CTIA, CCA blast FCC for slipping cybersecurity rule into 5G order

Both CTIA and the Competitive Carriers Association (CCA), which don’t always see eye-to-eye on wireless regulatory issues, agree on one thing: The FCC’s proposal to require millimeter wave (mmWave) licensees to disclose network security plans is a bad idea.

Actually, both organization say it violates the Administrative Procedure Act (APA) because the FCC did not propose the rule in its original Notice of Proposed Rulemaking (NPRM), where entities like CTIA and CCA could have voiced their objections. Instead, they say the commission barely mentioned a security obligation in a “fact sheet” that was published less than a month before the order was adopted.

The requirement appears as Rule 30.8, published in the Federal Register on Nov. 14, and states that each licensee is required to submit to the FCC a statement describing its network security plans and related information, which must be signed by a senior executive within the licensee’s organization with personal knowledge of the security plans and practices within the licensee’s organization. It also spells out other specific requirements.

“The lengthy and complex NPRM raised numerous issues, but contained no discussion of Rule 30.8. Nor did the rule appear in the NPRM’s appendix of proposed rules or in the [Jan. 13, 2016] Federal Register notice,” CTIA said in its Dec. 14 filing with the FCC. “The Commission failed to seek comment even on whether to impose a requirement at all. The NPRM merely sought comment on ‘how to ensure that effective security features are built into key design principles for all mmW band communications devices and networks’ without setting forth any specific proposals.”

CTIA, which represents the largest U.S. carriers, spelled out a host of arguments against the rule, including that Rule 30.8 “threatens security by publicizing information that can help bad actors. Network providers take pains to not reveal security plans, system architectures, or the tools they use. Public dissemination of even ‘high level’ network security plans risks exacerbating threats.”

CCA, in its Dec. 14 commentary, said the cybersecurity requirements will saddle carriers with administrative and competitive burdens and should be rejected. In addition, “the obligations that will be imposed on mmW licensees are discriminatory and against the public interest as there are no similar obligations currently imposed on licensees in other spectrum bands or on wireline providers. Further, there is no record evidence that mmW technology poses a higher risk than any other use of spectrum.”

CCA, which represents smaller and regional U.S. carriers, further states that licensees, especially wireless licensees, are not the appropriate party to make cybersecurity disclosures. Rather, “OEMs are in the business of constructing and selling network infrastructure and would be in the best position to provide security information.”

In a separate Dec. 14 filing, T-Mobile echoed the sentiment that the cybersecurity statement requirement is unreasonably discriminatory as it’s being applied only to millimeter wave band licensees despite any evidence in the record that security is a unique concern for them.

“T-Mobile does not dispute the importance of security in the millimeter wave bands or other bands, but the lack of any justification for this mechanism or discussion of its effectiveness or appropriateness prevents the Commission from adopting rules imposing new regulatory burdens on licensees,” the carrier said. “Security protocols are best developed in response to customer demands by industry through standards-setting bodies or otherwise. Providers of wireless communications services have ample incentive to ensure that their networks are sufficiently protected. There is no need for the Commission to unnecessarily insert itself into network design.”

However, if the FCC believes a cybersecurity statement requirement is within its authority and necessary, it should initiate a separate rulemaking proceeding to ensure that interested parties have the necessary procedural opportunities to evaluate the proposal, T-Mobile said, adding that would ensure the commission and the public get a full opportunity to analyze its implications in accordance with the APA.