FCC Holds Off on Security Mandates for Internet of Things

Coverage Type: 

Don’t expect the Federal Communications Commission to rush into issuing network security rules anytime soon, even in the face of a congressional inquiry seeking the agency’s response to the massive Oct 21 distributed-denial-of-service attack. At issue is whether the FCC’s Open Internet rules restrict internet service providers’ ability to block insecure Internet of Things (IoT) devices from their networks and whether the commission should mandate greater safeguards. But the commissioners generally believe the Open Internet order already gives ISPs sufficient leeway to protect their networks from vulnerable internet-connected devices without additional regulations or standards. And, according to FCC officials, there isn’t much of an appetite to issue any new mandates now.

There are also questions as to whether cybersecurity is even in the commission’s purview. Sen Mark Warner (D-VA) sent a letter to FCC Chairman Tom Wheeler on Oct. 25, several days after a hijacked network of IoT devices took large swaths of the United States internet offline. Sen Warner asked detailed questions about the commission’s role in empowering both ISPs and consumers with the means to prevent similar attacks in the future. The senator suggested that the Open Internet rule — adopted in 2015 during the debate on net neutrality — might actually limit the ability of ISPs to block insecure IoT devices from their networks. That could make it difficult to prevent future attacks stemming from those devices. Chairman Wheeler called Sen Warner’s letter “thoughtful” and promised a response. He also disputed the notion that the rules limit security practices of ISPs. “The Open Internet order allows for reasonable network management, which clearly gives leeway to be able to deal with issues like this,” Wheeler said at the FCC’s open meeting on Oct. 27. There is clear language in the rules for ISPs to deny access to networks or devices that could put their security at risk, according to one FCC official, who added that they were “designed for flexibility, particularly when it comes to network security.” The rules allow broadband providers to implement network management practices for the purpose of “ensuring network security and integrity, including by addressing traffic that is harmful to the network,” according to the Open Internet order.


FCC Holds Off on Security Mandates for Internet of Things