Data Security & Privacy

Failure to Reach Regulatory Oversight on Cybersecurity Highlights Tension Between FCC and ISPs

The United States Telecom Association, whose member representatives include Internet service providers like CenturyLink, AT&T, and Verizon, appears to have blocked a Federal Communications Commission advisory panel’s recommendation on measures needed to deal with the nation’s cyber-security problem. The lack of an agreement on Internet regulatory oversight highlights growing tension between the Obama administration’s directive, which orders federal agencies to develop a cyber-security framework for specific industries, and private sector industries, which view government oversight as stifling innovation and “not flexible.”

Advocates for regulatory oversight suggest that the federal government should develop a set of strict security standards in “concert” with the National Security Agency and other agencies. However, Telco advocates say that a “checklist” of government standards would be “clunky,” create an additional layer of unnecessary bureaucracy, and potentially expose ISPs to liability for failing to prevent cyber-attacks (since the vast majority of malicious code travels over the fiber optic pipes owned by Telcos).

The irony in the Telco industry lobbying against a checklist of standards, for fear that their industry would become “clunky” and “bureaucratic,” is that whoever makes that argument has evidently never made a customer service call to Verizon, AT&T, et al., or taken a tour of a telecommunication co-location facility. A response to the “bureaucratic” position requires little mention, simply because of its absurdity. A co-location facility, which is the physical aberration of the Internet “clouds,” can best be described as a large, climate- and air-controlled office space with a seemingly endless series of interconnected wires, metallic racks stuffed with servers, switches, routers, processing units, “fan noise,” and blinking yellow, blue, red, orange, and white lights that resembles Dr. Seuss’ Thinga-ma-jigger; it’s the definition of already being “clunky.”

In fairness to the regulatory oversight advocates, the government has been telling the private sector for years that self-regulation is the preferred option, but even self-regulation has its limitations. Organizations cannot self-regulate, because they themselves have become, or already are, too bureaucratic, and this is not limited to the Telco industry. If the Telco industry wants to have a straight-faced discussion on why a checklist of standards would not work, then it should look no further than the financial sector.

The financial industry has tried its own version of self-regulation in the form of the Payment Card Industry Data Security Standard, or as it is more commonly known, “PCI Compliance.” Banks and credit card companies love to show regulators that they have their act together when it comes to cyber-security, because participating members must be in compliance with the set of standards articulated by the PCI governing body (which is made up exclusively of banks and credit card companies). The problem with the PCI checklist is that, regardless of when a breach of data occurs (and it will), the customer, not the credit card companies, will still be liable for the loss of data. There is no “risk transference” in the PCI standard, so what is the incentive for customers to be PCI compliant?

Consider the Heartland Payment Systems (HPS) data breach case: at the time, the HPS data breach was the world’s largest release of unauthorized data; HPS was PCI Compliant; HPS ended up with numerous pending class action lawsuits as a result of the data breach; the PCI governing body “revoked” its compliance AFTER the breach; and HPS is still in business today. Result: can a checklist of standards have any teeth if a company is “certified” compliant one day, and a cyber-incident occurs on another?
