By Chris Boyer, AT&T Assistant Vice President of Global Public Policy
Last week, the FCC’s Public Safety Bureau issued a white paper on “Cybersecurity Risk Reduction” that raised several issues around the role of Internet service providers (ISPs) in cybersecurity. While there are too many flaws in the paper to mention them all here, two themes are particularly problematic. First is the assumption that ISPs, like AT&T, don’t have the proper incentives to protect our network and customers from cyberattacks, and that there is some sort of unsubstantiated market failure that needs to be addressed. Second is the notion that the FCC is in a position to regulate this fast-changing area.
The Bureau makes bald assertions but doesn’t provide any evidence that there are a lack of incentives for carriers to protect their networks from cyberattacks. Instead it relies on already-debunked assumptions that there is inadequate competition in the broadband marketplace, and then leaps to the conclusion that ISPs therefore won’t invest in protecting their networks and customers from cyberattacks. This is not merely unsupported, it is absurd.
Cybersecurity is fundamental to what we do. AT&T’s security experts are analyzing the traffic on our network 24/7/365 to understand and identify emerging threats. We currently have eight global security operation centers and hold 179 security and privacy patents. AT&T has a fleet of cybersecurity experts, and we are actively training, and re-training, employees to increase this pool of experts.
With nearly 126 petabytes of data crossing our network every day, our security experts see more than 30 billion vulnerability scans and 400 million spam messages cross our global IP network every day. They also see five billion vulnerability scans and 200,000 malware events targeted specifically at our own network in any given day. And there has been a 3,198% increase in vulnerability scans of Internet of things (IoT) devices over the past three years. So, we’re well aware of the threats to our network and our customers, and are taking meaningful steps to counter these risks.
The Bureau’s paper further implies that not enough is being done in areas such as standards and best practices, security by design, national security and supply chain security. The industry, mind you, has been addressing these issues for decades. We have partnered with the federal government on national security issues dating back to the formulation of the National Communications System (NCS) in 1963 following the Cuban Missile Crisis, and the founding of the National Security Telecommunications Advisory Council (NSTAC) under President Reagan in 1982.
From our collaborative work with the Communications Sector Coordinating Council (CSCC), which works actively with the Department of Homeland Security (DHS) as part of the Critical Infrastructure Protection Advisory Council (CIPAC) process, to the Communications Information Sharing and Analysis Center (Comms-ISAC), to DHS’s National Cybersecurity and Communications Integration Center (NCCIC) and the FCC’s Communications Security Reliability and Interoperability Council (CSRIC), the ISP community is well engaged.
Indeed, ISPs are continually introducing new solutions to help tackle this enormous, industry-wide problem. FCC mandates, as the Bureau proposes, could not possibly keep up with the ever-changing face of cybersecurity threats and would only be counterproductive, stifling innovation and wasting resources complying with outdated and ineffective regulations.
The FCC is simply not designed to address the incredibly complex issues of cybersecurity, especially in an environment that is continuously changing and doesn’t fit nicely into traditional silos. In this regard, Chairman Pai had it exactly right when he observed that there are other agencies with more well-defined legal authority and more well established expertise on these issues. And Commissioner O’Rielly has also questioned the FCC’s authority in this space and pointed out that the Commission has not been included in any of the recent Congressional efforts in this area. Instead, the FCC should function in more of a consultative role to those agencies. This approach recognizes that the adoption of “one-size fits all” prescriptive rules on one segment of the industry is not the answer, and it certainly will do nothing to protect consumers and our nation’s communications infrastructure.