By Andrea Peterson, Project on Government Oversight
After high-tech phone network outages hit major U.S. cities in 1991, the Federal Communications Commission (FCC) chartered an advisory group to help the agency troubleshoot emerging technology issues. Yet a recent Project On Government Oversight investigation found that instead of helping solve problems, this industry-dominated group has at times been a barrier to strengthening the security of America’s communications.
The group is now called the Communications Security, Reliability and Interoperability Council, and is known within the commission by its acronym, CSRIC, pronounced “scissor-ick.” The council’s current charter calls for a mixture of representatives from the government, non-profit consumer advocates, and the private sector to “balance the expertise and viewpoints” on technical topics.
In addition, the council falls under the purview of the Federal Advisory Committee Act, a statute that sets certain minimum transparency and membership requirements. The Federal Advisory Committee Act requires that memberships of advisory committees “be fairly balanced in terms of the points of view represented and the functions to be performed by the advisory committee”—potentially putting the group on the wrong side of the law.
POGO’s analysis found that the council, which is typically chartered for two-year sessions and whose members are appointed by the FCC chairman, is dominated by industry influences and falling short of legal requirements. Since March 2011, when cybersecurity officially became part of the group’s mission, there have been four iterations of the council. Each of those times, more than half of its members represented private sector interests, either as a direct employee of a for-profit company or via affiliation with an industry trade group, according to POGO’s analysis of its membership.
POGO reviewed the affiliations of 183 members who have served on the council since March 2011. In total, 124 members—over 67 percent—represented industry. And that figure is likely conservative because it does not take into account that some groups our methodology categorized as representing civil society or academia receive substantial financial funding from industry.
For example, Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology (CDT), was one of the few civil society representatives on an iteration of the council from March 2013 through March 2015. While CDT is a 501(c)(3) nonprofit, it receives a significant amount of its funding from corporations—including some with a vested interest in FCC policy making. According to the group’s financial disclosures, 43 percent of its revenue in 2018 came from corporations, including more than $200,000 from major telecom company Verizon. CDT’s gift acceptance policy states that “financial supporters have no influence or control over CDT’s projects or priorities.”
The skewed membership of the council has given industry undue influence on the FCC policy-making process, since the agency has all too often relied on the council’s research and analysis because its own in-house expertise failed to keep up with the pace of emerging communications technologies, former agency staffers told POGO.
While the council makes its reports in an advisory capacity and the FCC must take further action to create new regulations, several former commission employees told POGO the council’s reports and recommendations held heavy sway within the agency despite the obvious conflicts of interest inherent in their production. The reports and recommendations have been pointedly in the direction of agency inaction, which aligns with larger industry lobbying efforts against stronger digital security requirements, according to former staffers.
This setup created a vicious cycle in terms of who took part in the process.
“CSRIC working groups had such a reputation for being ineffective that the good people you’d want to participate would avoid them,” according to one former commission staffer, who requested anonymity to avoid impacting future career prospects.
To some participants, the council seemed like an exercise in futility. Hall, the CDT technologist, could not recall a single instance where the council made a substantive impact while he participated. Industry’s excessive influence was a major reason, he said.
Tom Wheeler, the FCC chairman from November 2013 through January 2017, told POGO he used the council to inform the commission’s early cybersecurity oversight efforts during his tenure. Under Wheeler, the council created a working group to study cybersecurity best practices. This resulted in a 2015 report and voluntary commitments by telecom companies to apply a framework for approaching cybersecurity developed by the Commerce Department’s National Institute of Standards and Technology to their security strategies—a small step forward. Wheeler said the council represented a flexible way to come up with responses to security problems that were constantly evolving.
But even after agreeing to some of those voluntary measures, industry seemed to balk at actually following through, according to Wheeler. He told POGO that industry pushed back once the commission started asking companies to inform them about their compliance with security standards and share information about security incidents, as recommended under the institute’s framework.
Many of the council’s recommendations originate from its smaller working groups. Transparency advocates, including POGO, have noted that such subgroups are often a way to get around some of the reporting requirements set in place by the Federal Advisory Committee Act. While the FCC website about the Federal Advisory Committee Act notes that informal working groups cannot “make recommendations to the Committee that are ‘rubber stamped’ without further action or consideration by the full Committee,” several people familiar with the process told POGO the council as a whole often does essentially rubber stamp the preferred direction of its working groups.
Additionally, during the iterations of the council since March 2011, the leadership of the working groups was heavily skewed towards industry, with more than 80 percent being chaired or co-chaired by industry representatives, according to POGO’s analysis. These chairs and co-chairs, along with the people chosen to serve as lead editors on reports, steer the direction of the working groups. Wheeler told POGO that he and his staff turned to industry for recommendations when choosing members for the council, a choice he defended as necessary to getting industry participation.
How Industry Influence at the FCC Risks Our Digital Security
The nation’s digital backbone is flawed, leaving calls and texts vulnerable to interception and disruption.
However, POGO’s recent investigation highlighted how industry influence within the council’s process was used to delay meaningful action on serious security vulnerabilities in part of America’s cellular infrastructure known as Signaling System No. 7, or SS7, that can allow hackers to track people’s locations via their mobile devices and intercept calls or texts. Emails, obtained through a Freedom of Information Act request by POGO, show that the industry-aligned leaders of one of the council’s working groups—theoretically convened to help figure out how to solve the problem—instead delayed the process and ignored input from Department of Homeland Security experts in the working group.
The SS7 working group ultimately only recommended a set of voluntary best practices, despite fairly quickly identifying technical solutions to the problem, according to former FCC Public Safety and Homeland Security Bureau Chief David Simpson.
A later iteration of the working group, which excluded some of the DHS experts from the previous iteration, studied similar network security problems and ultimately also recommended only voluntary measures—despite acknowledging that the “technologies have become targets of both domestic and international attackers with different motivations and create different risks for both service companies and subscribers.”
The FCC’s founding statute charges it with, among other things, promoting “safety of life and property through the use of wire and radio communication.” Despite that mandate, and the increasing risks to America’s communications infrastructure, the commission has become even less engaged on cybersecurity issues under the current chairman, Ajit Pai.
The latest iteration of the council held its most recent meeting in March and the agency is reviewing nominations for the next version. Appointing members who better reflect public, rather than corporate, interests could show that Chairman Pai recognizes the importance of the agency’s legally mandated network security responsibilities.
A number of steps could improve the integrity of the FCC and its advisory group. POGO recommends:
That the Communications Security, Reliability and Interoperability Council and its working groups have equal participation from non-industry affiliated civil society groups, academia, industry, and representatives from various levels of government.
Meaningful reporting timelines and metrics for the council to reduce process delays within working groups and from the full council.
Stronger transparency requirements for information about the council and other Federal Advisory Committee Act advisory groups, including requirements that detailed notes be kept and publicly posted for any subcommittee or working group discussions.
More congressional oversight of the FCC’s security mandate through hearings about the agency’s handling of security issues in communications networks and its reliance on industry expertise through the council and other means.
Greater investment in high-tech expertise inside the FCC. Hiring more staff with deeper knowledge of modern systems will result in an agency less reliant on views from the industry it is supposed to be regulating. This could include:
- Increased funding for in-house technical experts at commission offices with security-related responsibilities, including the Office of Engineering and Technology, the Consumer and Governmental Affairs Bureau, and the Public Safety and Homeland Security Bureau.
- Expanding the role of the Chief Technology Officer position, a senior technology policy position at the FCC currently located within the commission’s Bureau of Economics and Analytics. The position has a limited advisory role. Creating an independent office led by the Chief Technology Officer and including additional staff who can facilitate technology-related policy discussions across the agency would build in-house expertise and make it less dependent on the Communications Security, Reliability and Interoperability Council.
Some of these reforms are part of the Federal Advisory Committee Act Amendments of 2019 (H.R. 1608 and S. 1220), legislation that POGO supports.