FCC Threatens to Invoke Mandatory Cybersecurity Testing

FCC issues a white paper warning the commercial IoT industry that it had better address cybersecurity risks with testing, authentication safeguards and best practices or manufacturers will face extreme government interaction… and soon!

Does everyone remember why the Department of Homeland Security exists? Among other things, that massive government agency was created because the private commercial airline industry was lackadaisical in addressing the terrorist threat in airports. September 11, 2001 was the result.

Well guess what? In one of the last FCC rulings under the Obama Administration, the FCC has issued a stern warning to private industry involved in the Internet of Things (IoT), saying basically, “Clean up your act or we will be forced to step in.”

The warning notes that the government will force commercial companies to institute protective procedures if action is not taken.

The FCC's Cybersecurity Risk Reduction White Paper, which was issued on January 18, 2017, expresses serious concerns about the “burgeoning and insecure IoT market [that] exacerbates cybersecurity investment shortfalls [because] the private sector may not have sufficient incentives to invest in cybersecurity beyond their own corporate interests.” 

Noting that insecure wireless devices have shut down service to millions of users by attacking critical control utilities that are not FCC-regulated, the FCC is advocating “cyber accountability” — a combination of market-based incentives and regulatory oversight — to reduce cyber risk in the communications sector.

Security by Design

Certainly, the FCC is most worried about communications carriers, primarily Internet service providers. But the IoT world, namely device manufacturers and vendors, would bear a large portion of the responsibility.

The FCC proposes that IoT equipment suppliers should implement “security by design” practices to build cybersecurity into their products before marketing them. As defined by the FCC, security by design is “a practice of continuous testing, authentication safeguards, and adherence to best [cybersecurity] practices.”

The FCC hints that regulatory oversight of this process will likely be required, in part because the “large and diverse numbers of IoT vendors — who are driven by competition to keep prices low — hinders coordinated efforts to build security by design into the IoT on a voluntary basis.”

Accordingly, the FCC states that, among other things, changes to its equipment certification rules may be necessary to protect networks from IoT device security risks.

The last sentence of the report says it all: “The Commission’s preference is to work collaboratively with industry using private/public partnerships. However, if market forces do not result in a tolerable risk outcome, the Commission has tools available to make adjustments to restore the balance.”

This warning is like a pre-9/11 document about Osama bin Laden. It should not be ignored, especially if it means there is a potential “9/11-like” cyber attack coming. The Consumer Technology Association (CTA) and other associations should immediately be engaged with the vendor community on this looming regulatory issue. 


About the Author

Jason Knott

Jason Knott is Chief Content Officer for Emerald's Connected Brands. Jason has covered low-voltage electronics as an editor since 1990, serving as editor and publisher of Security Sales & Integration. He joined CE Pro in 2000 and serves as Editor-in-Chief of that brand. He served as chairman of the Security Industry Association’s Education Committee from 2000-2004 and sat on the board of that association from 1998-2002. He is also a former board member of the Alarm Industry Research and Educational Foundation. He has been a member of the CEDIA Business Working Group since 2010. Jason graduated from the University of Southern California.