[Infowarrior] - Infosec parts of FCC Broadband Plan

[Richard Forno]

(c/o AF)

360 pages on broadband, probably the most important govt document
about shaping infrastructure investment in a while, and less than 3 pages on
security. Of their 4 sources on the actual problem, two of them refer
to a controversial Mike McConnell oped in the Post. On one hand, I'm glad
the FCC is not trying to do something important badly, but on the other
hand, I don't understand why they are not trying to stake out a bigger
chunk of this.

< - >

From FCC's "Connecting America: The National Broadband Plan", March 2010

16.2 Promoting Cybersecurity and Protecting Critical Infrastructure

Improving Cybersecurity
Communications providers have experienced frequent attacks on critical Internet infrastructure. A variety of state and non-state entities has demonstrated the ability to steal, alter or destroy data and to manipulate or control systems designed to ensure the functioning of portions of our critical infrastructure. Additional safeguards may be necessary to protect our nation’s commercial communications infrastructure from cyberattack. Such safeguards could promote confidence in the safety and reliability of broadband communications and spur adoption.

Recommendation 16.5: the FCC should issue a cybersecurity roadmap.

Admiral Mike McConnell, former Director of National Intelligence, said recently that “the United States is fighting a cyber-war today, and we are losing.”[29] He noted that “to the extent that the sprawling U.S. economy inhabits a common physical space, it is in our communications networks.”[30] The country needs a clear strategy for securing the vital communications networks upon which critical infrastructure and public safety communications rely. Within 180 days of the release of this plan, the FCC should issue, in coordination with the Executive Branch, a roadmap to address cybersecurity. The FCC roadmap should identify the five most critical cybersecurity threats to the communications infrastructure and its end users. The roadmap should establish a two-year plan, including milestones, for the FCC to address these threats.

Recommendation 16.6: the FCC should expand its outage reporting requirements to broadband service providers.

Today the FCC currently does not regularly collect outage information when broadband service providers experience network outages. This lack of data limits our understanding of network operations and of how to prevent future outages. The FCC should initiate a proceeding to extend FCC Part 4 outage reporting rules to broadband Internet service providers (ISPs) and interconnected VoIP providers. Such reports will allow the FCC, other federal agencies and, as appropriate, service providers to analyze information on outages affecting IP-based networks. The information also will help prevent future out- ages and ensure a better response to actual outages.
The timely and disciplined reporting of network outages will help protect broadband communications networks from cyberattacks, by improving the FCC’s understanding of the causes and how to recover. This will help improve cybersecurity and promote confidence in the safety and reliability of broad- band communications.[31]

Recommendation 16.7: the FCC should create a voluntary cybersecurity certification program.

Many Internet users apparently do not consider cybersecurity a priority. Nearly half of all businesses in the 2009 Global State of Information Security Study reported that they are cutting budgets for information security initiatives. A 2008 Data Breach Investigations Report concluded that 87% of cyber breaches could have been avoided if reasonable security controls had been in place.[32] The FCC should explore how to encourage voluntary efforts to improve cybersecurity.

The FCC should begin a proceeding to establish a voluntary cybersecurity certification system that creates market incentives for communications service providers to upgrade their network cybersecurity. The FCC should examine additional voluntary incentives that could improve cybersecurity as and improve education about cybersecurity issues, and including international aspects of the issues. A voluntary cybersecurity certification program could promote more vigilant network security among market participants, increase the security of the nation’s communications infrastructure and offer end- users more complete information about their providers’ cybersecurity practices. In this proceeding, the FCC should consider all measures that will promote confidence in the safety and reliability of broadband communications. [33]

Recommendation 16.8: the FCC and the department of Homeland security (DHS) should create a cybersecurity information reporting system (cirs).

The FCC, other government partners and ISPs lack “situational awareness” to allow them to respond in a coordinated, decisive fashion to cyber attacks on communications infra- structure. The FCC and DHS’s Office of Cybersecurity and Communications together should develop an IP network CIRS to accompany the existing Disaster Information Reporting System. CIRS will be an invaluable tool for monitoring cyber- security and providing decisive responses to cyberattacks.
CIRS should be designed to disseminate information rapidly to participating providers during major cyber events. CIRS should be crafted as a real-time voluntary monitoring system for cyber events affecting the communications infrastructure. The FCC should act as a trusted facilitator to ensure any sharing is reciprocated and that the system is structured so ISP proprietary information remains confidential.

Recommendation 16.9: the FCC should expand its international participation and outreach.

The FCC should increase its participation in domestic and international fora addressing international cybersecurity activities and issues. It should also engage in dialogues and partnerships with regulatory authorities addressing cybersecurity matters in other countries. This should include outreach to foreign communications regulators and international organizations about elements of the National Broadband Plan (see Chapter 4 which discusses international outreach). The FCC should also continue to review other nations’ and organizations’ cybersecurity activities so it is better aware of those activities as they relate to U.S. domestic policies. And it should continue to participate in domestic initiatives that relate to cybersecurity activities in the international arena.
Critical infrastructure Survivability

Recommendation 16.10: the FCC should explore network resilience and preparedness.

Simultaneous failure of or damage to several IP network facilities or routers could halt traffic between major metropolitan areas or between national security and public safety offices. Because many companies colocate equipment, damage to certain buildings could affect a large amount of broadband traffic, including NG 911 communications. The FCC should begin an inquiry into the resilience of broadband networks under a set of physical failures—either malicious or non-malicious—and under severe overload. This will allow the FCC to assess the ability of next-generation public safety communications systems to withstand direct attacks and to determine if any actions should be taken in this regard.

This proceeding should also examine commercial networks’ preparedness to withstand overloads that may occur during extraordinary events such as bioterrorism attacks or pandemics. DHS has developed pandemic preparedness best practices for network service providers, but adherence to these voluntary standards is not tracked. For example, a surge in residential broadband network use during a pandemic or other disaster could hinder network performance for critical users and applications by hindering the flow of time-sensitive medical and public health information over public networks. This proceeding will give the FCC insight into pandemic prepared- ness in commercial broadband networks. In addition, it will yield important information about the susceptibility of such networks to severe overloads and how network congestion on residential-access networks—particularly in the “last mile”— may undermine public safety communications and 911 access during a pandemic or other large-scale event. [34]

Recommendation 16.11: the FCC and the national communications system (ncs) should create priority network access and routing for broadband communications.

Broadband users in the public safety community have no system of priority access and routing on broadband networks. Such a system is critical to protect time-sensitive, safety-of- life information from loss or delay due to network congestion. While technical work is under way to allow the creation of such a system, no corresponding set of FCC rules exists to sup- port it. The FCC and the National Communications System (NCS) should leverage their experience with the Government Emergency Telecommunications Service (GETS) and the WPS to jointly develop a system of priority network access and traffic routing for national security/emergency preparedness (NS/EP) users on broadband communications networks. The Executive Branch should consider clarifying a structure for agency implementation and delineating responsibilities and key milestones; the order should be consistent with national policies already in existing presidential documents. The FCC and NCS should jointly manage this program.

Recommendation 16.12: the FCC should explore standards for broadband communications reliability and resiliency.

For years, communications networks were designed and deployed to achieve “carrier-class” reliability. As the communications infrastructure migrates from older technologies to broadband technology, critical communications services will be carried over a communications network that may or may not be built to these high standards. The potential decline in service reliability is a concern for critical sectors, such as energy and public safety, and for consumers in general. The FCC should begin an inquiry proceeding to gain a better understanding of the reliability and resiliency standards being applied to broadband networks. The proceeding should examine the standards and practices applied to broadband infrastructure at all layers, from applications to facilities. Its objective should be to determine what action, if any, the FCC should take to bolster reliability of broadband infrastructure.


29	See Mike McConnell, Op.-Ed., Mike McConnell on How to Win the Cyber-War We’re Losing, Wash. pOst, Feb. 28, 2010, http://www.washingtonpost.com/wp-dyn/	41 content/article/2010/02/25/AR2010022502493.html. (McConnell, How to Win the Cyber-War).
30	McConnell, How to Win the Cyber-War.	42 31	Steven Chabinsky, Deputy Ass’t Director-Cyber
Division, Fed. Bureau of Investigation (FBI), Testimony before the U.S. Senate Judiciary Committee,	43 Subcommittee on Terrorism and Homeland Security (Nov. 17, 2009). The FBI considers the cyber threat	44 against the nation to be “one of the greatest concerns of the 21st century.” Id.	45
32	verizOn business, 2008 data breach investiGatiOns repOrt 2–3 (2008), available at http://www.	46 verizonbusiness.com/resources/security/ databreachreport.pdf.
33	The Commission will have to allocate funding to obtain a vendor to develop audit criteria and to accredit third- party certification bodies. Congress should consider public funding for the FCC in its next budget and on an ongoing basis as required.
34	In fact, estimates of residential-access network capacity suggest that current networks can carry between 1/100 and 1/10 of their advertised per-user capacity. See also AT&T Comments in re National Broadband Plan NOI, filed June 8, 2009, at 67–69; Telcordia Comments in re National Broadband Plan NOI, filed June 8, 2009, at 19.