NTCA is committed to working with the public and private sectors to ensure that rural telecom providers have every tool at their disposal in order to efficiently and effectively secure their networks from cyber attack. As such, the association offers the following resources to assist your company as it seeks to protect network assets, and employee and customer data.
In response to the evolving cyber-threat landscape, industry leaders and policymakers have coalesced around a dynamic, flexible, risk-management approach to cybersecurity. This new approach allows a network operator to optimize its security investments, and as a secondary benefit, is consistent with policymakers’ expectations for critical infrastructure providers.
The NIST Cybersecurity Framework
The NIST Cybersecurity Framework is the preeminent resource to assist operators with developing a risk-management approach to cyber threats.
In response to presidential Executive Order 13636, on February 12, 2014, the National Institute of Standards and Technology (NIST) released the “Framework for Improving Critical Infrastructure Cybersecurity Version 1.0,” more commonly known as the NIST Cybersecurity Framework, and it has since been codified into legislation with the Cybersecurity Enhancement Act of 2014 and supported by President Trump in his May 2017 Executive Order.
The Framework is voluntary, based on existing standards, and designed to help owners and operators of critical infrastructure manage their cyber risk. The Framework applies to all 16 critical infrastructure sectors.
The CSRIC IV WG 4 Report on Cybersecurity Best Practices
Subsequent to the release of the NIST Cybersecurity Framework, the FCC’s Communications, Security, Reliability and Interoperability Council (CSRIC) IV advisory council convened working group 4 to adapt the NIST Cybersecurity Framework to the communications sector. The CSRIC IV cybersecurity working group report includes recommendations, resources, and guidance with regard to cybersecurity best practices.
NTCA urges its members to review the report, in particular, Section 9.9 which contains simplified, practical guidance for small businesses, including 37 high-priority subcategories—of the 98 included in the NIST Framework—for small network operators. This culled list is a useful starting point for a small operator that is seeking to undertake a more formalized and structured risk-management approach to protect its core network, and critical infrastructure and services from cyber threats.
CSRIC Best Practices for Small, Rural Providers
The FCC encourages small and rural communications service providers to review and consider implementing, where appropriate, 23 specific best practices recommended by CSRIC to improve network reliability and as appropriate for your network operations.
The CIS Critical Security Controls
The Center for Internet Security (CIS) Critical Security Controls are a recommended set of actions for cyber defense that provide specific and actionable ways to respond to today's attack landscapes. A principal benefit of the CIS controls is that they prioritize and focus on a smaller number of actions. Learn more about the CIS Controls and how this approach can align with the more macro-level risk-management guidance provided by the NIST Cybersecurity Framework and endorsed by policymakers.
America’s cyber adversaries move with speed, stealth and increasing sophistication. To keep pace, information sharing is a vital resource for critical infrastructure security and resilience, improving the cybersecurity preparedness and response of private and public organizations. Learn more about how you can engage in various cyber information sharing venues:
The U.S. Computer Readiness Team (US-Cert), part of the Department of Homeland Security (DHS), distributes cyber vulnerability and threat information on a regular basis, often several times per week, for free to subscribers.
InfraGard is a partnership between the FBI and members of the private sector which expedites the timely exchange of information, and promotes mutual-learning opportunities relevant to the protection of critical infrastructure.
State and Regional Fusion Centers
Fusion centers operate as state and major urban area focal points for the receipt, analysis, gathering, and sharing of threat-related information between federal; state, local, tribal, territorial; and private-sector partners.
NTCA’s Cybersecurity Working Group
NTCA’s Cybersecurity Working Group offers a venue for members—network operators and technical consultants—to communicate and collaborate in a trusted setting, and exchange cyber vulnerability and threat intelligence information. The group is limited to 40 participants on an annual basis, and it meets virtually on a monthly basis.
In light of the persistent and increasing cyber threats, there is a continued policy focus on protecting the nation’s critical infrastructure.
The Federal Communications Commission (FCC) is the communications industry’s traditional regulatory agency; however, the Trump administration has signaled its intent to have other government agencies take the lead on cybersecurity oversight and regulation. For instance, DHS is tasked as the communications sector specific agency (SSA) and, via longstanding legislative direction, oversees critical infrastructure providers and cybersecurity issues. DHS has adopted a public-private partnership approach, consistent with industry best practices.
The Federal Trade Commission (FTC) is charged with protecting consumers and enhancing competition across broad sectors of the economy. The FTC’s primary legal authority comes from Section 5 of the FTC Act, which prohibits “unfair or deceptive practices” in the marketplace. The agency has used this authority to bring enforcement actions against companies that have engaged in unfair or deceptive practices that put consumers’ personal data at unreasonable risk. However, the 9th Circuit Court of Appeals is currently evaluating whether the FTC has the legal authority to oversee “common carriers.”
Despite this jurisdictional uncertainty, the touchstone of the FTC’s approach to data security is grounded in “reasonableness”: a company’s data security measures must be reasonable in light of the sensitivity and volume of consumer information it holds, the size and complexity of its data operations, and the cost of available tools to improve security and reduce vulnerabilities. The FTC offers various resources to the business community:
- The FTC’s Start with Security provides practical lessons learned from its more than 50 enforcement actions and data security settlements.
- March 9, 2017: The FTC released a video detailing how its approach to security aligns with the NIST Cybersecurity Framework.
- May 20, 2015: The FTC released a blog post on what a company should expect if it is the target of an FTC data security investigation.
After enacting cyber threat information-sharing legislation in late 2015, Congress has focused on legislation that would provide cyber risk-management resources for small businesses. This effort has primarily taken two forms. One route involves directing the Small Business Administration (SBA) and the Department of Homeland Security (DHS) to work together on providing resources through SBA’s 900+ Small Business Development Centers to help small businesses improve their cybersecurity risk-management practices (see FY2017 NDAA Title XVIII Subtitle E). The other initiative directs the National Institute of Standards and Technology (NIST) to disseminate resources designed to help small businesses manage cybersecurity risk. (see H.R. 2105, H.R. 3010 and S. 770)
Regarding privacy and data security, Rep. Marsha Blackburn (R-TN) introduced the BROWSER Act in the wake of Congress’ successful effort to void the FCC’s controversial broadband privacy notice of proposed rulemaking. The BROWSER Act would put ISPs and edge providers under the same Federal Trade Commission (FTC) regulatory regime, but would also adopt controversial portions of the voided FCC Broadband Privacy Order, including the requirement to obtain opt-in consent from customers for use of a broad category of “sensitive” data. Sen. Ed Markey offered his own proposal to govern ISP use of customer information that also would address telecommunications carrier data security and breach notification. Indeed, massive consumer data breaches continue to elicit congressional proposals for regulating the security of consumer data and the responsibility to notify affected customers of a breach.
Information for Your Customers
Creating a culture of cybersecurity is critical for all organizations and is a responsibility shared among all employees and network users. Your subscribers may find the following resources helpful as they strive to become more informed, aware and resilient in regard to cyber threats:
- The Department of Homeland Security Stop.Think.Connect. Toolkit
- National Cyber Security Alliance Workplace Tips
- US-CERT Home and Business Networks web page
Cyber Wise Program
Learn how to develop a comprehensive, company-wide plan to manage your cyber risks and ensure your network is resistant to and resilient from cyber attacks. Designed for you – by NTCA – Cyber Wise is specifically for small, rural network service providers. It’s free from NTCA.
NTCA Cybersecurity Bundle
The 2018 NTCA Cybersecurity Bundle is a comprehensive guide designed to help your company develop a risk-management approach to cybersecurity—your company’s best defense against a proactive cyber adversary. This approach is scalable and flexible to address the evolving threat environment, and your needs and resource constraints. It also is consistent with the guidance provided within the NIST Cybersecurity Framework. The bundle consists of four robust resources, which are designed to be read and used sequentially. (Note: 2018 Cyber Wise Workshop attendees receive the new bundle for free.)
NTCA hosts a number of events throughout the year including the annual NTCA Cybersecurity Summit and webinars. Check out our latest events and see if cybersecurity issues is on the agenda.