As Matthew Lasar explains at Ars Technica, while juggling several aspects of its broadband plan today, the FCC also floated a notice of inquiry asking whether it should launch a cybersecurity certification program for telecommunications carriers. The FCC or a private partner would audit program participants. Those that pass master would be able to claim compliance with the FCC’s program. That is about all the detail there is, aside from the presumption that a certification would make the nation’s networks more secure.
The notice only asks the core question, it is an initial step that may lead to implementing a plan of some form. It isn’t clear to me whether the inquiry would produce potential details or just yield a yes or no answer to the core question.
I think the answer is highly contingent on the scope and details of the plan, admittedly a bit of a catch-22. Both telephone and data carriers have proven highly secretive in other contexts. I could easily see them refusing to participate because of the implied cost of opening up, at least to the fed or its captive auditors. I am also concerned about how such a program would be kept current in the face of wickedly fast evolving attacks. What about software and equipment makers who would not be directly effected but have a huge impact on the security of carriers? Could the low availability of up to snuff gear present its own problems and how would those be resolved?
Finally, what would a certificated carrier versus a non-certified carrier mean to the end consumer? Would a voluntary program reach enough saturation to make a difference to national security? I don’t know the answers but I hope that any proceeding following the notice digs into and considers them fully.