At the end of July, the National Institute for Standards and Technology (“NIST”) released draft cybersecurity guidance for IoT device manufacturers. The document, titled Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers, is intended, according to NIST, to identify the cybersecurity features that IoT devices should have “to make them at least minimally securable by the individuals and organizations who acquire and use them.” The NIST document is not a rule or requirement for IoT devices, but rather is a continuation of NIST’s effort to foster the development and application of voluntary standards, guidelines, and related tools to improve the cybersecurity of connected devices.

NIST is seeking comment on the document through September 30 of this year and it held a workshop in August for interested parties to discuss the document. In a prior post, I blogged on takeaways from that workshop. Now, it’s time to take a closer look at the NIST document itself.

Connected devices already are making headway into business and consumer markets. “Smart” speakers, video doorbells, remote programmable thermostats and other devices are increasing in popularity in homes across the United States. Major automakers and startups are pursuing self-driving cars and the “passenger economy.” Businesses are using IoT capabilities to enhance preventive maintenance, to track assets through the production cycle and to gain insights into consumer behavior.

Now, the federal government is trying to provide resources for businesses engaged in the Internet of Things (“IoT”) economy. Building on guidelines it established for cybersecurity generally and IoT cybersecurity specifically, the National Institute for Standards and Technology (“NIST”), a division of the U.S. Department of Commerce, held a workshop for manufacturers on securing IoT devices. I attended the workshop and these are my principal takeaways from the meeting.

Last week, the FCC’s Public Safety and Homeland Security Bureau released a Public Notice (“Notice”) urging communications service providers to review and assess how they can incorporate the recommendations from the Communications Security, Reliability, and Interoperability Council (“CSRIC”) V, Working Group 10 March 2017 Report to abate Signaling System 7 (“SS7”) protocol security vulnerabilities (the “SS7 Report”).  SS7 is a communications protocol used within telephone networks to aid call setup, routing, billing and other functions between fixed and mobile service providers.

Kelley Drye is excited to support the next Presidio Forum on “Securing (and Regulating) the Internet of Things: Policy, Innovation & Investment,” in San Francisco on June 20, 2017.  The forum will present a candid discussion exploring today’s expanding IoT threat landscape, continued rise of regulatory interests and the increasing venture capital investment for IoT

In the days leading up to Tuesday’s State of the Union address, President Obama has been previewing his Administration’s communications and technology priorities for 2015, including calling for an end to state laws that restrict municipal broadband deployments and new steps to promote cybersecurity.

On October 28, 2014, the Federal Communications Commission (“FCC” or the “Commission”) announced that it had joined the Global Privacy Enforcement Network (“GPEN”), a network of privacy enforcement and regulatory bodies from around the world that engages in collaboration and coordination on cross-border privacy enforcement actions.

On October 24, the FCC, over the dissent of its two Republican commissioners, issued a Notice of Apparent Liability (NAL) proposing a fine of $10 million to Lifeline eligible telecommunications carriers (“ETCs”) TerraCom, Inc. and YourTel America, Inc. for violations of laws protecting “phone customers’ personal information.”

This is the agency’s first data security case and the largest privacy action in the Commission’s history.  See News Release.  Friday’s decision follows through on numerous public statements made by FCC Enforcement Bureau Chief Travis LeBlanc indicating that privacy and security are a high enforcement priority for the Commission and that the agency would begin to use a Communications Act provision barring unjust and unreasonable practices as a privacy and security enforcement tool.

According to the NAL, the Enforcement Bureau investigation found that both TerraCom and YourTel “collected names, addresses, Social Security numbers, driver’s licenses and other proprietary information” gathered through the Lifeline eligibility approval process “and stored them on unprotected Internet servers that anyone in the world could access with a search engine and basic manipulation.”  The NAL states that the TerraCom and YourTel violations exposed more than 300,000 customers’ personal information to unauthorized access as well as heightened risk of fraud and identity theft. 

The National Institute of Standards and Technology (NIST) released a Request for Information (RFI), “Experience with the Framework For Improving Critical Infrastructure Cybersecurity”, this week requesting industry feedback on the Cybersecurity Framework published in February 2014. Framework 1.0 was developed by NIST in response to the Obama Administration’s February 2013 Cybersecurity Executive Order aimed at improving cyber defenses for critical industries impacting U.S. national security. The Framework is a series of standards, methodologies, procedures, and processes developed to help organizations address cyber risks.

Since releasing the Framework, NIST has focused its efforts on raising awareness and educating public and private organizations on the importance of managing cyber risks. Now that the Framework has been publicly available for over 6 months, NIST is reaching out to the critical infrastructure community to find out whether organizations are choosing to voluntarily implement the Framework and track progress across the various industries.

Critical infrastructure industries, including communications, transportation, energy, and healthcare companies, are encouraged to weigh in on initial experiences in implementing the Framework, how it is being used, and the successes and challenges of using the Framework to develop cyber programs. While the RFI focuses heavily on responses from critical infrastructure owners and operators, Federal agencies, state, local and tribal governments, and other industry and consumer stakeholders are also invited to comment on any topic that may impact the awareness or voluntary use of the Framework.

Late last week, the FCC released a Public Notice requesting comment on existing best practices for Internet Service Providers (ISPs) to combat cybersecurity threats.  The inquiry is a follow up to the FCC’s New Cybersecurity Initiative focused on developing a voluntary, private-sector driven approach to cyber risk management.  Comments from this inquiry will support and inform the work of Communications, Security, Reliability and Interoperability Council IV (CSRIC IV) to create cybersecurity best practices that align with the National Institute of Standards and Technology (NIST) framework across the broader communications sector.

The inquiry is focused on what steps the industry has taken voluntarily to combat certain cyber threats.  However, the FCC acknowledged that the vulnerabilities addressed by these recommendations remain active threats and sought comment on how to address these concerns and create cyber assurances across the industry.  As Chairman Wheeler noted in his June 12 speech, the FCC is open to considering other options if a voluntary, market-driven approach fails to yield measurable, accountable results.

The Senate is one step closer to a floor vote on cybersecurity legislation that would address information sharing between the private sector and the government.  On July 8, the Senate Select Committee on Intelligence approved a contentious cybersecurity bill known as the Cyber Information Sharing Act (CISA).

The proposed legislation would remove legal barriers to allow private companies to share information regarding cyber-attacks “in real time” with other private companies and the government.  Companies sharing information for cybersecurity purposes would be shielded from lawsuits by individuals against the company for sharing that data, regardless of terms of service contracts that may prevent such actions without a customer’s consent.  In order to receive the liability protection, private entities would be required to submit information directly to the Department of Homeland Security, which could then share the information with other federal agencies as necessary to address the threat.  Additionally, CISA would direct the federal government to share classified and unclassified information with the private sector.

CISA also includes several provisions to protect privacy, such as requiring that companies sharing information remove all personally identifiable data (e.g. names, addresses, and Social Security numbers). The Attorney General would be directed to write procedures to limit government use of cyber information received to “appropriate cyber purposes” and ensure that privacy protections are in place. A full synopsis from the Senate Committee Chair and co-sponsor of CISA, Dianne Feinstein (D-CA), is available here.