Cybersecurity
The agency will vote in June on a proposal to institute internet routing security mandates.
Photo of a Coast Guard officer checking a server from the Department of Defense
WASHINGTON, May 30, 2024 – The cable industry is urging the Federal Communications Commission to lighten proposed cybersecurity reporting requirements for broadband providers.
The FCC released on May 16 a draft proposal that would require all ISPs to produce plans for expanding resource public key infrastructure (RPKI), a protocol for securely routing traffic across the internet, in their networks. It’s a step enabled by the agency’s newly reinstated Title II authority over broadband providers.
The draft proposal says that public data shows “only 22% of U.S. networks allow for the validation of their routing information by registering and maintaining [route origin authorizations] in the RPKI,” as of March, which the agency says must increase to protect from cyberattacks.
Nine of the largest providers – AT&T, Altice, Charter, Comcast, Cox, Lumen, T-Mobile, TDS, and Verizon – would have to file the risk management plans with the commission and update them annually until at least 90 percent of their networks are covered. The select providers would also have to provide quarterly data on RPKI implementation.
“These significant providers are likely to originate routes covering a large proportion of the IP address space in the United States and will play critical roles” in implementing the protocol, the FCC wrote.
The agency said it fashioned the proposal based on input from the Department of Defense, Department of Justice, and the Cybersecurity and Infrastructure Security Agency in response to a 2022 Notice of Inquiry.
NCTA, the major cable lobbying group that represents Charter, Comcast, and Cox, spoke on May 23 with the chief of the FCC’s Public Safety and Homeland Security Bureau to say “NCTA and its members believe that prescriptive rules are not needed in this area.”
The group also asked that, in the likely event the agency proceeded with the item, quarterly reporting requirements be nixed along with annual obligations once a provider reaches the 90 percent threshold.
“We support and appreciate the FCC’s draft proposal to eliminate an ISP’s annual RPKI reporting requirement once it attests to covering 90% of its originating internet traffic routes,” the group wrote in an ex parte letter filed after the meeting. “We think the same logic applies and should extend to the proposed quarterly reporting requirement, too.”
The proposal is on the agency’s agenda for its June 6 meeting. If approved, the FCC would open a formal comment period to solicit input before considering an enforceable rule.