The Federal Communications Commission (FCC) recently recommended greater cybersecurity oversight for internet service providers, it remains to be seen whether the advice, issued in the final days of President Obama’s administration, will be followed.
The FCC’s report, requested by Congress last fall in response to the distributed-denial-of-service attack on Dyn, Inc, indicated that ISPs have not only the ability to reduce cyber risk associated with their services, but also the responsibility to do so. The FCC emphasized the increased risk to critical infrastructure that rely on Internet connections that could occur without proper risk management on the part of ISPs, as well as cyber risks related to supply chain and mergers and acquisitions.
“ISPs, like all modern businesses, have economic incentives that drive investment decisions. When deciding how much to invest to reduce cyber risk, the cost-benefit analysis of ISPs naturally considers the risks to the firm,” stated the FCC in its report. “Unfortunately, relying on market forces alone fails to adequately weigh the risks imposed on third parties who rely on the networks and services they provision. A cybersecurity gap confronts the public. With the ISPs facing limited competition and low return on cyber investment, this is a gap that the free market is unlikely to fill.”