FCC looks to tackle IoT cybersecurity through 5G regulation

Having abandoned one regulatory approach this year, the FCC is now looking to 5G rules to provide security standards-setting authority for the internet of things.

The Federal Communications Commission’s Bureau of Public Safety and Homeland Security has released a wide-ranging set of questions for industry about the cybersecurity of 5G — the next generation of cellular networks promising to provide connectivity for the coming wave of billions of IoT devices.

The Notice of Inquiry released last week poses 130 questions about 5G cybersecurity — covering a huge variety of topics from encryption, authentication and security-by-design, to the availability of remote software upgrades, defense against DDoS attacks and network awareness.

Comments are due within 90 days of the Dec. 16 publication date and replies to those comments by 120 days after publication.

The notice comes on the heels of an FCC decision earlier this month to drop another, more controversial effort aimed at IoT regulation using different powers. It also follows an agency order in July allocating spectrum for 5G cellular and fixed broadband networks, which required successful licensees to submit network security plans to the commission. That security reporting provision is under protest by telcos and industry.


The agency said in the notice that it was trying to get ahead of security threats as the technology standards that will define 5G are developed — and companies start testing, perhaps as soon as 2018.

“While the Commission is moving quickly to make the spectrum needed for 5G available in the near term, it is also seeking to accelerate the dialogue around the critical importance of the early incorporation of cybersecurity protections in 5G networks, services, and devices,” states the notice.

One of the issues raised: Who should be responsible for cybersecurity? It’s germane because there may well be six or seven different companies involved in manufacturing, programming, assembling, marketing, and connecting an IoT device. And for each different kind of device, there might be different kinds of companies involved.

“Devices and other network elements may be furnished by the service provider, third parties, and consumers themselves. Who should be responsible for cyber protections for a device, or should responsibility be shared in some recognizable manner across the 5G ecosystem?” the notice asks.

A notice of inquiry often is the first step in a regulatory process, but it’s obviously unclear at this stage how the FCC will proceed next year. Although the agency is independent, its chairman is appointed by the president and the current incumbent, Tom Wheeler, has indicated he will step down Jan. 20.


In a letter earlier this month, Wheeler told Congress he was abandoning a plan to use the FCC’s unilateral authority to regulate wireless devices as a lever to set standards for IoT cybersecurity.

In that letter, Wheeler referenced the ongoing work of the Interagency Cybersecurity Forum for Independent and Executive Branch Regulators that he heads — a body where the FCC and other agencies work to coordinate their rule-making activity.

A work plan attached to the letter states that a task force of officials should be created within the forum to “assess the full scope of IoT cyber threats to critical infrastructure, existing regulatory authorities and mitigation recommendations within those authorities, as well as those authorities requiring statutory change.”

And the notice also references the work of other government agencies, saying, “We are not conducting this NOI in a vacuum. We intend this inquiry to complement the important work on cybersecurity that is already taking place within the government and private sector.”

Written by Shaun Waterman
