The likely regulators? An analysis of FCC jurisdiction over cybersecurity.

Author: Sherling, Mike

Table of Contents

I. Introduction
II. Background
  A. Network Security Standards and Cyber-attacks
  B. The FCC's Historical Role in Cybersecurity
  C. The FCC's Jurisdiction over the Internet
  D. The FCC's Ancillary Authority
  E. The FCC's Authority in the Context of Rapid Technological Change
III. The FCC's Ancillary Authority to Promulgate Cybersecurity Standards
  A. Broadband Internet Service as Within the FCC's General Jurisdictional Grant
  B. Mandatory Cybersecurity Standards for ISPs as Reasonably Ancillary to the FCC's Statutory Responsibilities
IV. The Decision to Regulate Cybersecurity of Internet Service Providers
  A. Deciding When to Regulate
    1. Appropriate Considerations for Deciding When to Regulate
    2. The Decision to Regulate Cybersecurity to Ensure Network Reliability
  B. Cost-Benefit Analysis and Cost-Effectiveness Analysis
    1. Principles of Cost-Benefit Analysis and Cost Effectiveness Analysis
    2. Application to Cybersecurity Standards
V. Conclusion

I. Introduction

In October 2012, former Secretary of Defense Leon Panetta warned the nation of the potential for a "cyber Pearl Harbor" that would cause physical destruction and the loss of life. (1) "In fact, it would paralyze and shock the nation and create a new, profound sense of vulnerability," he stated gravely. (2) The attack could "be as destructive as the terrorist attack on 9/11." (3) While the Secretary's statements were arguably hyperbolic, (4) ineffective cybersecurity in the United States is a pressing problem, jeopardizing both national security and individual online safety. (5) Recent events clearly illustrate that cyber-attacks have become almost a daily part of life. Skilled attackers can use computer and network vulnerabilities to do everything from commit bank fraud to disrupt uranium enrichment. (6)

Part of the reason for this vulnerability to cyber-attacks is the lack of uniform implementation of existing, authoritative network security standards for Internet service providers ("ISPs"), (7) a problem that persists because ISPs are under no obligation to implement these standards. (8) Together, these factors have created a market that often fails to provide adequate cybersecurity. (9)

When a market fails to provide a necessary service, such as the guaranteed integrity of the communications network, the government can step in to fill the gap. This Note argues that the Federal Communications Commission ("FCC") has the authority to require ISPs to implement network level cybersecurity measures to maintain the integrity and security of the networks. The FCC derives this power from its ancillary authority in Title I of the Communications Act of 1934 and its statutory mandates to ensure a reliable communications network and implement 9-1-1 service over VoIP. (10)

To establish the FCC's authority in this area, this Note examines some of the causes of and partial solutions to cyber-attacks in relation to FCC authority. Part II gives background on network security and cyberattacks, and details the FCC's ancillary authority, which allows the FCC to promulgate regulations concerning technology over which it does not have a direct statutory mandate. Part III analyzes the FCC's ability to use its ancillary authority to require ISPs to implement cybersecurity standards, concluding that the FCC has jurisdiction to implement minimum standards because insufficient cybersecurity could catastrophically impact services the FCC oversees. Part IV considers whether the FCC should exercise its ancillary authority, determining that the market failure in cybersecurity vulnerability information and network reliability, together with the compelling need for a reliable communications system, justifies government regulation. The Note concludes with a brief discussion of the costs and benefits of potential regulation.

  II. Background

    The near consensus is that the current state of cybersecurity is abysmal. (11) For example, the computer security firm McAfee has over 100 million samples of malware in its database. (12) The National Vulnerability Database contains over 50,000 software vulnerabilities that malicious actors can exploit; (13) myriad industries experience cyber-attacks daily. (14) The magnitude of the problem is staggering.

    With threats coming from all over the world, this is both a national and international problem. (15) In 2005, American corporations lost an estimated $867 million due to cyber-attacks, cyber theft, and other computer security incidents. (16) Recent high-profile events include attacks against the security firm RSA, (17) Google, (18) the financial sector, (19) oil companies, (20) and several others. (21) Moreover, it is more than just corporate networks that are under attack; cyber-attacks also compromise the basic computer infrastructure of the Internet.

    A. Network Security Standards and Cyber-attacks

      Uniform implementation of industry-developed network security standards by ISPs could significantly reduce overall vulnerability to cyber-attacks. For example, one of the foundational elements of the Internet, the Domain Name System ("DNS"), has well-known flaws. (22) The DNS is a set of computers that translates user-friendly text, such as website addresses, into the string of numbers (Internet Protocol, or IP, addresses) (23) that computers use to communicate on the Internet. (24) In the Internet's nascent days, the engineers who created the Internet chose a standard that did not emphasize security, instead focusing on ease of integration and interoperability. (25) As a result, the DNS is vulnerable to attacks by malicious actors who can hijack and reroute Internet traffic from the intended website to their own server. (26) In a case involving bank fraud, for example, when a person tries to access an online banking website, her computer connects to a DNS server on the Internet and receives the IP address of the bank website. (27) However, if a cyber-attacker provides the DNS server with the wrong IP address, the server would direct her browser to a malicious website that can capture bank login information. (28)

      In the mid-1990s, as the vulnerabilities of DNS became apparent, the development of a more secure system--known as Domain Name System Security Extensions ("DNSSEC")--began in earnest. DNSSEC was finalized in 2005, and by 2010, major Internet authorities, such as the Internet Corporation for Assigned Names and Numbers ("ICANN") and VeriSign, had upgraded to DNSSEC. (29) In domain name resolution, distinct roles are performed by root servers, ISP DNS servers, and Internet domains. A critical mass of all three types of operators is necessary for DNSSEC to function as intended. So far, only the root servers, some ISPs, and government servers have implemented DNSSEC, as there is no requirement to adopt it. (30) As of 2013, only Comcast has deployed DNSSEC in its subsidiary DNS servers, (31) and a paltry two percent of non-government domains run DNSSEC in the United States, reflecting the lack of incentive to do so. (32)

      Another security standard that, if uniformly implemented, would strengthen the resiliency of the Internet is the Secure Border Gateway Protocol ("BGP"). (33) The insecure nature of the current BGP standard creates opportunities for malicious action: a single BGP router can be misconfigured to send out false information so as to capture or reroute private traffic as it travels over the Internet to a targeted server or group of IP addresses. (34) Other BGP routers will utilize that information to send traffic to the erroneous address. (35) The world saw this firsthand when Pakistan famously "took down YouTube" by configuring its BGP router to broadcast that it had the YouTube IP addresses within its network. (36) That information spread to other BGP routers, which started sending traffic intended for YouTube to Pakistan's servers. (37) Internet operators can remedy this misinformation relatively quickly; for example, in this case, network operators isolated Pakistan and fixed the routing tables within two hours. (38) A standard that cryptographically secures the designated path so malicious routers cannot alter the path of specific traffic within the packet could prevent this from happening again in the future. (39)
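An added illustration (not from the Note) of why a false BGP announcement attracts traffic and of one router-side check against it. It models route origin validation, which checks who may announce a prefix, rather than the path-securing standard the text refers to; the prefixes and AS numbers are constructed documentation values.

```python
import ipaddress
from typing import NamedTuple

class Route(NamedTuple):          # one BGP announcement, reduced to what matters here
    prefix: ipaddress.IPv4Network
    origin_asn: int

class Roa(NamedTuple):            # a registered authorization: who may originate what
    prefix: ipaddress.IPv4Network
    max_length: int
    asn: int

# Constructed sample data (RFC 5737 documentation prefix, RFC 5398 documentation ASNs).
LEGIT = Route(ipaddress.ip_network("203.0.113.0/24"), 64496)
BOGUS = Route(ipaddress.ip_network("203.0.113.0/25"), 64511)  # more specific, wrong origin
ROAS = [Roa(ipaddress.ip_network("203.0.113.0/24"), 24, 64496)]

def best_route(routes, dest):
    """Longest-prefix match: the most specific covering route wins."""
    addr = ipaddress.ip_address(dest)
    covering = [r for r in routes if addr in r.prefix]
    return max(covering, key=lambda r: r.prefix.prefixlen, default=None)

def origin_state(route, roas):
    """Classify an announcement as valid, invalid or not-found (RFC 6811 semantics)."""
    covering = [a for a in roas if route.prefix.subnet_of(a.prefix)]
    if not covering:
        return "not-found"        # nothing registered for this address space
    ok = any(a.asn == route.origin_asn and route.prefix.prefixlen <= a.max_length
             for a in covering)
    return "valid" if ok else "invalid"

def filtered(routes, roas):
    """Keep only announcements that no registered authorization contradicts."""
    return [r for r in routes if origin_state(r, roas) != "invalid"]

if __name__ == "__main__":
    rib = [LEGIT, BOGUS]
    # Without validation the false, more specific announcement captures the traffic.
    print("unfiltered:", best_route(rib, "203.0.113.10"))
    for r in rib:
        print(r.prefix, "AS%d" % r.origin_asn, origin_state(r, ROAS))
    # With invalid announcements dropped, traffic follows the legitimate origin again.
    print("filtered:  ", best_route(filtered(rib, ROAS), "203.0.113.10"))
```

The check only helps once the address holder has registered an authorization and the receiving network enforces it, which is the same adoption problem the text describes for DNSSEC.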

      The examples above are just two of the innumerable security vulnerabilities that exist. To stem the abuse of these vulnerabilities, the National Institute of Standards and Technology recently developed a Cybersecurity Framework to help organizations secure critical infrastructure. (40) Implementing some of these suggestions could fix a portion of the security problems facing ISPs. (41)

      These and other vulnerabilities have never been more important given the impending transition of our communications networks from the circuit-based Public Switched Telephone Network ("PSTN") to a flexible, all-IP network over which voice, video, and Internet traffic flow. (42) After this transition, communications that were once transmitted through separate networks, such as telephone and cable networks, will be transmitted through the Internet or using Internet Protocol, both of which are far more susceptible to cyber-attacks than the PSTN. (43) In contrast to the separate communications networks of the twentieth century, when there were only a small number of notable broadcast signal intrusion events and communication disruptions, (44) the Internet has made it possible to communicate--or, in some cases, alter others' communications--throughout the world. This is a double-edged sword, as interconnection is essential in a networked world. (45) Governments recognize this and hack administrators of telecommunications networks to intercept the communications on those networks; while this has been used for surveillance, it could also be used to disrupt communications. (46)

      The Internet is built on the idea that packets may take many different paths to get from their source to their destination. (47) But this interconnectedness is also...
