October 19, 2021
October 18, 2021
Federal Communications Commission
45 L Street, NE
Washington, DC 20554
Subject: Reply Comments Regarding Protecting Against National Security Threats to the Communications Supply Chain Through the Equipment Authorization Program (Docket No. 21-232)
Dear Secretary Dortch:
The U.S. Chamber of Commerce appreciates the opportunity to provide the Federal Communications Commission (the FCC or the Commission) feedback on the agency’s notice of inquiry (NOI) regarding ways to strengthen Internet of Things (IoT) cybersecurity.
The Chamber agrees with the Commission’s view that the development and implementation of effective cybersecurity practices require the “continued cooperation and participation of all stakeholders.” The Commission notes that “both the public and private sectors have come together to develop measures to protect the integrity of communications networks and guard against malicious or foreign intrusions that can compromise network services, steal proprietary information, and harm consumers.” The agency further notes that the National Institute of Standards and Technology (NIST) has worked with both industry and government to “produce multiple cybersecurity frameworks and other forms of guidance that help protect the integrity of communications networks.”
The Chamber is particularly pleased with the work that the business community and NIST have jointly undertaken to prioritize IoT cybersecurity and create workable approaches to enhancing IoT cybersecurity for both U.S. and international stakeholders. As the Commission examines the next steps concerning its NOI and notice of proposed rulemaking (NPRM), the Chamber urges the FCC to take our perspectives into account.
Substantial Progress Is Being Made Toward Strengthening IoT Cybersecurity
The Chamber has been an important leader in public-private efforts to enhance IoT cybersecurity. Notably, in February 2019, the Chamber and 23 other associations sent a letter to the White House urging the administration and Congress to back NIST’s partnership with industry to strengthen IoT cybersecurity. The letter called on policymakers to support NIST in convening a robust effort on IoT security and resilience. Such an initiative, the organizations argued, will help stakeholders identify a flexible, performance-based, and cost-effective approach that can be voluntarily used by producers, sellers, and users of IoT devices to help them manage cyber risk and threats. To date, this public-private effort is proceeding well and producing tangible results.
In addition, the Chamber testified before Congress on IoT cybersecurity; collaborated with NIST in crafting NIST interagency report 8259 (NISTIR 8259); and worked closely with Congress on the Internet of Things Cybersecurity Improvement Act of 2020 (the IoT Act), which sets cybersecurity requirements for federal devices that are connected to the internet.
The Chamber maintains that industry and NIST have taken significant steps to strengthen cybersecurity for all new IoT devices, and we urge the Commission not to disrupt such guidance and foundational practices, including through the FCC’s equipment authorization program. The Chamber strongly urges the FCC to track closely with public-private developments in IoT cybersecurity, as well as industry-driven initiatives, such as the C2 Consensus on IoT Device Security Baseline Capabilities (C2 Consensus) and CTIA’s cybersecurity certification program for IoT devices.
On September 20, 2021, eight leading communications and technology industry associations, led by the Consumer Technology Association (CTA), wrote to the FCC to explain that these initiatives have led to tangible, positive impacts on product development, enterprise and retail sales, and IoT deployments and should not be hindered by the creation of new cybersecurity mandates. The Chamber welcomes the March 2021 CTA-led white paper, Smart Policy to Secure our Smart Future: How to Promote a Secure Internet of Things for Consumers, which promotes public-private partnerships to develop and deploy risk-based approaches to cybersecurity rather than top-down regulation.
FCC Regulation of IoT Device Security Would Add to a Growing List of Government Requirements
The Chamber believes that the Commission should not use its equipment authorization regime to regulate the cybersecurity of internet-connected devices. We agree with the associations’ letter to the FCC, which raises questions about the Commission’s legal authority to regulate IoT device security. The organizations argue that “[t]here are significant doubts about the FCC’s legal authority to take the actions contemplated in the NOI. To date, the FCC has not played a role in reviewing devices for cybersecurity risks, and Congress did not look to the FCC when it considered and passed legislation to improve IoT cybersecurity.”
The associations go on to say that “FCC regulation of the security of connected devices would venture far beyond the role given to it by Congress in equipment authorization,” which has been focused on matters such as radiofrequency emissions and spectrum use. The associations add that while the Commission has identified the Secure Networks Act as “a potential source of authority for the limited actions proposed in the NPRM,” the Secure Networks Act does not enable the FCC to “engage in a wide-ranging inquiry into cybersecurity writ large.” Similarly, the Chamber believes that the FCC’s initial conclusion that regulating the security of IoT devices “is not specifically authorized by the Secure Networks Act itself” is correct.
If the Commission were to pursue regulating the cybersecurity of IoT devices, the FCC would add to the policy, legislative, and regulatory fragmentation that IoT device stakeholders already face in the U.S. and internationally. Instead of exacerbating the thicket of cybersecurity requirements, Commission leaders should work toward streamlining them.
The Solution: Congress Needs to Pass Preemptive, Protective IoT Cybersecurity Legislation
Fragmented approaches to IoT cybersecurity lead to duplicative and/or confusing security requirements, splinter organizations’ risk management budgets, and cause market distortions that weaken security for companies individually and collectively. The Chamber believes that the path forward is relatively straightforward but not easy. Congress must pass a federal, preemptive law that both addresses IoT cybersecurity and extends legal liability protections to industry. Such a law would have the virtues of giving policymakers, the business community, and consumers more of what they need. The Commission is seeking ways to increase the presence of trusted equipment on U.S. networks and information systems and spur innovation in more securable devices. Industry seeks these outcomes too. In addition, businesses need policymakers to better balance federal regulation with legal liability and related protections, consider the growing private sector costs of defending against nation states, and harmonize and promote U.S. policies at home and internationally.
A useful way to think about this model legislation is to summarize it in three P’s: program, protection, and preemption.
Program. The Chamber strives to work with lawmakers to strengthen the cybersecurity environment for governments, businesses, and consumers. We are especially interested in advancing innovative cybersecurity policies and laws that carefully balance regulatory compliance with industry-recognized standards and positive incentives to increase U.S. security and resilience commensurate with today’s threat levels.
Congress should write federal IoT cybersecurity legislation to motivate businesses to demonstrate their use of existing standards, guidelines, and frameworks to meet a regulation’s and/or a law’s requirements. In exchange, businesses would qualify for congressionally crafted protections and other inducements to invest in and meet heightened cybersecurity requirements. Where applicable, legislation should offer private parties a range of appropriate standards, guidelines, and/or frameworks to select from, facilitating choice and the buy-in of parties that may be subject to various regulatory requirements or expectations. Relatedly, programs should establish reciprocity requirements in order to harmonize laws, regulations, and other obligations. Congressionally created programs should be flexible—such as scalable to a business’ size and budget, and risk-based—thus targeting industry’s resources at legitimate threats and harms.
Protection. Businesses confront relentless, often state-sponsored, cyberattacks but frequently lack effective government protection. Cyberspace remains the only domain where private companies are expected to defend themselves against nation states and/or their proxies. The Chamber believes that this security gap justifies blending a mix of new cybersecurity requirements with regulatory and legal protections.
The Chamber believes that Congress should incentivize the behavior of industry members by granting robust legal liability protections. These safeguards would benefit organizations that take additional steps to elevate IoT cybersecurity. Depending on the nature of an IoT cybersecurity program, legal liability protections should range from an affirmative defense (sometimes referred to as a safe harbor) against lawsuits to more comprehensive protections against litigation generated by a cyberattack if a business is a builder, seller, or user of a government-driven certification and/or labeling program.
The Commission’s NOI specifically requests feedback on government certification and/or labeling of IoT devices. The timing of this questioning is helpful because it relates to a directive in the White House’s Executive Order (EO) Improving the Nation’s Cybersecurity. Section 4 of the EO calls on NIST to take into account existing consumer product labeling programs as it considers efforts to educate the public on the cybersecurity capabilities of IoT devices. NIST is also directed to examine ways to incentivize manufacturers and developers to participate in these programs. By early February 2022, NIST is required to identify IoT cybersecurity criteria for a consumer labeling program in coordination with the Federal Trade Commission and other agencies. While this review by NIST is underway, the Chamber contends that regulatory pursuits, including by the FCC, should not be undertaken.
The Chamber is concerned about government-driven certification and/or labeling programs related to cybersecurity, including their costs, absent some offsetting incentive structure. There is no public-private consensus that IoT device labeling is a silver bullet, even if labels empower consumers and other device users to make decisions based on security. NIST’s pilot programs and related work on IoT labeling must be given the opportunity to develop with substantial industry input without predetermined outcomes.
Yet if policymakers are confident that government-directed certification and/or labeling regimes would deliver the cybersecurity that these programs tend to presume, then certifications/labels should be confidently paired with legal liability protections for producers, sellers, and users of stronger IoT devices. Authorizing legal liability protections for industry would be the surest way to bolster the presence of trusted IoT equipment on U.S. networks and information systems.
Preemption. As new cybersecurity laws continue to be enacted domestically and internationally, businesses are forced to navigate a crowded patchwork of obligations. Adopting risk-based legislation while establishing clear and consistent federal guidelines would ensure that both regulators and regulated entities can direct scarce resources at significant cybersecurity risks. Congress should expressly preempt state IoT cybersecurity laws to provide national uniformity and align duplicative and often conflicting compliance burdens. Greater business certainty would drive investments in better cybersecurity risk management and adherence to laws and requirements.
The Chamber believes that stakeholders should increasingly direct their energies toward accomplishing two goals that will bolster the promotion of the baseline: fostering market demand for strong devices and pushing public officials at home and internationally to align their policies to the industry-driven IoT cybersecurity baseline.
Securable Devices Need to Be Built and Bought
The impressive work undertaken by NIST and the C2 Consensus may not be fully realized without a clear and growing demand for securable devices. Market demand is growing, but it needs to be cultivated. More securable IoT technologies need to be designed, built, and bought. To achieve this objective, the Chamber envisions a broad array of stakeholders promoting the production, purchase, and deployment of more secure IoT products across the U.S. and globally. Simply put, the Chamber wants device makers, service providers, and buyers to benefit from the business community leading the development of state-of-the-art IoT components and sound risk management practices to improve the security and resilience of the emerging IoT ecosystem.
U.S. and International Policies Need to Be Aligned to the Baseline
The Chamber supports efforts that spur commercial demand for strong devices by consumers, such as public and private enterprises and households. Policymakers at home and abroad need to align their IoT cybersecurity policies to the industry-led baseline. There is a robust consensus that IoT cybersecurity efforts will be most effective if they reflect global standards and innovative commercial practices, especially NISTIR 8259 and the C2 Consensus.
The Chamber welcomes the opportunity to provide the Commission comments on the NOI. If you have any questions or need more information, please do not hesitate to contact Christopher Roberti (firstname.lastname@example.org, 202-463-3100) or Matthew Eggers (email@example.com, 202-463-5619).
Christopher D. Roberti
Senior Vice President, Cyber, Intelligence, and Supply Chain Security Policy
Vice President, Cybersecurity Policy