WASHINGTON, May 25, 2023 – A Cisco executive urged Congress at a Semafor event Thursday to provide more incentives for companies to ensure their cybersecurity posture is up to date. 

While Jeetu Patel, general manager of security at the information technology giant, didn’t specify what types of incentives can be used, he said the incentives must push private infrastructure to have high security standards. 

Both private and public sectors have a part to play in improving the nation’s security, he noted, adding private companies must build products that are secure by design. 

There is “tremendous” need for cross-nation coordination around cyberattacks, said Patel. He urged lawmakers to democratize cybersecurity by simplifying the process, adding the nation must be united to gain traction against attackers.

The cybersecurity industry has not made conversations simple to follow or technology easy to use, he said. Simplifying cybersecurity is the only way we can democratize it and when it’s democratized, it can be made universal, said Patel. 

He warned that the country cannot let the financial constraints of a few companies put the whole system at risk. Regardless of how affluent a country is, the weakest link controls the strength of the chain, he said. 

Artificial Intelligence will change cybersecurity fundamentally, he noted. It is important to remember that AI tools are also available to attackers. Currently, the majority of attacks stem from fraudulent emails which AI can make more personalized and difficult to discern from real communication, he said.  

Cybersecurity defenses must evolve

We need to develop an idea of civic responsibility for tech innovators and students in STEM fields, added Suzanne Spaulding, senior advisor of Homeland Security at the Center for Strategic and International Studies. Civic responsibility is the antidote to disinformation and is the change central to democracy, she continued.  

Spaulding warned companies against relying on existing cybersecurity measures. Resilience is about having layers of plans and assuming they all will fail, she said.  

This comes at a time of Congressional focus on cybersecurity. In March, two bills were introduced by Senators Jacky Rosen, D-Nev., and Marsha Blackburn, R-Tenn., to establish pilot programs in the Department of Defense and Homeland Security that would hire civilian cybersecurity personnel in reserve. 

In 2021, President Joe Biden signed an executive order on improving American cybersecurity capabilities following the Colonial Pipeline ransomware attack and SolarWinds breach in 2020.   

WASHINGTON, April 5, 2023 – Charter Communications is recommending the Federal Communications Commission require device manufacturers seeking equipment authorization to add a layer of authentication security to protect against cyberthreats.

In a letter to the commission on Friday, the telecommunications company suggested the commission require, as a condition of certification, devices pass a security authentication step to connect to the user’s network. When an internet-connected device connects to a network, it can also access sensitive information being shared on it – leaving the door open to malicious activity.

This “baseline” security “would erect a new barrier to prevent malicious actors from exploiting unauthorized or unidentified devices connected to consumer broadband networks without consumers’ knowledge or consent,” Charter said in its letter, following a meeting with FCC officials. “It would also be a simple and efficient way to address major cybersecurity vulnerabilities without the Commission needing to prescribe detailed cybersecurity requirements.”

“The most vulnerable devices often lack strong passwords and other basic security measures, which make them susceptible to malicious actors and frequent sources of harmful traffic across networks,” Charter added. “Devices that can connect to home networks without first being authenticated are also a significant source of cyber threats. And, despite various educational efforts, many consumers still never change the default passwords that come printed on their devices.”

The company noted that this practice is accepted by industry standards bodies and the broader security community and would relieve consumers of an additional burden when they come to connect their devices.

In conjunction with a November order that halted equipment authorizations from companies on a national security blacklist, the FCC is currently contemplating a proposal that would revamp the equipment authorization program to minimize cybersecurity threats and other malicious activity of foreign agents. The proposal asks whether it should ban component parts of a problematic device, and not just the manufactured product, and if it should require certification applicants to have a U.S.-based representative to ensure compliance.

As ubiquitous 5G connectivity takes hold in the country, more and more internet-connected devices are flooding the market.

“The proliferation of cybersecurity incidents in recent years and, particularly, the growing number of cyber threats that exploit unsecured IoT devices, underscores the need for more proactive efforts to deter and combat vulnerabilities before they reach consumers,” Charter noted in the letter, adding device manufacturers are in the “best position” to address these common security vulnerabilities.

Charter added that a combination of device manufacturer action on the authentication front and user action to additional security layers – through stronger passwords, for example – “will better protect Americans and US networks from the growing harm of cyber threats.”

The company said it actively strives to enhance security measures for its devices, including some of its newer routers requiring users to provide a unique credential to manage their home network instead of a default password. It said its routers also have pre-set security settings and undergo regular software updates.

FCC Commissioner Nathan Simington had previously advocated for mandating ongoing, as-needed cybersecurity updates to mitigate risks on wireless devices already in the hands of consumers.

WASHINGTON, February 23, 2023 – Verizon, AT&T and Lumen Technologies have proposed that the Federal Communications Commission adopt and lead a strike force consisting of various industry, government and international participants to come up with policy mechanisms to secure internet traffic over the global gateway.

The proposals are particular to the border gateway protocol, which is how global traffic is routed. The problem is that there are no security features to ensure trust of the information being routed, according to the FCC, which opened a proceeding on the matter on February 28 last year asking for commentary on what to do about the issue. The concern is that without security measures, bad network actors can redirect traffic to itself instead of the intended recipient, which exposes Americans to the theft of identity, extortion, financial transactions, and state spying, the commission noted.

In the letter last week, the three telecommunications companies proposed that secure internet traffic routing practices over the border gateway protocol first focus on critical infrastructure entities in the United States and its allies to allow these telecommunications companies to protect the traffic routes via filtering.

The filtering would involve registering traffic origins and identifying where to filter traffic along the route, including at interconnection peering points and customer routers. The proposed strike force would involve Big Tech companies and cloud platforms, which the FCC asked if it should include in its original proceeding document, as they have networking equipment and BGP routers. The internet service providers, who have their own filtering practices, also floated the possibility of the Cybersecurity and Infrastructure Security Agency requiring other agencies to provide that information.

The proposal also includes “collaborative assurances” in which the ISPs would provide confidential technical briefings about the practices.

But they advise against the FCC making prescriptive rules about such practices, noting that different ISPs have different approaches by design, and that any onerous approach could jeopardize security, not bolster it.

Questions about FCC’s jurisdiction over a fundamentally global internet routing system

The trio also questioned the jurisdiction of the commission on the routing ecosystem, which is fundamentally global.

“Asserting prescriptive regulatory control over internet protocols could have cascading effects, prompting international regulators – and authoritarian regimes in general – to seek greater internet control at the global level through” the United Nation’s telecommunications regulatory, the International Telecommunication Union.

“This would create barriers to U.S. leadership in the global digital economy and U.S. national security and is directly contrary to core interests of the United States and our free market democratic allies,” they added.

The FCC’s notice came just days after Russia’s invasion of Ukraine, which resulted in reports of increased cyberattacks from the warring regions. In fact, the FCC accused Russian network operators of inexplicably routing traffic through its country, including from traffic from Google, Facebook, Apple, Microsoft and major credit card companies MasterCard and Visa.

It also came before a law was passed that requires critical infrastructure companies to report to the federal government within a certain timeframe when they have experienced a hack or breach, as the country grapples with a number of high-profile attacks since the pandemic began.

The FCC has targeted national security threats by halting license authorizations to Chinese firms and putting on a blacklist a number of companies whose equipment American telecommunications companies are expected to remove from their networks.