Cyber-Threats Will Outpace Any FCC Regulations, Lawmakers Tell Wheeler
Posted at 9:18 a.m. on June 17
Rogers at an Energy and Commerce hearing on the 2010 health care law’s website. (Tom Williams/CQ Roll Call)
Mike Rogers, R-Mich., chairman of the House Intelligence panel, and Mike Pompeo, R-Kan., aren’t exactly thrilled to see what they interpret as signals that the FCC is potentially looking to regulate cybersecurity.
The duo, who sit on both the House Intelligence and Energy and Commerce panels, wrote in a letter to FCC Chairman Tom Wheeler yesterday:
In a December appearance before the Subcommittee on Communications and Technology, you testified that you believed a collaborative, multi-stakeholder approach to cybersecurity was preferable to a regulatory approach. However, statements by you and senior Commission staff suggest otherwise, and lead us to be concerned that the Commission may be preparing to implement a new regulatory scheme that would significantly impact Internet service providers and other web services.
They go on to write:
While your most recent speech to the American Enterprise Institute appears to indicate that you will rely on industry and the market first, our concerns remain. We believe that prescriptive regulations are not necessary, a view that Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator shares, and even well-meaning regulation cannot keep pace with evolving cybersecurity threats.
The lawmakers were referring to a speech Wheeler gave last week, where he said: “We are therefore challenging private sector stakeholders to create a new regulatory paradigm for business-driven cybersecurity risk management.”
“We cannot hope to keep up if we adopt a proscriptive regulatory approach,” Wheeler said at the time. “We must harness the dynamism and innovation of competitive markets to fulfill our policy and develop solutions.”
While he said he was confident the new paradigm would work, “we must be ready” with “alternatives if it doesn’t.” He didn’t suggest any.
Rogers and Pompeo asked Wheeler a series of questions in their letter:
- Upon what basis have you concluded that companies subject to the FCC’s jurisdiction are not adequately protecting their networks from cyber attacks?
- What are the “other options” you are referring to when you state that you “will rely on industry and the market first while preserving other options if that approach is unsuccessful.”
- What would constitute a lack of success by the industry and the market that would trigger your pursuit of these “other options”?
- How would prescriptive regulations enhance cybersecurity and encourage companies to create innovative cybersecurity strategies?
- Do you believe the FCC has statutory authority to impose regulation related to cybersecurity practices? If so, what specific statutory provisions provide the FCC with such authority? Please explain.
The “other options” refer to this part of Wheeler’s statements (from his prepared remarks):
Now, let me pause right here. Before headline writers rush to interpret this as “FCC wants to regulate cyber,” we need to put these statements in the context of a broader philosophy we’ve been practicing at the FCC. We believe there is a new regulatory paradigm where the Commission relies on industry and the market first while preserving other options if that approach is unsuccessful.