Wednesday was a busy day at the [U.S.] Federal Communications Commission, with National Broadband Plan-related notices on the CableCard, Universal Service Fund, and roaming access issues out the door. Another interesting item was a Notice of Inquiry on whether the agency should launch a voluntary cybersecurity certification program.
In a nutshell, the proposed program's private sector auditors or the FCC would periodically run security evaluations of various telecommunications services. Companies that passed the program's muster could then market their networks as FCC cybersecurity compliant.
It's not hard to make a pitch for these kinds of programs, given all the cybersecurity horror stories. The agency's Notice outlines what's at stake:
"In today's interconnected world, an increasingly greater amount of the nation's daily business depends on our rapidly growing broadband communications infrastructure. Banking, investment and commercial interests routinely rely on the durability and security of IP-based networks to move capital and to track goods and services around the globe. To put this development in perspective, while our nation's total GDP was just over $14T last year, two banks in New York move over $7T per day in transactions. . . ."
But the open-ended questions that the FCC asks in its inquiry suggest that the Commission knows that the case for this kind of project isn't open and shut. Would the program "create a significant incentive for providers to increase the security of their systems and improve their cybersecurity practices?" the NOI asks. And it also wonders if "public knowledge of providers' cybersecurity practices would contribute to broader implementation by industry."
Another question the FCC might want to ask is, should individual government agencies coordinate this kind of activity, or should a broader cross-industry certification program be established? The probe comes in tandem with an inquiry on the survivability of the nation's broadband networks.