WASHINGTON (Reuters) - Large telecommunications companies and Internet providers succeeded in convincing an advisory panel that the U.S. government should not pursue enforcement of security measures meant to bolster their defenses against the growing threat of cyber attacks, according to a report released late on Monday.
Representatives of the communications industry on a panel advising the Federal Communications Commission argued against a recommendation that the FCC press the telecoms sector to abide by a list of cybersecurity standards endorsed by national security and defense experts. The panel could not reach an agreement needed to make such a recommendation.
Government officials and the business community have struggled to reach a consensus on the scope and power of cybersecurity standards as industry experts say prescriptive measures would hamper innovation and expose companies to being sued if their networks get hacked.
The panel that wrote the advisory report to the FCC includes experts from several state authorities, non-profits and Internet and telecom firms such as AT&T, Sprint, Verizon, Comcast and Microsoft.
In the report, the advisers said there was no consensus within the group on the “extent to which the FCC should encourage the communications industry” to follow so-called “20 Controls” endorsed by national security and defense leaders as strengthening protections against cyber attacks.
“The user community within Working Group 11 would prefer for the FCC to encourage industry to use the 20 Controls,” the advisers wrote in recommendation to the FCC.
“However ... the communications sector participants believe that some unique aspects of managing diverse multi-tenant communications networks will require additional evaluation in order to determine the extent to which the 20 Control protect network infrastructure directly; as well as, to determine the applicability of the 20 Controls to communications sector.”
The report then went on to recommend that the FCC encourage further review of cybersecurity practices and determine what standards should apply to the communications sector and to what extent. It also urged the industry to share cyber threat information and develop and improve best practices.
(For the full report, see: r.reuters.com/maj76t)
Minimum security standards have been a critical stumbling block in recent efforts to pass new cybersecurity laws. U.S. intelligence leaders call cyber attacks a top security threat but the business community is concerned about voluntary standards turning into imposing mandates.
Last week, CEOs - including AT&T’s - met with President Barack Obama and asked him for what one executive described as “light touch” from the government on the matter.
Obama’s executive order in February called for establishment of voluntary minimum cybersecurity standards for companies dealing with critical infrastructure, such as utilities.
Reporting by Alina Selyukh; Editing by Lisa Shumaker