Some of the biggest names in American telecommunications, including AT&T, Sprint, Verizon, Comcast and Microsoft, have released an inconclusive report about how the US government should enforce (by law if necessary) cyber security controls in the communications sector. The working group, which was set up to advise the Federal Communications Commission (FCC), reported that there was no consensus within the committee regarding the extent to which the government should “encourage” the communications industry to use the so-called “20 Controls.”
The 20 controls are a list of practices that all infrastructure and utility companies (including electricity, water and telecommunications) should implement to protect the USA against cyber attack. The list includes things like running anti-malware software and controlling who has administrative privileges. The 20 controls apply only to the infrastructure side of telecommunications, not to customers or their handsets and computers.
The lack of consensus is being seen as a snub of the Obama administration, which is trying to protect America’s infrastructure from hackers. However, the White House is having trouble passing new laws without first getting industry support and without defining what standards companies need to comply with.
The forceful implementation of the security rules, which would affect 3G and 4G carriers as well as companies offering phone and Internet services, is being resisted in the private sector as potentially expensive regulation, which could stifle business and innovation.
In February, President Barack Obama signed an executive order calling for the establishment of voluntary minimum standards for all businesses that provide critical infrastructure services. However, top CEOs from companies like AT&T have asked for a “light touch” from the government.
In the long term, the question is: should security standards be regulated, much like food and hygiene are? The answer, in my opinion, is yes. We are all living in an ever more hostile cyber world, and I want to know that the telecommunications infrastructure is secure and that someone is checking that it is.
What do you think?