Before the FEDERAL COMMUNICATIONS COMMISSION WASHINGTON, D.C. 20554 ) ) ) ) ) COMMENTS OF THE TELECOMMUNICATIONS INDUSTRY ASSOCIATION



Similar documents
Before the FEDERAL COMMUNICATIONS COMMISSION WASHINGTON, D.C ) ) ) ) ) ) ) ) COMMENTS OF THE TELECOMMUNICATIONS INDUSTRY ASSOCIATION

Before the FEDERAL COMMUNICATIONS COMMISSION WASHINGTON, D.C ) ) ) ) ) ) ) COMMENTS OF THE TELECOMMUNICATIONS INDUSTRY ASSOCIATION

Before the FEDERAL COMMUNICATIONS COMMISSION WASHINGTON, D.C ) ) ) ) ) ) ) ) ) ) ) ) ) COMMENTS OF THE TELECOMMUNICATIONS INDUSTRY ASSOCIATION

Before the Federal Communications Commission Washington, DC ) ) ) ) ) REPLY COMMENTS OF THE TELECOMMUNICATIONS INDUSTRY ASSOCIATION

Before the FEDERAL COMMUNICATIONS COMMISSION Washington, DC ) ) ) ) ) ) ) ) ) ) ) COMMENTS OF THE TELECOMMUNICATIONS INDUSTRY ASSOCIATION

BEFORE THE UNITED STATES DEPARTMENT OF ENERGY

Before the FEDERAL COMMUNICATIONS COMMISSION Washington, D.C

Before the FEDERAL COMMUNICATIONS COMMISSION Washington, D.C

Docket No. DHS , Notice of Request for Public Comment Regarding Information Sharing and Analysis Organizations

Before the DEPARTMENT OF COMMERCE National Telecommunications and Information Administration Washington, DC ) ) ) ) )

Before the. First Responder Network Authority National Telecommunications and Information Administration Washington, DC ) ) ) ) )

Location Accuracy Requirements and the FCC

) ) ) ) COMMENTS OF THE TELECOMMUNICATIONS INDUSTRY ASSOCIATION. The Telecommunications Industry Association ( TIA ) 1 hereby submits its comments in

BEFORE THE FEDERAL COMMUNICATIONS COMMISSION WASHINGTON, D.C

Ex Parte Notice Request For Updated Information And Comment on Wireless Hearing Aid Compatibility Regulations, WT Docket Nos.

Before the FEDERAL COMMUNICATIONS COMMISSION Washington, D.C ) ) ) PS Docket No COMMENTS OF CTIA THE WIRELESS ASSOCIATION

TELECOMMUNICATIONS INDUSTRY ASSOCIATION

Before the FEDERAL COMMUNICATIONS COMMISSION Washington, DC In the Matter of ) ) Cyber Security Certification Program ) PS Docket No.

Securing the Network: Cybersecurity Recommendations for Critical Infrastructure and the Global Supply Chain Telecommunications Industry Association

Before the Federal Communications Commission Washington, D.C ) ) ) ) ) ) ) REPLY COMMENTS

Re: Invitation to Participate: Set-top Boxes and Network Equipment (12-AAER-2A)

Before the Federal Communications Commission Washington, D.C ) ) ) ) ) ) COMMENTS OF THE SATELLITE INDUSTRY ASSOCIATION

Submitted via September 12, 2013

Please find attached the comments of ITI in the Broadband Opportunity Council Notice and Request for Comment.

Before the FEDERAL COMMUNICATIONS COMMISSION Washington, D.C Comments of CTIA The Wireless Association

Before the Federal Communications Commission Washington, D.C.

Billing Code: 3510-EA

Before the FEDERAL COMMUNICATIONS COMMISSION Washington, D.C

Re: Request for Comments on the Preliminary Cybersecurity Framework

(IP) applications. Together with its three subcommittees and their working groups, the committee

The Dow Chemical Company. statement for the record. David E. Kepler. before

National Security & Homeland Security Councils Review of National Cyber Security Policy. Submission of the Business Software Alliance March 19, 2009

Before the FEDERAL COMMUNICATIONS COMMISSION Washington, D.C

RE: ITI Comments on Korea s Proposed Bill for the Development of Cloud Computing and Protection of Users

Before the Federal Communications Commission Washington, D.C

Statement of Edward Amoroso, Ph.D. Senior Vice President & Chief Security Officer AT&T. United States House of Representatives

November 03, Via Electronic Mail to

Submitted at:

RE: Comments on Vietnam s Draft Law on Information Security, version 2.22

WHITE PAPER APRIL Leading an Implementation Campaign to Address the Convergence of Healthcare Reform Initiatives

COMMENTS OF THE TELECOMMUNICATIONS INDUSTRY ASSOCIATION

CPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS

Inquiry into potential reforms of National Security Legislation. Cisco Systems Australia Pty Limited

Before the. FEDERAL COMMUNICATIONS COMMISSION Washington, D.C

Before the Federal Communications Commission Washington, D.C

Before the FEDERAL COMMUNICATIONS COMMISSION Washington, DC 20554

January 17, ITI Point of Contact:

DIGITALEUROPE and European Services Forum (ESF) response to the Draft Supervision Rules on Insurance Institutions Adopting Digitalised Operations

Before the Federal Communications Commission Washington, DC ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) )

Sempra Energy Utilities response Department of Commerce Inquiry on Cyber Security Incentives APR

Before the FEDERAL COMMUNICATIONS COMMISSION Washington, DC COMMENTS OF THE TELECOMMUNICATIONS INDUSTRY ASSOCIATION

January 24, Submitted via website:

The U.S. Department of Homeland Security s Response to Senator Franken s July 1, 2015 letter

Making Windows Secure by Design

Before the Federal Communications Commission Washington, D.C ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) REPLY COMMENTS OF CTIA THE WIRELESS ASSOCIATION

Changing Legal Landscape in Cybersecurity: Implications for Business

COMMENTS OF THE ELECTRONIC PRIVACY INFORMATION CENTER

How To Write A Reply To The High Tech Broadband Coalition'S Comments To The Fcc.Com Website

Priority III: A National Cyberspace Security Awareness and Training Program

Before the FEDERAL COMMUNICATIONS COMMISSION Washington, D.C ) ) ) ) COMMENTS OF COMCAST CORPORATION

Before the FEDERAL COMMUNICATIONS COMMISSION Washington, DC ) ) ) ) )

Re: Joint Working Group on Improving Cybersecurity and Resilience Through Acquisition [Notice- OMA ; Docket No ]

Before the FEDERAL COMMUNICATIONS COMMISSION Washington, DC In the Matter of ) ) RURAL CALL COMPLETION ) WC Docket No.

Before the FEDERAL COMMUNICATIONS COMMISSION Washington, DC 20554

Impact of Cybersecurity Innovations in Key Sectors (Technical Insights)

STATEMENT OF KAREN UTTERBACK, MSN, RN VICE PRESIDENT, MARKETING AND PRODUCT STRATEGY MCKESSON TECHNOLOGY SOLUTIONS

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

GLOBAL BUSINESS DIALOGUE ON ELECTRONIC COMMERCE CYBER SECURITY AND CYBER CRIME SEPTEMBER 26, CEO EDS Corporation

Cisco Cloud Enablement Services for Education

September 10, Dear Administrator Scott:

Before the FEDERAL COMMUNICATIONS COMMISSION Washington, D.C COMMENTS OF WTA ADVOCATES FOR RURAL BROADBAND

Managing the Unpredictable Human Element of Cybersecurity

FEDERAL COMMUNICATIONS COMMISSION WASHINGTON. February 4, 2015

ETNO Reflection Document in reply to the EC consultation on Future networks and the Internet early challenges regarding the Internet of things

SIEM is only as good as the data it consumes

Audit Report. Management of Naval Reactors' Cyber Security Program

Delving Into FCC's 'Damn Important' Cybersecurity Report

NSTAC Response to the National Strategy for Secure Online Transactions Partial Draft version 0.2

Before the FEDERAL COMMUNICATIONS COMMISSION Washington, D.C COMMENTS OF VONAGE HOLDINGS CORPORATION

Cyber Security and Privacy - Program 183

FCC Dives Headfirst Into Privacy

April 10, Ms. Melissa Hathaway Acting Senior Director for Cyberspace National Security and Homeland Security Councils. Dear Ms.

Charter of Consumer Rights in the Digital World

BEFORE THE FEDERAL COMMUNICATIONS COMMISSION WASHINGTON D.C

The SIEM Evaluator s Guide

Before the FEDERAL COMMUNICATIONS COMMISSION Washington, DC ) ) ) ) ) ) REPLY COMMENTS OF CTIA THE WIRELESS ASSOCIATION

Specific comments on Communication

How a Hybrid Cloud Strategy Can Empower Your IT Department

Senate Committee on Commerce, Science, and Transportation March 19, 2015, Hearing Examining the Evolving Cyber Insurance Marketplace

America s Broadband Connectivity Plan

Cybersecurity. Are you prepared?

Some Specific Parawise Suggestinons. 2. An application which collects and analyzes this data for further consolidation and,

The Comprehensive National Cybersecurity Initiative

Strategic Plan On-Demand Services April 2, 2015

Before the FEDERAL COMMUNICATIONS COMMISSION Washington, D.C

BEFORE THE FEDERAL COMMUNICATIONS COMMISSION WASHINGTON, D.C ) ) ) ) ) REPLY COMMENTS OF SOUTHERNLINC WIRELESS

Testimony of. Doug Johnson. New York Bankers Association. New York State Senate Joint Public Hearing:

Remarks by. Thomas J. Curry Comptroller of the Currency. Before a Meeting of CES Government. Washington, DC April 16, 2014

Transcription:

Before the FEDERAL COMMUNICATIONS COMMISSION WASHINGTON, D.C. 20554 In the Matter of Cyber Security Certification Program PS Docket No. 10-93 To: The Commission COMMENTS OF THE TELECOMMUNICATIONS INDUSTRY ASSOCIATION The Telecommunications Industry Association (TIA hereby submits comments to the Federal Communications Commission (Commission in the above-captioned proceeding. 1 TIA appreciates the opportunity to discuss the potential of creating a cyber security program within the Commission. TIA represents the global information and communications technology (ICT industry through standards development, advocacy, tradeshows, business opportunities, market intelligence and world-wide environmental regulatory analysis. With roots dating back to 1924, TIA enhances the business environment for broadband, mobile wireless, information technology, networks, cable, satellite and unified communications. 1 See In the Matter of Cyber Security Certification Program, Notice of Inquiry, PS Docket No. 10-93 (rel. Apr. 21, 2010 (Cyber Security NOI 1

Members products and services empower communications in every industry and market, including healthcare, education, security, public safety, transportation, government, the military, the environment and entertainment. TIA is accredited by the American National Standards Institute (ANSI. SUMMARY Cyber security is vital to our nation, and much work is already being done in the federal government to protect against cyber attacks. In order to assess the level of risk of cyber attacks, better data must be assimilated. Moreover, certification programs have not been widely embraced to secure critical infrastructure and key resources (CIKR by industry. However, there are several other incentives proffered that should increase cyber security efforts in the private sector. As the Commission considers its proposed certification program, it must assess likely impact upon global cyber security efforts. Finally, it should be noted that a cyber security program as proposed by the Commission could restrict entities from implementing flexible practices that respond to ever-changing cyber security needs. DISCUSSION I. MORE DATA IS NEEDED TO ASSESS THE THREAT OF CYBER ATTACK. The Commission has provided some data indicating that there are significant threats to cyber security in the United States. 2 Reported annual increases in malware reports are routine, and different data establishing cyber threats is difficult to correlate across data 2 See id. at 2-3 (noting increasing malware reports by PandaLabs, a commercial security enterprise. 2

sets. In fact, the Organisation of Economic Co-operation and Development (OECD has recently reported that the level of malware contained in emails is difficult to comprehend due to disparate measurement techniques. 3 Accordingly, the level of cyber security cannot be measured without a more comprehensive assessment that evaluates disparate data from public and private interests to establish the severity of cyber security threats. II. THE PROPOSED CERTIFICATION PROGRAM MAY NOT BE THE MOST EFFECTIVE PROTECTION AGAINST CYBER ATTACKS. a. Ongoing Certification Initiatives Have Proven to Discourage Participation Certifications, while valuable in many ways, are very difficult to establish for cyber security for several reasons. From a practical perspective, certifications can be time consuming and costly, and may delay important security related actions. An example can be gleaned from the Common Criteria for Information Technology Security Evaluation (CC efforts. CC is an international standard for evaluating security functionality within products that are either primarily focused on providing information assurance capabilities or are focused on providing a specific functionality type that relies upon certain information assurance capabilities. In addition, the CC standard requires review of the developer's configuration management procedures, delivery processes, and development security controls in place to adequately ensure the evaluated product is properly maintained and securely delivered to the end-user. The ICT industry is very committed to the CC and is working to improve its ability to drive assurance in security products. However, over the past ten years, the CC process has been slow and costly to 3 See The Organisation for Economic Co-operation and Development, Malware: A Security Threat to the Internet Economy 27 (2008, available at: http://www.oecd.org/dataoecd/53/34/40724457.pdf. 3

participating companies. These cost and time delays have proven to be a disincentive to participation by industry. In another initiative, as the Commission notes in its NOI, the Department of Homeland Security is working on protecting Americans from cyber attacks through public-private initiatives. 4 While this is a preliminary program, it should be noted that participation is low. We suggest that the Commission survey this effort to determine its effectiveness prior to implementing potentially overlapping programs. b. Other Incentives Provide Effective Solutions to Cyber Threats A robust study by the IT Sector Coordinating Council was done in 2008 on incentives for cyber security as part of Project 12 of the Comprehensive National Cyber Initiative (CNCI. 5 That effort explored the possibility of voluntary certification programs for cyber security practices. After significant debate and discussion, the report determined that many other incentives would drive more secure systems. The report noted that cyber security best practices differ based upon CIKR dynamics: no one perfect set of [cyber security] practices exists (due in part to the plethora of devices, applications, and versions of different technologies in use at any one time in a specific environment, and CIKR owners will be most successful in their endeavor to improve cyber security by assessing risk to their information systems and networks and seeking solutions that are commensurate with their unique risk profiles. 6 4 See Cyber Security NOI at 3. 5 See Incentives Recommendations Report, Comprehensive National Cyber security Initiative, Cross Sector Cyber Security Working Group Incentives Subgroup, (September 2009 (CNCI Incentives Subgroup Report. 6 Id. at 4. 4

Further, the report made clear that best practices must be adapted as technology and security needs change: already-identified effective practices need to be continually adapted to keep pace with the changing technological and security needs that are inherent parts of the cyber landscape. 7 Due to the identified disparate and ever-changing cyber security needs of entities, the CNCI Incentives Subgroup Report recommended several incentives for companies to maintain effective cyber security practices. Noticeably absent was a recommendation for a government-imposed certification program. First, the report stated a need to address Federal Government cyber security needs; there are opportunities to leverage the purchasing power of the Federal government to incentivize companies that do business with the government to adopt good cyber security practices or deploy best known/successful methods to protect the systems and networks they own from attack and/or compromise. 8 Further, the report stated that grants should be provided to accelerate adoption of cyber security standards and practices. 9 Moreover, the report noted that the Federal government should reduce, rather than increase, regulatory complexity for CIKR. 10 In addition, the report stated, there should be direct federal funding for cyber security research and development (R&D of new cyber security technologies and practices through one or more federally funded R&D centers or academic partnerships. 11 The report also made clear that the Federal government should 7 Id. at 5. 8 Id. at 7. 9 See id. at 7-8. 10 See id. at 8-9. 11 See id. at 9-10. 5

extend grants to companies developing and implementing cyber security technologies and practices. 12 As the CNCI Incentives Subgroup Report makes clear, the Federal government must provide incentives for cyber security enhancement among entities. The report lists noncertification steps that will most effectively accomplish this goal. These recommendations should be considered as primary steps that the federal government should take to ensure cyber security prior creating a certification program. c. The Proposed Certification Program Could Negatively Affect Global Cyber Security Efforts. Certification regimes such as that being discussed by the Commission tend to motivate other countries to also change existing requirements or create new security certification regimes. This can lead to overly expansive and intrusive security and certification requirements that are costly, risk exposure of technical information or intellectual property, create trade barriers, and do not improve security. Paradoxically, the expansion of multiple security certification schemes may ultimately weaken security by taking scarce resources away from actual security improvement. Global schemes offer a better and more efficient alternative to a potentially bifurcated system of multiple third party security assessment and certification schemes. A bifurcated system could create barriers to trade, hinder U.S. competitiveness, and 12 See id. at 10. 6

potentially compromise the intellectual property of vendors. It is important to note that certification schemes are inherently based on standards. Given the global nature of ICTs, these standards must be global in nature by definition. It is unclear what global standard will be considered for the proposed Commission program, but TIA urges the Commission to refrain from imposing country-specific standards or practices. Such action could again isolate U.S. cyber security efforts and create global reactions that could defeat the goal of ensuring superior cyber security protection. III. A CYBER SECURITY CERTIFICATION PROGRAM COULD STIFLE NEEDED FLEXIBILITY It is important to note that cyber security requirements vary from sector to sector and business to business. Thus, a one size fits all approach to cyber security certification is unlikely to result in more secure systems. Further, the cyber security space is rapidly changing, and certification schemes may not promote the flexibility necessary to address emerging and developing threats. However, if certification requirements are high-level enough to be acceptable by all parties and provide significant flexibility, they could result in the adoption of minimum requirements and best practices rather than the most robust, secure solutions and practices available. 7

IV. CONCLUSION. For the foregoing reasons, TIA urges to take into consideration its recommendation on the Commission s proposed cyber security certification program. Respectfully submitted, TELECOMMUNICATIONS INDUSTRY ASSOCIATION By: /s/ Danielle Coffey Vice President, Government Affairs Patrick Sullivan Director, Technical and Government Affairs TELECOMMUNICATIONS INDUSTRY ASSOCIATION 10 G Street N.E. Suite 550 Washington, D.C. 20002 (202 346-3240 July 12, 2010 8

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information