In the waning hours of Tom Wheeler's chairmanship, the FCC has released a white paper on cybersecurity risk reduction based on the assumption that it is in commercial communications networks' interest to provide lesser protections in service of the bottom line, so the government needs to remain a cybersecurity cop on the beat, including making cybersecurity a regular merger review issue.
The paper was issued by the FCC's Public Safety & Homeland Security Bureau.
"Since the vast majority of the commercial communications infrastructure is in private hands and private actors act first to maximize shareholder value," the paper concludes, "there is residual risk that remains when a firm’s risk tolerance exceeds that which is in the public interest. This is particularly so when consumers are not aware of the risk they are being asked to bear."
"Firms that internalize more risk are placing themselves at a competitive advantage as they forego cybersecurity investments and lower the cost of their goods and services," the paper said (though of course it would be raising the reputational risk from hacks, which might be factored into that business equation as well).
The paper concludes that there is as perverse market incentive to accept greater risk. "Those firms that internalize less risk expose themselves to a loss of market share."
Combined with the convergence in "wireless, wireline, cable, broadcast and satellite coupled with network functional virtualization and software defined radios" that means a large "exposed attack surface" for cybercriminals to target, the paper said, which is why the FCC needs an all hands on deck approach to making sure networks are secure, and one that balances corporate and consumer risks.
And while the paper says that private/public partnerships are the way to go, if market forces don't produce a "tolerable risk outcome," the commission has tools to "restore the balance."
The paper cites the Charter-Time Warner Cable merger, where "the Commission required the merged entity to submit a confidential filing to the Bureau within three months of the close of the transaction describing plans for managing the increased cybersecurity risks during the transition period," as an example of the kind of cybersecurity oversight the FCC should continue to make part of merger reviews.
"It is the networks that are the attack vectors" for cyber attacks, FCC Chairman Tom Wheeler said in an exit interview this week for C-SPAN's Communicators series.