FCC Chair Claims Cybersecurity Role Congress Crafted for CISA

The Federal Communications Commission is claiming a space for itself in cybersecurity policymaking that Congress has already designated for the Cybersecurity and Infrastructure Security Agency under a new cyber incident reporting law, given various existing requirements at sector-specific agencies.   

“We’ll discuss how this group can work on achieving greater consistency in the reporting of cyber incidents,” FCC Chairwoman Jessica Rosenworcel said in a speech to the representatives of 30 regulatory and advisory agencies, according to a press release the commission issued Friday. “Right now, there’s a lot of fragmentation across sectors and jurisdictions in what information gets reported, when and how it is reported, and how that information can be used. So we’ll discuss using this forum as a place to work toward greater convergence on these matters.”

The forum was first convened in 2014 at the Nuclear Regulatory Commission by independent and executive-branch regulators, under a charter to “identify and explore opportunities to align, leverage and deconflict cross-sector regulatory authorities’ approaches and promote cybersecurity protection.”  

Rosenworcel relaunched it in February, asserting the need for a whole-of-government approach to cybersecurity and “to enhance communication, share lessons learned and develop a common understanding of cybersecurity activities through the sharing of best practices.” Her speech Friday highlighted regulatory efforts by Congress—passage of the incident reporting law which offers critical infrastructure companies limited liability protections in exchange for sharing reports to CISA—and the administration in a different cybersecurity landscape.

“When this body was first created in 2014, it was focused primarily on information sharing and self-regulatory approaches,” she said. “The cyber threats to our critical infrastructure have evolved since then, so this group’s mission should evolve to keep pace. Our chief objective now is to harmonize how private sector industries implement essential cybersecurity controls and how independent and executive branch regulatory agencies can ensure their work advances those efforts.”

But Rosenworcel’s first task for the forum describes a role Congress carved out in the incident-reporting law for CISA. That agency’s director, Jen Easterly, is already tasked with overseeing a rulemaking process and interagency council to hammer out agreements with sector specific agencies, such as the Department of Energy, and others that already have incident reporting requirements for how the information should be shared while avoiding a duplication of efforts by critical infrastructure entities. 

Top CISA and DHS officials participated in the forum, which was closed to the press. A CISA spokesperson said CISA Executive Director Brandon Wales "highlighted some of the ways CISA and our federal partners can work together to improve our collective defense in an evolving threat environment." CISA did not answer questions about how the agency views the FCC undertaking activities Congress directed CISA to conduct under the incident reporting law or the status of the rulemaking process at the agency. National Cyber Director Chris Inglis and Deputy National Security Advisor for Cyber and Emerging Tech Anne Neuberger also participated in the FCC-led forum.

“Many have asked why it is important that we revitalize this group now,” Rosenworcel said. “To that, I would say the membership is the message.” 

Meanwhile, lawmakers with jurisdiction over the sector-specific agencies are already starting to push cabinet officials to defend their authorities in the cybersecurity space during CISA’s rulemaking process.

“We are writing to ask you to ensure that the Department of Energy maintains its existing authority as the Sector Risk Management Agency for energy sector cybersecurity,” the chair and ranking members for the relevant House and Senate committees wrote in a letter to Energy Secretary Jennifer Granholm Friday. “Without your engagement and immediate attention, we are concerned that DOE’s role in helping to ensure energy sector cyber security will be diminished.” 

The incident reporting law was promoted by Sen. Rob Portman, R-Ohio—ranking member of the Homeland Security Committee—and others, as an urgently needed measure to address the threat of Russian cyberattacks in the wake of the Kremlin’s invasion of Ukraine. But it gives CISA as long as 3.5 years to finalize rules covering crucial details. Some observers say it could take even longer—and may not even be possible—to realize its intention.

“I mean, you have a federal law that tells you to harmonize, so I anticipate the agencies are going to take that seriously and try to work something out,” Shardul Desai, a partner at the law firm Holland and Knight who formerly worked for the U.S. Attorney’s Office on cybercrime, told Nextgov. “But the focusses of the agencies and CISA are slightly different, and … I don't see how we're gonna get that harmonization. I think the only way we'll get there is if we have concessions from the agencies, which again, I don't anticipate.”

Desai said he expects negotiations between CISA and sector specific agencies will still be taking place five years from now.