FCC Chairwoman Jessica Rosenworcel has proposed that communications service providers be required to submit an annual certification attesting that the organization has a plan in place to defend against cyberattacks. The proposal comes partly in response to reports that Chinese hackers accessed the text and call data of Americans by compromising telecommunications organizations.
Below, security leaders share their insights on this proposal.
Security leaders weigh in
Jason Soroko, Senior Fellow at Sectigo:
The FCC’s proposed annual cybersecurity certification for telecoms addresses vulnerabilities, but smaller providers may struggle with costs without federal support. The proposal is likely to pass given bipartisan urgency; however, its impact depends on addressing compliance costs and enforcement. If properly defined and audited, it could improve security; otherwise, it risks becoming a symbolic measure.
Heath Renfrow, CISO and Co-Founder at Fenix24:
While the framework is solid conceptually, its success will hinge on effective implementation, government-industry collaboration, and periodic updates to address emerging threats. I do not believe this will be successful if made into a regulatory requirement. You can see other regulatory requirements that become compliance-based, check-the-box-type audits. For example: Do you have a firewall? Do you use MFA? Do you have backups? Do you use a modern EDR solution? It becomes nothing more than yes-and-no questions, and true foundational cybersecurity and IT controls are not, and frankly cannot be, evaluated from an outside audit. The skill set is not there, and companies are not just going to let you poke around in their production systems.
Trey Ford, Chief Information Security Officer at Bugcrowd:
Accountability drives action, and sunlight is the best disinfectant. The FCC is creating a forcing function to prioritize risk management and cybersecurity, which will also drive modernization in a lot of useful ways. The FCC will appreciate the challenges that corporate directors and the SEC have been wrestling with — how to inventory, score, and treat cyber risks — and the challenges in communicating what needs to be done, when, and how.
The highest calling in cybersecurity is creating safety around uncomfortable conversations — acknowledging and managing vulnerabilities. Obviously, telecoms have a massive amount of infrastructure to maintain, and security hygiene requires a body of investment and maintenance to stay current. The FCC’s desire for oversight also underscores the importance of the work at CISA, especially their Secure by Design pledge.