This post was also written by Chris Cwalina and Amy Mushahwar.
Securing information technology infrastructure has become a prominent focus of the Obama administration and the subject of several bills percolating on Capitol Hill. In step with these efforts, on Monday, August 9, 2010, the Federal Communications Commission (“FCC”) requested public comment on its proposal to expand its role in protecting private networks from cybersecurity attacks through creation of a cybersecurity roadmap.
The concept of establishing a cybersecurity roadmap was initially laid out in the National Broadband Plan, which the FCC presented to Congress in March of this year. The proposed roadmap would identify the five most critical cybersecurity threats to the communications infrastructure and to end users. It would also establish a two-year plan (with milestones) for the FCC to address these threats.
By means of this roadmap, the FCC would like to demonstrate leadership and provide a clear vision on cybersecurity priorities. Presently, various parts of the federal government — from the Justice Department to the Defense Department — share responsibility for thwarting private cyberattacks. The Government Accountability Office (“GAO”) has intimated that the present structure of federal cybersecurity coordination leaves much to be desired. In a recent report, the GAO stated, “[f]ederal agencies have not demonstrated an ability to coordinate their activities and project clear policies on a consistent basis[.]”
The FCC is using its Section 706 deployment authority as a basis for acting to fill the perceived leadership void, stating that if cyberattacks create a lack of consumer confidence on the Internet, there may be a decreased demand for broadband services. The FCC’s concern is buttressed by the fact that online hackers are showing increasing sophistication. For example, in Malware (a program containing sequences of steps to carry out attacks) alone, there have been three generations of common hacks, each upping the ante in terms of network damages.
- Generation 1: consisted of viruses that were spread across the network through e-mail and file sharing methods that required human “touch” to trigger replication (examples of this generation include LoveLetter, Fizzer, and Melissa).
- Generation 2: consisted of worms that exploited operating systems or application vulnerabilities using an automated script (an example of this generation includes the now infamous Anna Kournikova virus).
- Generation 3: has been the most detrimental to networks and has consisted of a combination of elements (for example, viruses, Trojan horses, and automation) to uniquely exploit networks (examples of this generation include Blaster, SQL Slammer, Slapper, Sasser, and Witty worms).
Comments are encouraged from all relevant stakeholders (applications developers, ISPs, e-commerce site owners, device manufacturers). Because this is a newer foray of the FCC, comments are encouraged even by those who are not usual suspects before the Commission. Those companies interested in this proceeding should act quickly as comments are due to the FCC on September 23, 2010.