US FCC forms task force to protect against supply chain vulnerabilities, data breaches 

The Federal Communications Commission (FCC) announced the creation of a new Privacy and Data Protection Task Force to coordinate interagency rulemaking, enforcement, and public awareness efforts on privacy and data protection. The task force will deal with various data breaches – for example, at telecommunications providers and in connection with cyberattacks – and supply chain vulnerabilities at third-party providers serving regulated communications providers.

“We live in an era of always-on connectivity. Connection is no longer just convenient. It fuels every aspect of modern civic and commercial life. To address the security challenges of this reality head-on, we must protect consumers’ information, ensure data security, and require cyber vigilance from every participant in our communications networks,” Jessica Rosenworcel, FCC chairwoman, said in a media statement. “This team of FCC experts will lead our efforts to protect consumer privacy.”

FCC Enforcement Bureau Chief Loyaan A. Egal has been appointed by the chairwoman to lead the Task Force, which is made up of FCC staff from across the agency, working on issues such as enforcement, device licensing, privacy breach notification requirements, and submarine cables. The task force will coordinate across the agency on the rulemaking, enforcement, and public awareness needs in the privacy and data protection sectors, including data breaches, such as those involving telecommunications providers and vulnerabilities involving third-party vendors that service regulated communications providers.

The Task Force includes the Office of the Chairwoman, Enforcement Bureau, Public Safety and Homeland Security Bureau, Wireline Competition Bureau, Consumer and Governmental Affairs Bureau, Space Bureau, Media Bureau, Office of the General Counsel, Office of the Managing Director, Office of International Affairs, Office of Engineering and Technology, and Office of Economics and Analytics. The group met for the first time last week.

The telecommunications agency recognizes that addressing problems that erode the public’s trust in data protection requires a whole-of-government and public-private approach. The approach includes telecom carrier, interconnected VoIP, cable, and satellite provider responsibilities for privacy and data protection; the critical connection between privacy and data protection and supply chain integrity; supply chain vulnerabilities; consequences of a breach in the supply chain (both to consumer privacy and entities that do not take reasonable steps to protect consumer information); and potential risks to national security through compromised supply chains.

“Trust in our communications systems requires that we identify threats to this trust and take actions to address them. The FCC published the first-ever Covered List of communications and services that pose an unacceptable risk to national security as required under the Secure and Trusted Communications Networks Act,” the agency said. “The FCC also launched the Secure and Trusted Communications Networks Reimbursement Program to remove untrusted equipment from our networks and replace them with secure alternatives. And the FCC worked with its national security colleagues and revoked the section 214 operating authorities of Chinese state-owned carriers who were providing service in the United States.”

The FCC has a unique role in securing the nation’s communications supply chain. It plays a critical role with the USF Supply Chain and as a named member of the departments and agencies that the Commerce Department consults to determine risks presented to the U.S. information and communications technology and services (ICTS) supply chain pursuant to Executive Order 13873.

“We remind the public and industry about the importance of securing the supply chain through reasonable efforts: ‘know your vendor’ due diligence such as who owns the vendor; where does the third-party perform support; and what level of oversight is used to monitor third-party access levels within your networks,” the agency outlined.

The FCC also has dedicated a team in the Enforcement Bureau to investigate and enforce violations of the Commission’s privacy and data protection laws and rules. “That team has been expanded and will continue to add necessary resources to address this critical and growing concern. In addition, the Enforcement Bureau has increased the number of personnel with data protection, and national security experience, including those with TS/SCI clearances in order to review classified information and better coordinate with national security colleagues in assessing risks involving the communications (including telecom, cable, and satellite) services and supply chain sectors,” it added. 

The Enforcement Bureau will use its resources and the FCC’s discovery and subpoena authorities to procure information not only from regulated communications providers but also from relevant third parties, including companies that are part of the communications supply chain and that handle customer data, in order to address privacy and data security issues that arise with regulated communications providers and their supply chains.

The FCC added that this work spans all areas of communications and involves broad topics, such as customer location data and captioned communications services for those with disabilities. “When appropriate, the FCC will exercise its monetary penalty authority to ensure compliance with the Act and its rules. Companies must know that violating our rules is not merely an acceptable cost of doing business.”

The FCC also launched a proceeding to strengthen the Commission’s rules for notifying customers and federal law enforcement of breaches of customer proprietary network information (CPNI). The Commission will look to better align its rules with recent developments in federal and state data breach laws covering other sectors. 

“The law requires carriers to protect sensitive consumer information but, given the increase in frequency, sophistication, and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements,” according to Rosenworcel. 

The Notice of Proposed Rulemaking (NOPR) seeks to gather information on this important issue and also take comment on rule changes proposed by the Commission. It seeks to better address telecommunications carriers’ breach notification requirements. The FCC proposed eliminating the current seven business day mandatory waiting period for notifying customers of a breach. The FCC also proposed clarifying its rules to require consumer notification by carriers of inadvertent breaches and requiring notification of all reportable breaches to the FCC, FBI, and U.S. Secret Service.

“A thorough and swift response to these breaches is important because the telecommunications industry, in addition to being identified as critical infrastructure, affects nearly every individual, community, and business,” the FCC said.

The agency outlined that breaches can, and have, resulted in serious problems for consumers, including theft of sensitive personal data like social security numbers and financial information. “Breaches also facilitate more technically complex fraud schemes such as fraudulent porting of a customer’s phone number to another phone, called a SIM swap, which allows bad actors to subvert 2-factor authentication and could allow them to access highly sensitive information, including financial and social media accounts. These breaches have economic ripple effects and can impact U.S. national security and law enforcement interests,” it added. 

U.S. House Republicans raised concerns last October that Huawei infrastructure continues to exist across the nation’s cellular network despite its threat to national security. The members expressed concern about corporate espionage, theft of military intelligence, and the capabilities of cellular telecommunications to be intercepted and monitored by the Chinese Communist Party (CCP).

Last week, EU member states, with the support of the European Commission and ENISA, the EU Agency for Cybersecurity, published a second progress report on the implementation of the EU Toolbox on 5G cybersecurity, which aims to address risks related to cybersecurity of 5G networks. The report provides an updated overview of the state of play of the implementation of the Toolbox by member states and covers the implementation of the strategic and technical measures of the EU Toolbox. Additionally, the report addresses some of the recommendations of the European Court of Auditors’ Special Report of January 2022.
