Brendan Bordelon

James Baker, the top lawyer at the Federal Bureau of Investigation, recommended that Congress take a more active role in legislating on US law enforcement’s limited access to encrypted data tied to a criminal investigation. “We don’t want this debate driven by some kind of catastrophe down the road,” Baker said. Baker, the FBI’s general counsel, appeared at an event to discuss a new encryption report issued by the Center for Strategic and International Studies. “The American people, through their elected representatives, have to make a value determination” regarding encryption, he said. “The world is moving forward, and doing nothing is an action, and will result in a particular state of affairs.” “I’m not sure that a commission is going to be able to come up with a kind of granular solution, [a] highly technical solution, promptly, that we can put in place to deal with this,” Baker said.

Sen Mike Rounds (R-SD), chairman of the recently created Senate Armed Services Subcommittee on Cybersecurity, views cyberspace like any other battleground. “Cyberwar is more than simply stealing emails,” Chairman Rounds said. “Cyberwar is where you’re doing damage that, if it was done using a different weapon — a kinetic weapon, a bomb or a missile — everyone would say, ‘Look, you just damaged our infrastructure. You just messed up the New York Stock Exchange. You just blew up a dam.’”

In Chairman Rounds’ view, there is little difference between a missile attack on key US targets and a cyberattack that accomplishes the same kind of destruction. Chairman Rounds said the cybersecurity panel’s first task will be to help the Defense Department craft guidelines for responding to cyberattacks — particularly those perpetrated by hostile states — that mirror the way the Pentagon responds to bombs and bullets.

Sen Steve Daines (R-MT) introduced bipartisan legislation (S 228) that would exempt small internet service providers from transparency requirements under the Federal Communications Commission’s Open Internet order. The Republican-led FCC has already said it won’t enforce the requirements for small ISPs, and suggested that it would revisit the rules as part of a broader re-examination of the 2015 Open Internet order. But providers want the exemption codified into law. The lack of enforcement could give senators time to work out the bill’s details with Democrats. As of Jan 24, Sen Joe Manchin (D-WV) was the only Democratic co-sponsor. The Senate Commerce Committee is not scheduled to vote on the measure, according to an aide to Sen Daines. S 228, would grant broadband providers with fewer than 250,000 subscribers a five-year exemption from FCC requirements that they provide enhanced technical and fee data to consumers. Smaller ISPs say the cost of collecting that data is onerous and would cut disproportionately into their business. The House passed a similar bill by voice vote earlier in January.

The House passed two bills on unanimous voice votes Jan 10 — one that would waive certain transparency requirements for small internet service providers and one that encourages data efficiency in the federal government. The Small Business Broadband Deployment Act (HR 288), would exempt ISPs with fewer than 250,000 subscribers from transparency requirements that were mandated under the Federal Communications Commission’s controversial Open Internet order. An identical bill passed the House in March before it stalled in the Senate. Both measures were introduced by House Commerce Committee Chairman Greg Walden (R-OR). The Federal Communications Commission had a temporary exemption for ISPs with fewer than 100,000 subscribers, but it expired in December after commissioners failed to agree on an acceptable threshold for the waiver. The requirements won’t take effect until Jan. 17 due to a delay at the Office of Management and Budget. Republican FCC commissioners have promised small providers that the agency won’t enforce the requirements once they take over the FCC on Jan. 20.

The House also passed the Energy Efficient Government Technology Act (HR 306). Sponsored by Rep Anna Eshoo (D-CA), it would require federal data centers to employ energy efficient technologies. That bill also passed the House in March but was not taken up by the Senate. In a statement, Chairman Walden said he hopes the Senate will “expeditiously” act on these bills.

As Republicans prepare to take over the Federal Communications Commission in 2017, don’t expect them to make a quick, clean break with the agency’s 2015 network neutrality rule. Two commission officials said that procedural hurdles and related programs may make scrapping the Open Internet order more complicated than GOP rhetoric suggests. The commission is still required to issue a proposed rule, which typically takes months to craft, and the comment period spans about two months.

Political precedent will weigh in. FCC Commissioner Ajit Pai will likely be acting chairman starting on Jan 20, and he will have to balance any desire to move quickly on Title II with some deference to the administration’s pick for chairman. That nomination could take months to finalize. Perhaps most importantly, the two commission officials separately noted that a rule to roll back net neutrality could face scrutiny in the courts. A federal appeals court upheld the net neutrality rule in June, and the decision relied on evidence of how the broadband market changed over the previous 10 years, making it difficult for Republicans to argue for a rollback now.

The US Supreme Court denied review of a case that leaves intact a Colorado law forcing retailers without a physical presence in the state to turn over customer purchase data to state tax officials. The court’s denial of Direct Marketing Association v. Brohl gives the green light for other states to impose laws mandating the collection of consumer purchase data from online retailers, making it more difficult for customers who buy products online to avoid state sales taxes. It may also presage an examination of a 1992 Supreme Court ruling in Quill v. North Dakota that prohibits states from ordering out-of-state retailers to directly collect sales tax from their customers.

A reconsideration of that decision has already been suggested thanks to a separate 2015 high court ruling in the same case, where the justices unanimously agreed that the Direct Market Association had the standing to sue. In that ruling, Justice Anthony Kennedy also wrote a concurring statement emphasizing that the court should take another look at its 1992 decision. Kennedy noted that the amount of forgone taxes resulting from the decision is now many orders of magnitude greater than in 1992, when Internet commerce was not yet viable. He urged the the court to reconsider the decision at the earliest opportunity.

The Federal Communications Commission’s network neutrality rule is “the worst kind of crony capitalism” and is likely to be weakened or dismantled in the next administration, according to Jeffrey Eisenach, one of President-elect Donald Trump’s top telecommunications advisers. Eisenach also said that one of the two Republicans currently on the commission “will be designated chairman, because that’s the way the world works.”

President-elect Trump will have the opportunity to name a Republican chairman of the FCC in 2017, and Eisenach, who’s head of Trump’s transition team for the agency, is expected to play a key role in determining who the White House places on the commission. Eisenach noted that the net neutrality rule is tangled up in federal court and seems likely to end up on the Supreme Court’s docket. Eisenach also suggested that a new Republican-led FCC would curb its own power, saying 1980s-style deregulation “absolutely” can happen.

Federal Communications Commission Chairman Tom Wheeler has laid out an unexpected roadmap through which the FCC could directly regulate the security of Internet-connected devices. In a letter to Sen Mark Warner (D-VA) dated Dec 2 and released by Sen Warner on Dec 5, Chairman Wheeler proposed an FCC-mandated cybersecurity certification process for “Internet of Things” devices. The proposal would also require consumer cybersecurity labels for IoT devices and associated services.

Chairman Wheeler is set to step down on Jan 20, but the new framework could be used to support legislation enhancing the FCC’s ability to regulate IoT devices. Chairman Wheeler’s letter responded to a set of questions that Sen Warner sent to the FCC four days after an Oct 21 cyberattack directed through IoT devices knocked popular websites offline for several hours. Chairman Wheeler that he shares Sen Warner’s concern “that we cannot rely solely on the market incentives of ISPs to fully address the risk of malevolent cyber activities.”

Confirmation prospects for Democratic Commissioner Jessica Rosenworcel of the Federal Communications Commission, who’s awaiting a Senate vote for a second term, aren’t dead yet, apparently. “I’ve felt for some time we were gonna get that resolved, I still hope that we will,” Senate Commerce Committee Chairman John Thune (R-SD) said. Earlier, he told reporters who were asking about Commissioner Rosenworcel,”It’s a leader decision about when that would come to the floor. …But you know we’re in a whole new world now. We’re going to have a new FCC starting next year.”

The prospect of a Trump Administration complicates pending confirmations, but not necessarily in a bad way for Commissioner Rosenworcel. “Now that we’ve got a new administration, we’ll have a new FCC. They’ll be looking at how and when to proceed with her nomination,” Chairman Thune said. Democratic lawmakers say Commissioner Rosenworcel is owed a confirmation vote based on a promise from Senate Majority Leader Mitch McConnell (R-KY). In December 2014, he promised Senate Democrats that if they voted to confirm Republican FCC Commissioner Michael O’Rielly, the GOP would in turn move quickly to confirm Commissioner Rosenworcel at the beginning of the 114th Congress in 2015. That hasn’t happened.

Don’t expect the Federal Communications Commission to rush into issuing network security rules anytime soon, even in the face of a congressional inquiry seeking the agency’s response to the massive Oct 21 distributed-denial-of-service attack. At issue is whether the FCC’s Open Internet rules restrict internet service providers’ ability to block insecure Internet of Things (IoT) devices from their networks and whether the commission should mandate greater safeguards. But the commissioners generally believe the Open Internet order already gives ISPs sufficient leeway to protect their networks from vulnerable internet-connected devices without additional regulations or standards. And, according to FCC officials, there isn’t much of an appetite to issue any new mandates now.

There are also questions as to whether cybersecurity is even in the commission’s purview. Sen Mark Warner (D-VA) sent a letter to FCC Chairman Tom Wheeler on Oct. 25, several days after a hijacked network of IoT devices took large swaths of the United States internet offline. Sen Warner asked detailed questions about the commission’s role in empowering both ISPs and consumers with the means to prevent similar attacks in the future. The senator suggested that the Open Internet rule — adopted in 2015 during the debate on net neutrality — might actually limit the ability of ISPs to block insecure IoT devices from their networks. That could make it difficult to prevent future attacks stemming from those devices. Chairman Wheeler called Sen Warner’s letter “thoughtful” and promised a response. He also disputed the notion that the rules limit security practices of ISPs. “The Open Internet order allows for reasonable network management, which clearly gives leeway to be able to deal with issues like this,” Wheeler said at the FCC’s open meeting on Oct. 27. There is clear language in the rules for ISPs to deny access to networks or devices that could put their security at risk, according to one FCC official, who added that they were “designed for flexibility, particularly when it comes to network security.” The rules allow broadband providers to implement network management practices for the purpose of “ensuring network security and integrity, including by addressing traffic that is harmful to the network,” according to the Open Internet order.