FCC Seeks Comment on Cybersecurity Best Practices for ISPs

Late last week, the FCC released a Public Notice requesting comment on existing best practices for Internet Service Providers (ISPs) to combat cybersecurity threats. The inquiry is a follow up to the FCC’s New Cybersecurity Initiative focused on developing a voluntary, private-sector driven approach to cyber risk management. Comments from this inquiry will support and inform the work of Communications, Security, Reliability and Interoperability Council IV (CSRIC IV) to create cybersecurity best practices that align with the National Institute of Standards and Technology (NIST) framework across the broader communications sector.

The inquiry is focused on what steps the industry has taken voluntarily to combat certain cyber threats. However, the FCC acknowledged that the vulnerabilities addressed by these recommendations remain active threats and sought comment on how to address these concerns and create cyber assurances across the industry. As Chairman Wheeler noted in his June 12 speech, the FCC is open to considering other options if a voluntary, market-driven approach fails to yield measurable, accountable results. The existing best practices were adopted March 2012 by the FCC’s CSRIC III, predecessor of CSRIC IV, to address critical cybersecurity threats, specifically botnets, attacks on the Domain Name Systems (DNS) and Internet route hijacking. CSRIC III also recommended that ISPs implement source-address filtering to prevent attackers from spoofing IP addresses to launch distributed denial of service (DDoS) attacks. In connection with the adoption of the best practices in 2012, several of the largest ISPs participating in CSRIC III committed to voluntarily implementing the recommendations.

Two and a half years later, the FCC’s Public Safety and Homeland Security Bureau is looking to the Internet community, ISPs, consumer organizations and the broader public community for feedback on implementation of the best practices and their overall effectiveness. Stakeholders are encouraged to weigh in on the progress of and any barriers to implementation, discuss any success stories or breakthroughs, evaluate how effective the current recommendations are at mitigating cyber risk, and identify any new alternatives or technologies that could be more effective going forward.

Comments must be submitted to the FCC’s Public Safety and Homeland Security Bureau by September 26, 2014.