FCC Cybersecurity
Public Safety and Homeland Security Bureau > Cybersecurity and Communications Reliability Division
"The Cybersecurity and Communications Reliability Division (CCR) administers the Commission's cyber security policy, communications reliability information collection requirements (e.g., network outage reports) and performs analyses and studies concerning public safety, homeland security, national security, disaster management, and related issues. The division keeps itself fully informed of technological and industry developments that may implicate public safety, homeland security, disaster management, and related issues. CCR coordinates with other Bureaus and Offices within the Commission on these issues. During emergencies or other incidents, CCR supports OEM and coordinates with other Bureaus and Offices in administering the Commission's information collection requirements and preparing any associated reports. CCR also works with communications providers to protect critical communications infrastructure from cyber attacks."
Initiatives:
- Commercial Mobile Alert System (CMAS)
- Disaster Information Reporting System (DIRS)
- Network Outage Reporting System (NORS)
Publications:
- Emergency Communications During the Minneapolis Bridge Disaster: A Technical Case Study by the Federal Communications Commission's Public Safety and Homeland Security Bureau's Communications System Analysis Division
- Emergency Communications Disaster Preparation Checklist: Suggested Planning Activities for Regions and States
- Tips for Communicating in an Emergency
- Vulnerability Assessment and Feasibility of Creating a Back-Up Emergency Communications System
See also FCC's FACA Communications Security, Reliability, and Interoperability Council
Broadband Plan Recommendations
- Recommendation 4.18 FCC consumer online security efforts should support broader national online security policy, and should be coordinated with the Department of Homeland Security (DHS), the FTC, the White House Cyber Office and other agencies. Federal agencies should connect their existing websites to OnGuard Online to provide clear consumer online security information and direction.
Proceedings
- Inquiry into Mobile Device Security
- FCC WIRELESS TELECOMMUNICATIONS BUREAU LAUNCHES INQUIRY INTO MOBILE DEVICE SECURITY UPDATES. Partnership with FTC will examine how patches are distributed. News Release. WTB https://apps.fcc.gov/edocs_public/attachmatch/DOC-339256A1.docx
https://apps.fcc.gov/edocs_public/attachmatch/DOC-339256A2.pdf
https://apps.fcc.gov/edocs_public/attachmatch/DOC-339256A3.pdf
https://apps.fcc.gov/edocs_public/attachmatch/DOC-339256A1.pdf
- FTC To Study Mobile Device Industry’s Security Update Practices May 9, 2016.
- In order to gain a better understanding of security in the mobile ecosystem, the Federal Trade Commission has issued orders to eight mobile device manufacturers requiring them to provide the agency with information about how they issue security updates to address vulnerabilities in smartphones, tablets, and other mobile devices.
The eight companies receiving orders from the FTC are: Apple, Inc.; Blackberry Corp.; Google, Inc.; HTC America, Inc.; LG Electronics USA, Inc.; Microsoft Corp.; Motorola Mobility, LLC; and Samsung Electronics America, Inc.
Among the information recipients must provide under the orders are:
- the factors that they consider in deciding whether to patch a vulnerability on a particular mobile device;
- detailed data on the specific mobile devices they have offered for sale to consumers since August 2013;
- the vulnerabilities that have affected those devices; and
- whether and when the company patched such vulnerabilities.
- Released: 03/19/2015. FCC'S PUBLIC SAFETY AND HOMELAND SECURITY BUREAU REQUESTS COMMENT ON CSRIC IV CYBERSECURITY RISK MANAGEMENT AND ASSURANCE RECOMMENDATIONS. (DA No. 15-354). (Dkt No 15-68). Comments Due: 05/29/2015. Reply Comments Due: 06/26/2015. PSHSB. TXT
- 8/9/10 FCC Seeks Public Comment on National Broadband Plan Recommendation to Create a Cybersecurity Roadmap. Public Notice: Word | Acrobat PS Docket No. 10-146 GN Docket No. 09-51 Comments Due: September 23, 2010
- "By this Public Notice, the Federal Communications Commission's (FCC or Commission) Public Safety and Homeland Security Bureau (PSHSB) seeks public comment on the creation of a Cybersecurity Roadmap to identify vulnerabilities to communications networks or end-users and to develop countermeasures and solutions in preparation for, and response to, cyber threats and attacks in coordination with federal partners. The FCC's Cybersecurity Roadmap was recommended as an initial step forward in the area of cybersecurity as part of the Commission's National Broadband Plan (NBP). Specifically, the NBP recommended that the FCC issue, in coordination with the Executive Branch, a plan to address cybersecurity. The NBP further stated that the roadmap should identify the five most critical cybersecurity threats to the communications infrastructure and its end users and establish a two-year plan, including milestones, for the FCC to address these threats. In making this recommendation, the NBP stated that "[t]he country needs a clear strategy for securing the vital communications networks upon which critical infrastructure and public safety communications rely."
"The Cybersecurity Roadmap will establish a plan for the FCC to address vulnerabilities to core Internet protocols and technologies and threats to end-users, including consumers, business enterprises, including small businesses, public safety and all levels of government. Cybersecurity is a vital topic for the Commission because end-user lack of trust in online experiences will quell demand for broadband services, and unchecked vulnerabilities in the communications infrastructure could threaten life, safety and privacy. The NBP originally called for completion of the Cybersecurity Roadmap within 180 days (e.g., September 13, 2010). In order to ensure a complete and robust record in response to this Public Notice, we anticipate completion of the Cybersecurity Roadmap by November 2010.
"We welcome public input on these matters and the overall roadmap from interested parties. For example, commenters could offer responses to: What are the most vital cybersecurity vulnerabilities for communications networks or users? How can these vulnerabilities be addressed? What role should the Commission play in addressing them? What steps should the Commission take, if any, to remediate them? If the FCC does not play a role in addressing these vulnerabilities and problems, what agency or entity would fulfill that role? How should the Commission coordinate its efforts with other agencies of government?
- FCC Launches Inquiry On Proposed Cyber Security Certification Program For Communications Service Providers Docket No. 10-93. Comments due July 12; Replies due September 8, 2010.
- Press Release: "The Federal Communications Commission (FCC) today adopted a Notice of Inquiry (NOI) that seeks public comment on the proposed creation of a new voluntary cyber security certification program that would encourage communications service providers to implement a full range of cyber security best practices. This National Broadband Plan recommendation serves as a first step to implementing a comprehensive roadmap to help counter cyber attacks and better protect America's communications infrastructure." 4/21/10 FCC Launches Inquiry on Proposed Cyber Security Certification Program for Communications Service Providers. News Release: NOI
- FCC Commences Inquiry On Survivability Of America's Broadband Infrastructure Docket No. 10-92. Comments due June 25; Replies due July 26, 2010; 4/21/10 FCC Commences Inquiry on Survivability of America's Broadband Infrastructure. News Release: NOI:
Government Activity
- STATEMENT FROM FCC CHAIRMAN TOM WHEELER ON THE CYBERSECURITY FRAMEWORK. STMT. OCHTW http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-325604A1.docx
http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-325604A1.pdf
http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-325604A1.txt
- FCC ANNOUNCES AGENDA AND PANELISTS FOR THE NOVEMBER 12, 2013 CYBERSECURITY FORUM. News Release. News Media Contact: CGB. http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-323994A1.docx
http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-323994A1.pdf
http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-323994A1.txt
- FCC CHAIRMAN JULIUS GENACHOWSKI PREPARED REMARKS ON CYBERSECURITY, BIPARTISAN POLICY CENTER, WASHINGTON, DC. OCHJG TXT
- FCC LAUNCHES SMALL BIZ CYBER PLANNER, A NEW EASY-TO-USE ONLINE RESOURCE TO EMPOWER SMALL BUSINESSES WITH CYBERSECURITY PLANS. News Release. News Media Contact: Neil Grace OCHJG TXT
- FACT SHEET: FCC CHAIRMAN GENACHOWSKI ANNOUNCES SMALL BIZ CYBER PLANNER - A NEW ONLINE RESOURCE TO EMPOWER SMALL BUSINESSES WITH CYBERSECURITY PLANS. News Release OCHJG TXT
- FCC CHAIRMAN GENACHOWSKI ANNOUNCES SMALL BIZ CYBER PLANNER - A NEW ONLINE RESOURCE TO EMPOWER SMALL BUSINESSES WITH CYBERSECURITY PLANS. FACT SHEET OCHJG
Wireless Security
Derived From: NIST Guidelines on Cell Phone and PDA Security, Special Pub. 800-124 Oct. 2008
Cell phones and Personal Digital Assistants (PDAs) have become indispensable tools for today's highly mobile workforce. Small and relatively inexpensive, these devices can be used not only for voice calls, simple text messages, and Personal Information Management (PIM) (e.g., phonebook, calendar, and notepad), but also for many functions done at a desktop computer. The latter includes sending and receiving electronic mail, browsing the Web, storing and modifying documents, delivering presentations, and remotely accessing data. Mobile handheld devices may also have specialized built-in hardware, such as a camera, a Global Positioning System (GPS) receiver, and reduced-size removable-media card slots, and employ a range of wireless interfaces, including infrared, Wireless Fidelity (Wi-Fi), Bluetooth, and one or more types of cellular interfaces.
While these devices provide productivity benefits, they also pose new risks to an organization, including the following.
- Because of their small size and use outside the office, handheld devices can be easier to misplace or to have stolen than a laptop or notebook computer. If they do fall into the wrong hands, gaining access to the information they store or are able to access remotely can be relatively easy.
- Communications networks, desktop synchronization, and tainted storage media can be used to deliver malware to handheld devices. Malware is often disguised as a game, device patch, utility, or other useful third-party application available for download. Once installed, malware can initiate a wide range of attacks and spread itself onto other devices.
- Similar to desktop computers, cell phones and PDAs are subject to spam, but this can include text messages and voice mail, in addition to electronic mail. Besides the inconvenience of deleting spam, charges may apply for inbound activity. Spam can also be used for phishing attempts.
- Electronic eavesdropping on phone calls, messages, and other wirelessly transmitted information is possible through various techniques. Installing spy software on a device to collect and forward data elsewhere, including conversations captured via a built-in microphone, is perhaps the most direct means, but other components of a communications network, including the airwaves, are possible avenues for exploitation.
- Location tracking services allow the whereabouts of registered cell phones to be known and monitored. While it can be done openly for legitimate purposes, it may also take place surreptitiously.
- It is possible to create a clone of certain phones that can masquerade as the original. Once popular with analog phones, it is not as prevalent today with the rise of digital networks, but some early generation digital equipment has been shown to be vulnerable.
- Server-resident content, such as electronic mail maintained for a user by a network carrier as a convenience, may expose sensitive information through vulnerabilities that exist at the server.
To date, incidents from malware and other identified dangers that have occurred against handheld devices have been limited when compared with those against desktop and networked computers. One factor is that no single operating system dominates handheld devices to the same extent, fragmenting the number of potential homogeneous targets. Cellular network carriers have also favored a closed system approach in which they exerted control over devices and applications, as well as their networks. Nevertheless, an increasing amount of mobile malware has been reported over the past several years, which raises concerns for the future, particularly when coupled with the recent trend towards establishing a more open system environment for cellular handheld devices. Such an open environment would not only facilitate application development and allow flexibility in choosing devices and applications from other sources, but it would also expedite malware development and potentially provide more attractive avenues of attack to exploit.
© Cybertelecom ::
See also Can Spam Act: Wireless Spam
Derived From: Security Tip (ST06-007), Defending Cell Phones and PDAs Against Attack, US CERT Aug. 9, 2006
What can you do to protect yourself?
- Follow general guidelines for protecting portable devices - Take precautions to secure your cell phone and PDA the same way you should secure your computer (see Cybersecurity for Electronic Devices and Protecting Portable Devices: Data Security for more information).
- Be careful about posting your cell phone number and email address - Attackers often use software that browses web sites for email addresses. These addresses then become targets for attacks and spam (see Reducing Spam for more information). Cell phone numbers can be collected automatically, too. By limiting the number of people who have access to your information, you limit your risk of becoming a victim.
- Do not follow links sent in email or text messages - Be suspicious of URLs sent in unsolicited email or text messages. While the links may appear to be legitimate, they may actually direct you to a malicious web site.
- Be wary of downloadable software - There are many sites that offer games and other software you can download onto your cell phone or PDA. This software could include malicious code. Avoid downloading files from sites that you do not trust. If you are getting the files from a supposedly secure site, look for a web site certificate (see Understanding Web Site Certificates for more information). If you do download a file from a web site, consider saving it to your computer and manually scanning it for viruses before opening it.
- Evaluate your security settings - Make sure that you take advantage of the security features offered on your device. Attackers may take advantage of Bluetooth connections to access or download information on your device. Disable Bluetooth when you are not using it to avoid unauthorized access (see Understanding Bluetooth Technology for more information).
- Cell Phone Security, Consumer Reports
- Mobile Device Security, WMATA
- NIST Guidelines on Cell Phone and PDA Security, Special Pub. 800-124 Oct. 2008
- NIST Updates Guidelines for Mobile Device Security From NIST Tech Beat: July 11, 2012
- DRAFT Guidelines for Managing and Securing Mobile Devices in the Enterprise draft_sp800-124-rev1.pdf
- FCC Smartphone Security Checker
- US CERT
- Security Tip (ST06-007), Defending Cell Phones and PDAs Against Attack, US CERT Aug. 9, 2006
- Security Tip (ST05-017) Cybersecurity for Electronic Devices Last revised: February 06, 2013
- Security Tip (ST04-020) Protecting Portable Devices: Data Security Original release date: January 27, 2010 | Last revised: February 06, 2013
- “Technical Information Paper: Cyber Threats to Mobile Devices”
- Security Tip (ST04-017) “Protecting Portable Devices: Physical Security”
- DOD
- Improvements Needed with Tracking and Configuring Army Commercial Mobile Devices, Inspector General, US Department of Defense, March 26, 2013
- Army, DOD IG disagree over mobile device management, FCW April 5, 2013
- “Use of Commercial Mobile Devices in the Department of Defense,” April 6, 2011
- “U.S. Army Guidance on Piloting Commercial Mobile Devices,” November 3, 2011
- DoD Directive 8500.01E, “Information Assurance,” April 23, 2007
- DoD CIO Memorandum, “Use of Commercial Mobile Devices in the Department of Defense,” April 06, 2011
- DOD Commercial Mobile Device Interim Policy, DoD Jan. 17, 2012
- Mobile Commuting Devices, April 3, 2013
- DON Security Guidance for Personal Electronic Devices DTG 202041Z AUG 07 - Publish Date: 08/20/07
Other Activities
REORGANIZATION OF THE PUBLIC SAFETY AND HOMELAND SECURITY BUREAU. To promote a more effective organizational structure and to enhance the agency's capabilities to address critical communications issues for the nation's first responders. Action by: the Commission. Adopted: 02/07/2011 by ORDER. (FCC No. 11-18). OMD TXT: To promote a more effective organizational structure and to enhance the agency's capabilities to address critical communications issues for the nation's first responders, the Commission has concluded that the proper dispatch of its business and the public interest will be served by reorganizing the Public Safety and Homeland Security Bureau (Bureau or PSHSB). This reorganization will convert the Emergency Response and Interoperability Center (ERIC) into a division-level office within the Bureau and will rename the Bureau's current Policy Division, Communications Systems Analysis Division, and Public Communications Outreach and Operations Division to, respectively, the Policy and Licensing Division, the Cybersecurity and Communications Reliability Division, and the Operations and Emergency Management Division.
News
- FCC TO HOLD WORKSHOP ON CYBERSECURITY ROADMAP, FCC 10/21/2010
- FTC Files Comments on FCC's Proposed Cyber Security Certification Program, FTC 10/12/2010
- USTelecom Comments on FCC Cybersecurity Roadmap, USTelecom 9/24/2010