554

In the Matter of CSRIC IV Cybersecurity Risk Management and Assurance Recommendations
PS Docket No

COMMENTS OF AMERICAN CABLE ASSOCIATION

CONTENTS

I. INTRODUCTION
II. DISCUSSION
Cyber Incidents Are on the Rise
A. ACA Members Are Taking Steps to Promote Cybersecurity in Their Networks
Types and Frequency of Attacks
Forward-Looking Steps to Prevent and Mitigate Future Incidents
B. Improving on the CSRIC IV Report for Small and Medium Sized Cable Operators
Company-Specific Meetings
Development of the Communications Sector-Specific Annual Report
Commission Participation in the C3 Voluntary Program
Barriers That Inhibit Cybersecurity Risk Management
III. CONCLUSION

I. INTRODUCTION

The American Cable Association (ACA) submits these comments in the above-captioned proceeding, in which the Public Safety and Homeland Security Bureau (PSHSB) of the Federal Communications Commission (Commission) has sought comment on the report on Cybersecurity Risk Management and Best Practices developed by the fourth Communications Security, Reliability and Interoperability Council (CSRIC IV Report). [1] Overall, ACA believes the CSRIC IV Report, as it relates to cable providers and small to medium sized businesses, provides valuable tools in managing the risks posed in this ever-evolving space. [2] With respect to certain recommendations contained in the CSRIC IV Report, ACA offers comments to provide additional insight into how they might be tailored to best apply to its member companies.

We begin by offering information gathered through conversations with a small cross-section of member companies that we engaged recently regarding their experiences prior to the issuance of the CSRIC IV Report in dealing with cybersecurity attacks and their implementing cybersecurity risk management processes, including their challenges as smaller entities. In these conversations, we also solicited feedback from these members about the CSRIC IV Report to understand better the opportunities it provides for them and operators like them. [3] Based on these conversations, we then provide more specific comment on the questions posed by the Public

[1] FCC's Public Safety and Homeland Security Bureau Requests Comment on CSRIC IV Cybersecurity Risk Management and Assurance Recommendations, Public Notice, PS Docket No , DA (Mar. 19, 2015) (CSRIC IV Report Public Notice); The Communications Security, Reliability and Interoperability Council, Cybersecurity Risk Management and Best Practices Working Group 4: Final Report (Mar. 2015). (CSRIC IV Report)

Most of these companies had representatives who listened to a recent ACA webinar on the CSRIC IV Report that the FCC's Jeffrey Goldthorp participated in, which helped our members to understand better the opportunities it provides.

Notice on the CSRIC IV Report regarding how those recommendations might be tailored to meet the needs of small and medium-sized cable operators.

II. DISCUSSION

The Commission charged the CSRIC IV Working Group 4 (CSRIC IV) with recommending voluntary mechanisms to provide what it terms macro-level assurances to the public and the Commission that communications providers are taking the necessary corporate and operational measures to manage cybersecurity risks. [4] The Commission also charged the CSRIC IV with developing implementation guidance to help communications providers use and adapt the NIST Cybersecurity Framework. The Public Notice seeks comment generally on the cybersecurity risk management recommendations of the CSRIC IV. [5]

Cyber Incidents Are on the Rise. As the Commission knows all too well, cybersecurity incidents are ever increasing and the trends show no signs of slowing. A recent PwC survey, Global State of Information Security Survey (PwC Survey), found that the total number of security incidents detected showed a 48 percent increase over the 2013 rate and the trend shows a 66 percent increase year over year since The PwC Survey found that 74 percent of telecommunications companies in North America experienced security incidents in 2014, over 50 percent of them experiencing 10 or more attacks and 35% experiencing over 50 incidents in

[4] CSRIC IV Report Public Notice at 1.

[5] Id. at 2.

[6] PwC, Global State of Information Security Survey 2015,

the last year. [7] The increases are across all types of attacks including distributed denial of service (DDOS), various types of phishing, malware, and ransomware to cite a few. [8] Symantec's Annual Report for 2014 found a similar increase in the level of attacks as the PwC Survey and as Symantec noted, 2014 was a year with far-reaching vulnerabilities, faster attacks, files held for ransom, and far more malicious code than in previous years. [9] Symantec notes that attackers are using increased levels of deception and, in some cases, hijacking companies' own infrastructure and turning it against them. [10] It concludes its Annual Report noting that almost no company, whether large or small, is immune from attack. [11]

A. ACA Members Are Taking Steps to Promote Cybersecurity in Their Networks

ACA represents more than 800 smaller and medium-sized independent cable operators, many of whom are quite small. Our members provide a full suite of services, including broadband, cable and phone service, with some offering wireless services. Our member companies' networks pass nearly 19 million homes and serve nearly 7 million with video and broadband services primarily in rural and smaller suburban markets across the United States.

As noted above, in developing these comments, between May 11 and May 18, ACA and its attorneys conducted a series of individual discussions with a small cross-section of the ACA membership to update our understanding of the type and level of cyber-attacks member companies are facing, how they are fighting back against those attacks, and what tools they have

[7] Id.

[8] Sean Michael Kerner, DDOS Attack Volume on the Rise, eweek, Jan ,

[9] Symantec, 2015 Internet Security Threat Report,

[10] Id. at

Id. at 7.

put in place to prevent and mitigate the effects of future attacks on their cable networks. We also discussed with these companies their perspective so far on the NIST Cybersecurity Framework and recommendations contained in the CSRIC IV Report. [12]

The cross-section of companies that we spoke with ranged from companies with a few thousand subscribers and less than a couple of dozen employees to companies with a half million subscribers and a couple of thousand employees. Some of these companies were publicly-owned entities and others were privately held. Each of the companies offers a full complement of services including voice, video, and broadband. They each offer services to residential and business customers in their community. And they have each been subjected regularly to cyber-attacks. Through these discussions, ACA gained valuable information about the threats and obstacles faced by these members, and believes this information is reflective of the membership as a whole.

As integral members of their communities, ACA companies that were spoken to displayed strong incentives to ensure they address and improve their cybersecurity protections. These incentives come in part from the unfortunate reality that our members face regular cyber-attacks of various kinds. As noted in the NIST Cybersecurity Framework, cybersecurity risks can not only drive up costs and impact revenue in many ways, hurt customers, limit the availability of the company's services, distract and consume a very limited workforce, and adversely impact an organization's ability to gain and maintain customers, but also can adversely impact a company's ability to operate. [13] This is a point the companies we spoke with understand

[12] Communications Security, Reliability and Interoperability Council, Cybersecurity Risk Management and Best Practices Working Group 4: Final Report (Mar. 2015). (CSRIC IV Report).

[13] As noted in the NIST Cybersecurity Framework, similar to financial and reputational risk, cybersecurity risk affects a company's bottom line. It can drive up costs and impact revenue. It can harm an organization's ability to innovate and to gain and maintain customers. The National Institute of Technology and Standards, Framework for Improving Critical Infrastructure Cybersecurity Version 1.0 (Feb. 12, 2014), upload/cybersecurity-framework pdf (NIST Framework).

well. The publicly-traded companies we spoke with also mentioned that they have incentives based on their status as such, including Sarbanes-Oxley, and potential liability issues.

While the companies we spoke with have incentives to counter cybersecurity risk, their resources to address such measures are not unlimited. Smaller companies often cannot dedicate an employee, let alone a team of employees, to perform cybersecurity risk management as their sole task. They often have little opportunity or direct access to training and expert workers. One of the smaller providers we spoke with, for example, mentioned to us that they rely on an outside vendor to be their primary tool in identifying attacks. They use the vendor in conjunction with a couple of company engineers, whose primary job is to ensure good network performance, to respond when there is an incident. Another provider we spoke with mentioned that they have a person designated to oversee cybersecurity risk management, but the provider noted that it is impractical for them to make it that person's 24/7 job.

In addition, smaller providers have to target investments in their networks, so cybersecurity risk management needs often are part of a limited pool of dollars that providers have available to make all of their network upgrades, which includes deployment of broadband in new areas and offering higher performance services. Each of the companies we spoke with cited limited investment dollars as a constraint on their ability to do more with regards to cybersecurity management.

Notwithstanding real barriers faced by our members, which ACA appreciates that the CSRIC IV Report recognizes, [14] the member companies we spoke with have taken steps as detailed below to enhance their ability to detect, respond, and protect their networks from cyber-attacks and implement some level of planning against future attacks. However, these operators

[14] CSRIC IV Report at

could do more if the financial and resource barriers associated with implementing appropriate cybersecurity measures are lowered, and towards the end of these comments, we offer suggestions on how the Commission and other agencies may be able to help in that regard.

Types and Frequency of Attacks. In responding to our questions about whether and what kinds of cyber-attacks they had experienced, each of the companies indicated that an attack on their Cable Core Network had occurred. [15] Among the smaller companies we talked with, each had experienced DDOS attacks and some had also experienced ransomware attacks to their networks. [16] In fact, one of the smaller companies we spoke with had experienced two incidents of ransomware attacks. These entities explained to us that the attacks had on occasion affected their ability to serve their customers by degrading some of the performance of their networks and one of the small companies that had experienced a ransomware attack involving CryptoLocker had to resort to backup data to overcome the attack. [17] For these entities, attacks that significantly impacted the network occurred fairly infrequently, less than a few incidents in a year.

The medium-sized cable providers interviewed not only experienced DDOS attacks and ransomware attacks, but also reported experiencing numerous malware and phishing attacks. In fact, one of the companies we spoke with noted that it sees primarily phishing attacks, though it too experiences DDOS attacks. Another of the medium-sized providers we spoke with mentioned that one of its biggest risks comes from attempts to get malware into its system. The

[15] Id. at 72 (defining the Cable Core Network as a core network that links their access network(s) to the communications core infrastructure for voice and data services. Cable systems core network includes the operational support system (OSS) that are used to provision, monitor, and maintain the cable network. Included in the OSS are the billing systems; authentication, authorization and access (AAA) systems, provisioning, monitoring systems, and number lookup systems like domain name servers (DNS) The core network is also the gateway to the third party providers, commercial data centers for services such as cloud based services, and access to other networks like the PSTN and Internet.).

[16] PC World, Ransomware Authors Streamline Attacks, Infections Rise, article/ /ransomware-authors-streamline-attacks-infections-rise.html (Feb. 10, 2015).

[17] The company said that it performs a backup daily, so very little data was lost.

threat comes from both the end-user side and the network side making it very difficult to manage. The provider also noted that there are new variants monthly. As this provider said to us, cyber-attacks are a business and they pay highly-skilled people to launch attacks. As with the attacks against the smaller providers with whom we spoke, the attacks experienced by the medium-sized providers we spoke with had on occasion resulted at least briefly in degrading of some of the performance on their networks.

Forward-Looking Steps to Prevent and Mitigate Future Incidents. In the CSRIC IV Report, the Small and Medium Size Business Feeder Group evaluated the 98 subcategories contained in the NIST Cybersecurity Framework and developed guidance on how small and medium-sized businesses can digest and apply the NIST Cybersecurity Framework. [18] They reduced their guidance into three basic questions that a small and medium-sized business should consider in developing their own unique plan: what does a small or medium-sized business need to protect; who has the responsibility for a given task; and how will a small or medium-sized business protect its core network. [19]

The companies we spoke with had dealt with cyber-attacks prior to the time of the CSRIC IV Report. In responding to these attacks, these companies took various steps to mitigate the problem at the time that they then incorporated into their own strategies to better respond to future cyber-attacks. [20] By taking these steps, the companies reported that they were able to realize significant reductions in the amount of time to detect and respond to later attacks. [21] The

[18] CSRIC IV Report at

Id.

[20] Some of the companies we spoke with mentioned that they operate their networks in compliance with the Payment Card Industry Data Security Standard (PCI DSS), which includes requirements for maintaining a secure network as well as penetration testing.

[21] CSRIC IV Report at

companies we spoke with adopted varying plans on how to manage cybersecurity risks to their networks.

For example, one of the smaller companies we talked with hired an outside firm to audit its systems and to assist it in identifying vulnerabilities. After completing that process, the company's Chief Information Security Officer (CISO) and systems engineers coordinated with the firm and, based on their recommendation, the company took a number of remedial steps, including, for example: hardening its firewall, upgrading all virus software, instituting auto-update policies for all routers and migrating to new servers. The company also took steps to upgrade all workstations that have access to the core network to ensure they minimized vulnerabilities. In addition, the company provided education and training to employees on risks and best practices for preventing cybersecurity problems.

One of the medium-sized companies we spoke with noted that its compliance with PCI standards has resulted in it taking steps, including performing penetration tests, to harden its network. The company also explained that it has in place a small security group housed in its Information Technology division that assists the organization in planning and addressing cyber-attacks. Another of the medium-sized companies we spoke with mentioned that it too complies with the PCI standard. This company also noted that it works closely with its vendors in identifying and responding to attacks on its network.

These forward-looking steps were common across the companies we spoke with. We found that the companies had engaged at the executive levels in their organizations to understand the need and develop strategies to manage cybersecurity risks. They had worked with their IT staff and/or outside parties including, where applicable, their network operation center (NOC) vendors to implement greater monitoring and remediation procedures. They developed tools such as phone trees to ensure coverage and responsiveness in the event of an attack and they upgraded existing and deployed new software

to assist in prevention and early detection. These companies also adopted procedures for reviewing traffic logs to identify potential attacks early on and to shorten the time for resolution. They have each erected varying levels of access controls for their core network to better mitigate risks. The companies have taken these and other steps to promote greater security in their core network so that their customers are protected and their own systems continue operating, which as the CSRIC IV Report notes, is critical from an infrastructure and business perspective. [22] These companies recognize, as does the CSRIC IV Report, that these steps may not be able to completely avoid being the victim of a cybersecurity incident but can help the company be prepared to minimize the scope and duration of the incident. [23]

As we have outlined above, the member companies we spoke with have made positive strides in addressing their own cybersecurity risk management needs without the benefits of the CSRIC IV Report. It is our expectation that the availability of best practices and other information contained in the report will help further enhance our members' efforts at managing these risks.

B. Improving on the CSRIC IV Report for Small and Medium Sized Cable Operators

In the Public Notice, the Bureau seeks comment on ways in which the CSRIC IV Report is sufficient as well as ways that the recommendations might be improved, augmented, or made more specific. The Public Notice also seeks comment on voluntary mechanisms to provide

[22] Id. at 372. Some of the companies interviewed were aware of the NIST Cybersecurity Framework and had used it to develop their plans. Others were not particularly aware of the framework but as noted above, developed plans that were consistent with the procedures and goals of the NIST Cybersecurity Framework and CSRIC IV Report. The majority had not yet carefully reviewed the recent and lengthy CSRIC IV Report.

[23] Id. at

assurances [and] to provide evidence of the communications sector's commitment to enhance cybersecurity risk management capabilities. [24] The voluntary mechanisms identified include confidential meetings with individual companies, development of reporting metrics to evaluate the state of cybersecurity risk management over time, and Commission participation in the C3 Voluntary Program to assist small and mid-sized communications providers in making use of the CSRIC recommendations. [25] In addition, the Public Notice seeks comment on what barriers, if any, would inhibit industry's effective application of the voluntary mechanisms discussed throughout the report and what differences exist based on factors such as size and ways to mitigate such barriers. [26]

Company-Specific Meetings. The CSRIC IV Report recommends that the Commission, in partnership with the Department of Homeland Security (DHS), conduct periodic confidential meetings with communications sector companies to discuss their cybersecurity risk management processes and their use of the NIST Cybersecurity Framework. [27] These meetings would be intended to provide the Commission and the public assurances that communications providers are taking the necessary measures to manage cybersecurity risks across the enterprise. [28] We make suggestions regarding such meetings primarily in three areas, the impracticality of meeting with all small and medium-sized businesses individually and how to address it, the content of individual meetings with small and medium-sized businesses that do occur, and valuable ways other than individual meetings for the Commission and DHS (and NIST) to do

[24] CSRIC IV Report Public Notice at

Id.

[26] Id.

[27] CSRIC IV Report at 7,

Id. at 4 (CSRIC IV uses the phrase macro-level assurances to mean the FCC and the public).

outreach both to obtain and provide valuable information about cybersecurity risk management in regard to small and medium-sized businesses in this sector.

With respect to the recommendation that the Commission and DHS conduct confidential company-specific meetings, as a practical matter the Commission and DHS are unlikely to be able to meet with all small providers individually given the large number of smaller companies that provide communications services in America. ACA believes there to be at least between 2,100 and 2,300 smaller operators serving rural and smaller markets across the country. [29] The Commission and DHS will understandably need to carefully consider and prioritize their efforts as they face resource limitations.

The impracticality of company-specific individual meetings with all providers, however, is by no means fatal to whether the Commission and public receive the voluntary assurances contemplated by the CSRIC IV Report. The reality is that little benefit in regard to assurances is gained in meeting with all small providers because the amount of new information that would be learned after meeting with a representative sample will be small and diminishing. By doing individual meetings with a sampling of small and medium-sized providers, a point discussed further below, the Commission and DHS should be able to adequately glean the insights that are of relevance and concern for the entire sector of smaller providers. Accordingly, the Commission and DHS can save their limited finances and time, and also those of many smaller providers by focusing their outreach. If the Commission and DHS elect not to meet with all providers, smaller providers who don't meet individually with the Commission or DHS should

[29] ACA and the National Telephone Cooperative Association, which represents small rural wireline broadband providers, together represent between 1,200 and 1,400 different wireline providers. In addition, the Competitive Carriers Association represents approximately 100 smaller wireless providers, and the Wireless Internet Service Providers Association includes about 800 wireless Internet service providers.

not be considered any more or less likely to be taking reasonable steps to manage their cybersecurity risks and threats than other similar companies.

Although the Commission and DHS need not meet with all small and medium-sized providers, it is important for these agencies to gain perspective from companies of varying sizes. As the CSRIC IV Report notes, each company faces its own set of challenges and has its own needs. [30] Our conversations about cybersecurity risk management issues with ACA members of different sizes and with vastly different resources confirm this point and underscore the value of the Commission and DHS doing individual meetings with a cross-section of small and medium-sized companies.

As the Commission considers how best to engage individually with small and medium-sized communications providers, we would suggest that a variety of possibilities be considered. One that may present real opportunities for not only the Commission, but DHS and NIST is to schedule meetings on the sidelines of trade shows and other similar events that attract a large number of providers. Various industry associations hold annual trade shows and commissioners and Commission staff are often invited to the events to share their perspective on issues that affect that sector. These events attract strong turnout by member companies. The Commission, DHS and NIST should leverage these opportunities to meet individually with providers to discuss cybersecurity risk management, in addition to participating in larger meetings and making presentations. Should the agencies express an interest in pursuing this approach, ACA stands ready to act as an intermediary. Regional gatherings of various kinds that are organized by industry or that could be organized by government can also provide opportunities for

[30] CSRIC IV Report at

individual meetings and, of course, it may also be feasible to conduct some individual meetings by phone.

As to the scope of the meetings, ACA believes that the recommended focus, which is for the Commission and DHS to discuss with network operators the operators' cybersecurity risk management processes and their use of the NIST Cybersecurity Framework, is too narrow in certain respects. We think that the Commission and DHS should broaden their perspective on the goals of these individual meetings, which would at the same time increase the value of these meetings to the small and medium-sized businesses that participate. The meetings should be viewed as a two-way conversation. These small and medium-sized companies are resource constrained and rarely have individual meetings of this kind with policymakers skilled on such subjects, so using these meetings as an opportunity to be helpful to them could add substantial value and interest.

Specifically, the Commission and DHS should view these individual meetings as an opportunity to share information. They can convey information on potential strategies and best practices that may be helpful based on what the Commission and DHS learn in meetings and from companies facing similar challenges and issues, while preserving the confidentiality of individual meetings. In addition to providing valuable direct assistance to companies in these individual meetings, the DHS and Commission will also have the opportunity to augment more effectively the ways that government can be helpful to the private sector after conducting these meetings.

Id. at (discussing the importance of sharing experiences and continued collaboration so that the NIST Cybersecurity Framework can continue to evolve).

Thus, the meetings can be thought of too as an opportunity in part for the Commission and providers to discuss the successes that either are aware of in overcoming cybersecurity risk management challenges. As the CSRIC IV Report notes, communications sector members are one component of a vast landscape of interdependent critical infrastructure ecosystem stakeholders that requires a high degree of information sharing (consistent with applicable law) and collaboration to effectively manage cyber risk. [32] More broadly, the companies we spoke with mentioned that information sharing could be very beneficial in helping them better protect their networks. [33] That is not limited to the particular forms of information sharing addressed in presidential executive orders and proposed legislation.

As the Commission hears from a range of providers in the various segments, it will gain a broad base of knowledge that could make it a repository of information and practices that would be useful for small and medium-sized providers to learn and be able to utilize. The Commission should consider sharing information and best practices in its conversations with providers generally as well as individually, again while protecting the confidentiality of specific information about specific providers. This broader scope for meetings will help the Commission and DHS better effectuate the information sharing goals that are part of the NIST Cybersecurity Framework and the CSRIC IV Report.

More generally, in addition to individual meetings, we would suggest that greater outreach on the part of the Commission, DHS and NIST would be welcome to educate smaller and medium-sized companies about practices, tools, training, resources etc., that are available to help manage and address cybersecurity risks. We understand that the DHS, NIST and the Commission are interested in doing more outreach to small and medium-sized businesses, and

[32] Id. at

Infra at

we can attest from our conversations with members that it would be welcomed and needed, given the serious resource constraints our members face and serious competing demands for attention. These events attract very strong turnout by member companies. Should the agencies express an interest in pursuing this approach, ACA stands ready to act as an intermediary.

Development of the Communications Sector-Specific Annual Report. The Public Notice asks what measures to include in a Sector Annual Report (SAR) to provide appropriate levels of visibility about the state of cybersecurity risk management. [34] The Measurements Feeder Group to the CSRIC IV found that the communications SAR could be expanded to include meaningful indicators that could be useful in demonstrating the overall state of cybersecurity. [35] In the CSRIC IV Report, the subgroup recommends that the Communications Sector Coordinating Council (CSCC) develop an addendum to the SAR that, based on these indicators, discusses how cyber risk management practices employed by the sector are addressing availability, reliability, resiliency and integrity. [36] The subgroup notes, however, that it is difficult to develop cybersecurity measures around the effectiveness of given programs given the cross-sectorial nature of cyber threats. [37]

ACA does not take a position on what measures should be included in such a report, but urges the Commission to be mindful of the burden reporting obligations could present, even in a voluntary context as recommended by the CSRIC IV Report. [38] As noted above, there are diminishing returns in questioning all small and medium-sized providers. One way to minimize

[34] CSRIC IV Report Public Notice at

CSRIC IV Report at

Id.

[37] Id. at ,

CSRIC IV Report at

the burden would be to seek input from a cross-section or sampling of providers. That should be sufficient to help inform the CSRIC's discussion as part of any SAR addendum should it choose to pursue such a report. ACA does see the potential value of a SAR, particularly if, as the CSRIC IV Report recommends, it offers high level, aggregated information regarding cybersecurity practices that were successful at promoting the ongoing availability and resiliency of networks. [39]

Commission Participation in the C3 Voluntary Program. The Public Notice seeks comment on how the Commission can coordinate with DHS through the C3 Voluntary Program to help small and medium sized communications providers. [40] The primary functions of the C3 Voluntary Program are to promote use of the NIST Cybersecurity Framework through outreach and to work with organizations using the NIST Cybersecurity Framework to understand how they are using it and how it can be improved. [41] As suggested above, a broader outreach effort by the Commission and DHS will help inform those agencies' understanding of the extent to which small and medium-sized providers are using the NIST Cybersecurity Framework and how the framework could be improved/adapted to better accommodate their needs or concerns.

Barriers That Inhibit Cybersecurity Risk Management. Finally, the Public Notice seeks comment on whether barriers exist that inhibit application of the voluntary mechanism. [42] The Public Notice seeks comment on what differences in the barriers exist based on factors such as

[39] Id. at

CSRIC IV Report Public Notice at 2. We note that for most ACA members, it is safe to say that they have no experience with the C3 Voluntary program and little or no knowledge of it.

CSRIC IV Report Public Notice at 2.

size and how might these barriers be mitigated. 43 The CSRIC IV Report notes five barriers to implementation: financial, legal (policy), technical, consumer/market, and operational. 44 ACA members are affected by each of these barriers to varying degrees, but our comments here focus on the financial, legal, and technical barriers. 45

ACA member companies are lean operations that have to prioritize investments. As the CSRIC IV Report notes, such companies have much more limited operating and capital resources and require a stricter prioritization regimen. 46 ACA member companies balance those costs against the need to protect the network that serves the members of the communities in which they serve and live. 47 ACA members take their responsibility seriously and have already made substantial investments in increasing their cybersecurity protections. In order to be effective, these investments must, in many instances, be recurring investments, and commitments have been made in that regard. As innovation progresses, so do threats, and, as the CSRIC IV Report notes, the evolving nature of those threats has the potential to make financial considerations an even bigger barrier going forward. 48

In addition to purely financial considerations, there are also very substantial human resource costs that must be part of the calculus. Whether it is bringing on additional staff or contracting with vendors for services in this area, resource limitations are a

43 Id. 44 CSRIC IV Report at The comments mention consumer/market in the context of financial barriers and to the extent operational barriers include human resources, those are also addressed in our comment on financial barriers. 46 CSRIC IV Report at The CSRIC IV Report noted this concern as a consumer/market barrier. We agree that this is a barrier. Id. at Id. at

real constraint and are often associated with financial barriers. Many of these companies have very small staffs. ACA is pleased that the Small Medium Business Feeder Group recognized these constraints and called on the federal government to resume the work on incentives that was called for in the Executive Order, and ACA supports that call. 49 Companies we spoke with cited financial and resource barriers as major impediments and stated that financial incentives for implementation and training of employees would be very helpful. These companies agreed that mitigating some of the costs associated with voluntary adoption of the NIST Cybersecurity Framework will help further implementation. 50 The Commission, DHS and NIST should work with other federal agencies to encourage Congress to develop economic incentives that further adoption of the NIST Cybersecurity Framework. 51

Perhaps the most straightforward economic incentive government can provide is a tax incentive. A number of parties supported extending tax incentives for cybersecurity investments in comments filed before the National Telecommunications and Information Administration and the Department of Treasury. 52 While those agencies determined not to pursue tax incentives at that time, ACA agrees with the Small Medium Business Feeder Group and the National Association of State Chief Information Officers that work on just such incentives should resume.

Id. at Id. 51 Id. 52 See National Telecommunications and Information Administration, Incentives to Adopt Improved Cybersecurity Practices, Notice of Inquiry, Docket No (available at 53 Id.; see (supporting legislation that would provide federal tax credits to private industry that participate in cybersecurity Information Sharing and Analysis Organizations (ISAOs) and fusion centers.

In addition to advocating for economic incentives, the Commission and DHS can work to help reduce costs associated with better cybersecurity risk management by continuing their efforts to develop tools and templates that small and medium-sized providers can use for assessment. For example, the CSRIC IV Report contains an Appendix in the Small Medium Business section that lists the 37 practices deemed to be the priority practices for consideration by small and medium-sized providers. 54 The list walks providers through the various recommendations from the NIST Cybersecurity Framework and explains how each fits into its what, who, and how construct, making the information readily accessible and more digestible. While providers understand that such lists are designed as guides and not a prescriptive, inclusive list, such lists can be extremely helpful in focusing their planning and educating people within their organization regarding what is needed to promote better cybersecurity risk management.

Additional templates that could offer cost savings would be templates that could be used by small and medium-sized providers with regard to incident response. The CSRIC IV Report provides some information but it could be developed further into an even more usable tool. 55 Other templates could focus on contracting language and, building on the work of the Commission Small Biz Cyber Planning Tool, a template small and medium-sized providers could use to assist their end users in better understanding their part in promoting cybersecurity. 56

Finally, we encourage the Commission more generally to remain mindful of the economic and resource considerations that are of concern to ACA members as they move to implement cybersecurity risk mitigation measures. These are real and daunting concerns that

54 CSRIC IV Report at Id. at FCC Small Biz Cyber Planner 2.0,

must be taken into account as the Commission works with other agencies in developing structures to promote use of the NIST Cybersecurity Framework.

Closely related to financial barriers are the technology barriers. The CSRIC IV Report states that uncertainty around the value of certain technologies complicates the inability of a provider to determine the rate of investment on solutions. 57 ACA members have faced this challenge in their cybersecurity risk planning and a number of ACA members we spoke with have gone through and continue to reevaluate the process of reviewing their business environment to prioritize needs and selected a suite of solutions to meet those needs. 58

The CSRIC IV Report notes that the main legal (policy) barrier is the uncertainty around information sharing. 59 ACA would agree with that assessment. In each of the conversations we had with ACA members, the need for greater information sharing was cited as the second most helpful thing the government could do (the first being financial incentives). Our member companies, as with other small and medium-sized businesses, could greatly benefit by having a better understanding of what threats others are confronting to help them better target their efforts. In this regard, the companies stated that greater information sharing could help in preventing and resolving cyber-attacks more quickly and could help reduce the cost of managing cybersecurity risks.

For their part, the Commission and DHS can be very helpful in reducing this barrier through more outreach and engagement, whether through the C3 Voluntary Program, company-specific meetings or association conference participation. In addition, to the extent these

57 Id. at Id. at 209, Id. at

agencies can help inform the discussions in Congress around legislation to promote greater information sharing, we would encourage that. Passage of such legislation would help entities across the spectrum better identify and respond to cyber-attacks. As the CSRIC IV Report finds, legislation that supports increased liability protections for information sharing would allow for a more proactive approach to implementing cybersecurity information sharing practices. 60

ACA sees the opportunities for reducing barriers detailed above as an effort that must be undertaken by all stakeholders in the sector. There is a role for private interests to play in using the tools provided through the NIST Cybersecurity Framework and the CSRIC IV Report to assess and plan for appropriate risk mitigation. There is a role for the Commission and DHS to play in not only helping providers lessen barriers, but in helping to inform other agencies and Congress of the needs of providers, particularly smaller providers, related to economic incentives and information sharing. Only through a coordinated effort will we be able to plan for and manage cybersecurity-related risk.

III. CONCLUSION

ACA appreciates the opportunity to provide these comments on the CSRIC IV Report. As these comments demonstrate, the CSRIC IV Report provides a useful tool for managing cybersecurity risk. Many ACA member companies have also used the NIST Cybersecurity Framework to address their unique circumstances. ACA hopes the information in these comments is helpful in providing the Commission with some perspective on the challenges and opportunities small and medium-sized cable providers face in addressing cybersecurity risks.

60 Id.

We reiterate that to the extent the Commission, DHS and NIST determine that greater outreach is warranted, ACA stands ready to assist these agencies in that effort.

Respectfully submitted,

Matthew Polka
President and CEO
American Cable Association
875 Greentree Road
Seven Parkway Center, Suite 755
Pittsburgh, Pennsylvania
(412)

Gregory W. Guice
Akin Gump Strauss Hauer & Feld
1333 New Hampshire Avenue, NW
Washington, DC
(202)
Attorney for American Cable Association

Ross J. Liebermann
Senior Vice President of Government Affairs
American Cable Association
th Place, NW
Washington, DC
(202)


CYBERSECURITY BEST PRACTICES FOR SMALL AND MEDIUM PENNSYLVANIA UTILITIES CYBERSECURITY BEST PRACTICES FOR SMALL AND MEDIUM PENNSYLVANIA UTILITIES The information provided in this document is presented as a courtesy to be used for informational purposes only. This information

More information

WILLIS SPECIAL REPORT: 10K DISCLOSURES HOW RETAIL COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES

WILLIS SPECIAL REPORT: 10K DISCLOSURES HOW RETAIL COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES WILLIS SPECIAL REPORT: 10K DISCLOSURES HOW RETAIL COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES This special report examines the cyber risk disclosures made by the retail sector of the Fortune 1000.

More information

Sempra Energy Utilities response Department of Commerce Inquiry on Cyber Security Incentives APR 29 2013

Sempra Energy Utilities response Department of Commerce Inquiry on Cyber Security Incentives APR 29 2013 Sempra Energy Utilities response Department of Commerce Inquiry on Cyber Security Incentives APR 29 2013 Sempra Energy s gas and electric utilities collaborate with industry leaders and a wide range of

More information

Submitted at: http://www.regulations.gov/#!submitcomment;d=nhtsa-2014-0108-0001

Submitted at: http://www.regulations.gov/#!submitcomment;d=nhtsa-2014-0108-0001 December 8, 2014 Docket Management Facility U.S. Department of Transportation 1200 New Jersey Avenue SE. West Building Ground Floor, Room W12-140 Washington, DC 20590-0001 Submitted at: http://www.regulations.gov/#!submitcomment;d=nhtsa-2014-0108-0001

More information

Before the FEDERAL COMMUNICATIONS COMMISSION Washington, DC ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) COMMENTS OF AMERICAN CABLE ASSOCIATION

Before the FEDERAL COMMUNICATIONS COMMISSION Washington, DC ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) COMMENTS OF AMERICAN CABLE ASSOCIATION Before the FEDERAL COMMUNICATIONS COMMISSION Washington, DC In the Matter of Ensuring Customer Premises Equipment Backup Power for Continuity of Communications Technology Transitions Policies and Rules

More information

Re: Experience with the Framework for Improving Critical Infrastructure Cybersecurity ( Framework )

Re: Experience with the Framework for Improving Critical Infrastructure Cybersecurity ( Framework ) 10 October 2014 Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899 Re: Experience with the Framework for Improving Critical Infrastructure

More information

Cyber-Insurance Metrics and Impact on Cyber-Security

Cyber-Insurance Metrics and Impact on Cyber-Security Cyber-Insurance Metrics and Impact on Cyber-Security Sometimes we can... be a little bit more vigorous in using market-based incentives, working with the insurance industry, for example... DHS Secretary

More information

September 28, 2 012 MEMORANDUM FOR. MR. ANTONY BLINKEN Deputy Assistant to the President and National Security Advisor to the Vice President

September 28, 2 012 MEMORANDUM FOR. MR. ANTONY BLINKEN Deputy Assistant to the President and National Security Advisor to the Vice President 004216 THE WHITE HOUSE WASHINGTON MEMORANDUM FOR September 28, 2 012 MR. ANTONY BLINKEN Deputy Assistant to the President and National Security Advisor to the Vice President MR. STEPHEN D. MULL Executive

More information

Ed McMurray, CISA, CISSP, CTGA CoNetrix

Ed McMurray, CISA, CISSP, CTGA CoNetrix Ed McMurray, CISA, CISSP, CTGA CoNetrix AGENDA Introduction Cybersecurity Recent News Regulatory Statements NIST Cybersecurity Framework FFIEC Cybersecurity Assessment Questions Information Security Stats

More information

BEFORE THE FEDERAL COMMUNICATIONS COMMISSION WASHINGTON, DC 20554

BEFORE THE FEDERAL COMMUNICATIONS COMMISSION WASHINGTON, DC 20554 BEFORE THE FEDERAL COMMUNICATIONS COMMISSION WASHINGTON, DC 20554 ) Protecting and Promoting the Open Internet ) GN Docket No. 14-28 ) Notice of Information Collection ) OMB Control No. 306-1158 ) COMMENTS

More information

2014 HIMSS Analytics Cloud Survey

2014 HIMSS Analytics Cloud Survey 2014 HIMSS Analytics Cloud Survey June 2014 2 Introduction Cloud services have been touted as a viable approach to reduce operating expenses for healthcare organizations. Yet, engage in any conversation

More information

ENERGY SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDANCE

ENERGY SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDANCE ENERGY SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDANCE JANUARY 2015 U.S. DEPARTMENT OF ENERGY OFFICE OF ELECTRICITY DELIVERY AND ENERGY RELIABILITY Energy Sector Cybersecurity Framework Implementation

More information

Priority III: A National Cyberspace Security Awareness and Training Program

Priority III: A National Cyberspace Security Awareness and Training Program Priority III: A National Cyberspace Security Awareness and Training Program Everyone who relies on part of cyberspace is encouraged to help secure the part of cyberspace that they can influence or control.

More information

Actions and Recommendations (A/R) Summary

Actions and Recommendations (A/R) Summary Actions and Recommendations (A/R) Summary Priority I: A National Cyberspace Security Response System A/R 1-1: DHS will create a single point-ofcontact for the federal government s interaction with industry

More information

Managing IT Security with Penetration Testing

Managing IT Security with Penetration Testing Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to

More information

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015 Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity

More information

April 28, 2009. Dear Mr. Chairman:

April 28, 2009. Dear Mr. Chairman: April 28, 2009 The Honorable Edward J. Markey Chairman Subcommittee on Energy and Environment Committee on Energy and Commerce U.S. House of Representatives Washington, D.C. 20515 Dear Mr. Chairman: I

More information

BEFORE THE FEDERAL COMMUNICATIONS COMMISSION WASHINGTON D.C. 20554

BEFORE THE FEDERAL COMMUNICATIONS COMMISSION WASHINGTON D.C. 20554 BEFORE THE FEDERAL COMMUNICATIONS COMMISSION WASHINGTON D.C. 20554 In the Matter of: ) ) The Proposed Extension of Part 4 of the ) PS Docket No. 11-82 Commission s Ruling Regarding Outage ) Reporting to

More information

National Cyber Security Policy -2013

National Cyber Security Policy -2013 National Cyber Security Policy -2013 Preamble 1. Cyberspace 1 is a complex environment consisting of interactions between people, software and services, supported by worldwide distribution of information

More information

Attn: Cybersecurity RFC 2015, Request for Comment on Stakeholder Engagement on Cybersecurity in the Digital Ecosystem

Attn: Cybersecurity RFC 2015, Request for Comment on Stakeholder Engagement on Cybersecurity in the Digital Ecosystem May 27, 2015 Allan Friedman National Telecommunications and Information Administration U.S. Department of Commerce 1401 Constitution Ave, NW Room 4725 Attn: Cybersecurity RFC 2015 Washington, DC 20230

More information

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team Symantec Cyber Threat Analysis Program Symantec Cyber Threat Analysis Program Team White Paper: Symantec Security Intelligence Services Symantec Cyber Threat Analysis Program Contents Overview...............................................................................................

More information

The Importance of Cybersecurity Monitoring for Utilities

The Importance of Cybersecurity Monitoring for Utilities The Importance of Cybersecurity Monitoring for Utilities www.n-dimension.com Cybersecurity threats against energy companies, including utilities, have been increasing at an alarming rate. A comprehensive

More information

Technological Evolution

Technological Evolution Technological Evolution The Impact of Social Media, Big Data and Privacy on Business Government Regulation, Enforcement and Legislation on Privacy, Cyber Security and Social Media Jeff Brueggeman Vice

More information

In This Issue: Finance & Legal Edition. Voice. Cybersecurity Developments Raise Growing Regulatory Concerns For Undersea Cable Industry

In This Issue: Finance & Legal Edition. Voice. Cybersecurity Developments Raise Growing Regulatory Concerns For Undersea Cable Industry Voice of the Industry 69 m a r 2013 ISSN 1948-3031 Finance & Legal Edition In This Issue: Cybersecurity Developments Raise Growing Regulatory Concerns For Undersea Cable Industry Current Legal Trends And

More information

Cyber Security Metrics Dashboards & Analytics

Cyber Security Metrics Dashboards & Analytics Cyber Security Metrics Dashboards & Analytics Feb, 2014 Robert J. Michalsky Principal, Cyber Security NJVC, LLC Proprietary Data UNCLASSIFIED Agenda Healthcare Sector Threats Recent History Security Metrics

More information

How To Protect Your Computer From Attack

How To Protect Your Computer From Attack FREQUENTLY ASKED QUESTIONS on C Y B E R S E C U R I T Y By IEEE USA s Committee on Communications Policy December 2011 This Frequently Asked Questions (FAQs) was prepared by IEEE-USA s Committee on Communications

More information

Designing & Implementing. Programs. MBA Bank Expo 2012 April 11, 2012

Designing & Implementing. Programs. MBA Bank Expo 2012 April 11, 2012 Designing & Implementing Enterprise Security Programs MBA Bank Expo 2012 April 11, 2012 Session Purpose G R O U P Premise: Security is institutionalized, but the enterprise is evolving. the enterprise

More information

Data Breach Response Planning: Laying the Right Foundation

Data Breach Response Planning: Laying the Right Foundation Data Breach Response Planning: Laying the Right Foundation September 16, 2015 Presented by Paige M. Boshell and Amy S. Leopard babc.com ALABAMA I DISTRICT OF COLUMBIA I FLORIDA I MISSISSIPPI I NORTH CAROLINA

More information

January 22, 2015. With this in mind, following are our responses to the questions posed in the December 18 Federal Register.

January 22, 2015. With this in mind, following are our responses to the questions posed in the December 18 Federal Register. Docket Management Facility (M 30) U.S. Department of Transportation West Building Ground Floor Room W12 140 1200 New Jersey Avenue SE Washington, DC 20590 0001 Re: Guidance on Maritime Cybersecurity Standards

More information

Response to NIST: Developing a Framework to Improve Critical Infrastructure Cybersecurity

Response to NIST: Developing a Framework to Improve Critical Infrastructure Cybersecurity National Grid Overview National Grid is an international electric and natural gas company and one of the largest investor-owned energy companies in the world. We play a vital role in delivering gas and

More information

U. S. Attorney Office Northern District of Texas March 2013

U. S. Attorney Office Northern District of Texas March 2013 U. S. Attorney Office Northern District of Texas March 2013 What Is Cybercrime? Hacking DDOS attacks Domain name hijacking Malware Other computer related offenses, i.e. computer and internet used to facilitate

More information

The NIST Cybersecurity Framework

The NIST Cybersecurity Framework View the online version at http://us.practicallaw.com/5-599-6825 The NIST Cybersecurity Framework RICHARD RAYSMAN, HOLLAND & KNIGHT LLP AND JOHN ROGERS, BOOZ ALLEN HAMILTON A Practice Note discussing the

More information

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008 U.S. D EPARTMENT OF H OMELAND S ECURITY 7 Homeland Fiscal Year 2008 HOMELAND SECURITY GRANT PROGRAM ty Grant Program SUPPLEMENTAL RESOURCE: CYBER SECURITY GUIDANCE uidelines and Application Kit (October

More information

Summary of the State of Security

Summary of the State of Security Summary of the State of Security Tram Jewett, CISA CliftonLarsonAllen LLP Virginia GFOA Annual Spring Conference, 2016 1 1 Summary of the State of Security Tram Jewett, MS., CISA, 11 years IT audit and

More information

Re: Request for Comments on the Preliminary Cybersecurity Framework

Re: Request for Comments on the Preliminary Cybersecurity Framework Submitted Electronically Patrick Gallagher, Ph.D. Under Secretary of Commerce for Standards and Technology U.S. Department of Commerce 1401 Constitution Avenue, NW Washington, DC 20227 Re: Request for

More information

Please find attached the comments of ITI in the Broadband Opportunity Council Notice and Request for Comment.

Please find attached the comments of ITI in the Broadband Opportunity Council Notice and Request for Comment. From: To: Subject: Date: Attachments: Jesaitis, Vince BOCrfc2015 Broadband Opportunity Council Wednesday, June 10, 2015 4:11:49 PM NTIA_RUS_BBCouncil_10June2015.pdf Please find attached the comments of

More information