FEDERAL COMMUNICATIONS COMMISSION
WASHINGTON
OFFICE OF THE CHAIRMAN

June 10, 2016

The Honorable Thomas R. Carper
Ranking Member
Committee on Homeland Security and Governmental Affairs
United States Senate
442 Hart Senate Office Building
Washington, D.C. 20510

Dear Senator Carper:

Thank you for your recent letter inquiring how the Federal Communications Commission (FCC) is addressing cybersecurity issues as part of our current rulemaking efforts to comply with the Communications Act's mandate for consumer choice in television navigation tools.

Protecting the nation's networks is a top priority for the FCC. Commission personnel work around the clock, including in a 24/7 operations center, to safeguard America's telephone, radio, cable, satellite, and Internet connectivity. The Commission takes our security responsibilities very seriously, and we leverage extensive staff expertise to ensure our policy proposals accord with best practices and the best available science. We bring this cybersecurity experience and awareness to all of the rulemakings we undertake to fulfill our responsibilities under the Communications Act, including our current efforts to update our rules implementing section 629 of the Act.

Adopted by Congress in 1996, section 629 requires the Commission to promote competition in the market for devices that consumers use to access their pay-television content.[1] The Notice of Proposed Rulemaking (NPRM) we adopted earlier this year proposes updating our rules implementing section 629 to allow device manufacturers and other innovators to develop devices or software that will give pay-television subscribers new ways to access the content they have purchased.[2] We took this action because consumers have few alternatives to leasing set-top boxes from their pay-television providers. The statutory mandate is not yet fulfilled. This lack of competition has meant few choices and high prices for consumers.

In a recent Rasmussen Reports study, 84 percent of consumers felt their cable bill was too high. Included in every bill is a no-option, add-on fee for set-top box rental. According to a congressional study, consumers spend, on average, $231 in rental fees annually. Even worse for consumers, these rental fees continue to increase.[3] And while MVPD set-top boxes are increasingly connected to the Internet, they have been greatly outpaced in functionality and convenience by online video devices and apps.

The NPRM proposes a careful balance between network security and section 629's mandate that consumers be able to enjoy pay-television content with the equipment of their choice. Cable and satellite providers would be required to support a narrow, defined set of interfaces that would allow competitive devices and apps to access television content. These types of interfaces, usually termed Application Programming Interfaces (APIs), are routinely offered by online services. APIs allow a third party (such as a consumer navigation device provider) to interface with an organization's systems without revealing any internal design, operation, or data about the organization. Third parties that connect to an API are not granted full system access, and are limited to only the features provided by the API. Securing an API is easier than securing internal systems, because an API only has to support specific functionality. Best practices for API security are readily available and widely practiced.[4]

The proposal would bring to television services the same secure modularity that phone and Internet customers have long enjoyed. In the telephone context, for example, a user can purchase and operate a third-party (e.g. Samsung) phone; the phone is not granted full access to telephone carrier (e.g. Verizon) internal systems. Similarly, in the Internet context, a user can purchase and operate a third-party (e.g. Arris) modem; that modem is not granted full access to the Internet Service Provider's (e.g. Comcast) internal systems. All of the major cable and satellite providers, in fact, already support APIs for authenticating user credentials, some of the most sensitive information in the television ecosystem. Services like HBO Go[5] and Showtime Anytime[6] ensure that customers have subscribed by interfacing with cable and satellite account management systems. These APIs have been supported for over 5 years.

Finally, the FCC's set-top box proposal would in no way alter the role of digital rights management (DRM) platforms in the television ecosystem. DRM platforms offer rigorous protection against unauthorized copying and other violations of content owner rights.[7] Under the FCC's proposal, content owners would remain free to select the DRM platforms that they prefer. Developers of competitive set-top boxes and apps would license the DRM technology and satisfy compliance requirements in the very same way that current set-top boxes support DRM, and the same way that competitive devices and apps already support DRM for online video.

[1] 47 U.S.C. § 629.
[2] Expanding Consumers' Video Navigation Choices, 81 Fed. Reg. 14033 (proposed Mar. 16, 2016).
[3] One recent analysis found that the cost of cable set-top boxes has risen 185 percent since 1994 while the prices of computers, televisions, and mobile phones have dropped by 90 percent during that same time period. Consumer Fed'n Am. & Pub. Knowledge, Comment Re: Media Bureau Request for Comment on DSTAC Report, MB Docket No. 15-64 (Jan. 20, 2016).
[4] See, e.g., OWASP Enterprise Security API Project, OPEN WEB APPLICATION SEC'Y PROJECT, https://www.owasp.org/index.php/Project_Information:_OWASP_Enterprise_Security_API_Project (last visited June 2, 2016).
[5] HBO Go, http://play.hbogo.com (last visited June 2, 2016).
[6] SHOWTIME ANYTIME, http://www.showtimeanytime.com (last visited June 2, 2016).
[7] See DOWNLOADABLE SEC. TECH. ADVISORY COMM., DSTAC FINAL REPORT 262-67 (Aug. 28, 2015), https://transition.fcc.gov/dstac/dstac-report-final-08282015.pdf [hereinafter DSTAC FINAL REPORT].

Furthermore, all of the major DRM platforms support revoking authorization for content; if a competitive device or app were ever found to be violating DRM requirements, access to content could be immediately terminated.

Please find below answers to the specific questions in your letter.

1. How did the FCC consider cybersecurity when developing the proposed rulemaking?

The NPRM was prompted in part by a congressional directive within the STELA Reauthorization Act of 2014.[8] Section 106(d) of that legislation required the FCC to assemble a working group of technical experts to evaluate and recommend options for enhancing downloadable security systems designed to promote the competitive availability of navigation devices. The FCC promptly implemented Congress's directive by chartering the Downloadable Security Technology Advisory Committee (DSTAC) on December 5, 2014. The DSTAC's membership consisted of diverse technical experts, drawn from content creators, cable and satellite providers, consumer electronics manufacturers, software vendors, public interest organizations, and academia.[9] The group first convened on February 23, 2015. After weekly conference calls and additional in-person meetings, the committee issued its final 344-page report on August 28, 2015.[10] The FCC also received over 100 comments and other submissions in association with this process.[11] You can find this report and other DSTAC materials at: https://www.fcc.gov/about-fcc/advisory-committees/general/downloadable-security-technology-advisory-committee.
The DSTAC's participants and commenters provided valuable technical guidance to the Commission, with particular emphasis on security and privacy matters. Over 100 pages of the committee's final report expressly address cable and satellite network security, protecting content, or safeguarding consumer data.[12] Many comments and submissions also addressed security issues. In sum, the FCC solicited and benefited from a wealth of security expertise while developing the proposed rulemaking, and we carefully evaluated the input that we received. The Notice of Proposed Rulemaking seeks additional input from stakeholders on the security aspects of the Commission's proposal.[13]

[8] STELA Reauthorization Act of 2014, Pub. L. No. 113-200, § 106(d), 128 Stat. 2059 (2014).
[9] Appointment of Members to the Downloadable Security Technology Advisory Committee, 30 FCC Rcd. 389 (Jan. 27, 2015).
[10] DSTAC FINAL REPORT, supra note 9.
[11] See MB Docket No. 15-64.
[12] See DSTAC FINAL REPORT, supra note 9, at 3-4, 12-16, 24-26, 28-30, 31-37, 47-56, 60-135, 186-192.
[13] Expanding Consumers' Video Navigation Choices, supra note 1, ¶¶ 50-62, 70-80.

2. The FCC requires self-certifications related to a number of issues; how will the FCC enforce this?

The Communications Act and Commission rules guarantee a set of public interest features for current cable and satellite set-top boxes.[14] These features include strong security and privacy protections, Emergency Alert System messaging, closed captioning, parental controls, and limits on advertising to children. If a cable or satellite provider fails to satisfy these requirements, the Commission is able to ensure corrective measures by initiating an enforcement action.[15] The NPRM seeks to ensure that these important and longstanding public interest features continue to be guaranteed in competitive set-top boxes and video apps that access cable and satellite content.

We propose accomplishing this goal through a certification process, in which third-party devices' and apps' interoperability with cable and satellite networks will be conditioned on the devices' and apps' compliance with these public interest features. The purpose of this certification is to ensure a clear set of rules and strong enforcement authority. We are seeking to adopt the best certification process, whether certification to consumers, certification to cable and satellite providers, certification to the Commission, or certification to an independent body to ensure compliance. The Federal Trade Commission, state attorneys general, and private litigants are generally able to pursue businesses that misrepresent their security and privacy practices. We anticipate that we and our partners at the FTC would vigorously protect public interest features in competitive devices and apps, in much the same way that the FCC already protects those same features in cable and satellite devices and apps. The NPRM seeks comment on these certification and enforcement mechanisms.

3. How does the proposed rulemaking ensure that third-party device manufacturers and software developers are meeting an adequate level of software and hardware security, including supply chain risks?

A business that offers a competitive set-top box or video app that accesses cable and satellite content would commit to adopting reasonable security safeguards. If a device manufacturer or software vendor failed to implement adequate precautions, it would risk enforcement action under the Federal Trade Commission Act and similar state statutes. Cable and satellite providers could also revoke interoperability with that set-top box or video app. Under our proposal, a competitive device or app could also be subject to technical auditing for ensuring adequate content protection. The proposal would not alter the current landscape of DRM platforms, some of which require technical validation for a device or app to be compliant.[16] The NPRM seeks comment on whether independent testing should be required for other navigation device security properties.[17] Responsibility for securing the internal networks of cable and satellite providers would remain with those providers. The FCC's proposal would not affect a cable or satellite provider's selection of products, services, integrators, suppliers, service providers, or other considerations for supply chain risk.

[14] Id. ¶ 73.
[15] E.g., Cox Communications, Inc. Order and Consent Decree, 30 FCC Rcd. 12302 (Nov. 5, 2015) (enforcement action against a cable provider that did not adequately secure customer information).

4. Did the FCC consider the NIST Cybersecurity Framework risk management approach in the proposed rulemaking?
a. If yes, please describe how and cite the references in the proposed rulemaking.

Yes. FCC staff sought and received a broad range of security input, as discussed in response to Question #1. The NIST Cybersecurity Framework was one of many resources that Commission expert personnel consulted in the course of developing our proposal. FCC staff also considered recommendations from the Communications Security, Reliability, and Interoperability Council (CSRIC) IV Working Group 4, a technical advisory group charged with reporting NIST Cybersecurity Framework best practices for the communications sector.[18] DSTAC's final report cites NIST security guidance and technical standards.[19] The Commission has sought comment on both the DSTAC report and the set-top box proposal, and stakeholders have referenced the NIST Cybersecurity Framework.

5. Does the proposed rulemaking address economic harm to content creators or businesses that may be impacted from the potential for cyberattacks or potential harm to infrastructure?

In light of our comprehensive approach to security issues, our proposal does not increase the risk of economic harm to content creators or businesses as a result of cyberattacks. As addressed above and consistent with our duty under section 629(b) to protect system security, our proposal protects both the integrity of television delivery systems and the rights of content owners. Content creators will have the very same legal remedies available to them today to pursue individuals who pirate content[20] or circumvent copy protections.[21] Similarly, our proposal would not affect the legal remedies available to cable and satellite providers to pursue hackers.[22]

[16] Expanding Consumers' Video Navigation Choices, supra note 1, ¶ 71.
[17] Id. ¶¶ 72, 74.
[18] COMMC'NS SEC., RELIABILITY & INTEROPERABILITY COUNCIL IV, CYBERSECURITY RISK MANAGEMENT AND BEST PRACTICES (Mar. 18, 2015), https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG4_Final_Report_031815.pdf.
[19] DSTAC FINAL REPORT, supra note 9, at 100, 186-92.
[20] E.g., 47 U.S.C. §§ 501-506 (civil cause of action and criminal penalties for copyright infringement).
[21] E.g., 17 U.S.C. § 1201 (civil cause of action and criminal penalties for circumventing content protections).
[22] E.g., 18 U.S.C. § 1030 (civil cause of action and criminal penalties for computer trespass).

Thank you for your engagement on this important issue. As we develop a record and explore fulfilling our statutory mandate, I look forward to continuing to work with you on this important consumer issue.

Tom Wheeler


FEDERAL COMMUNICATIONS COMMISSION
WASHINGTON
OFFICE OF THE CHAIRMAN

June 10, 2016

The Honorable Ron Johnson
Chairman
Committee on Homeland Security and Governmental Affairs
United States Senate
340 Dirksen Senate Office Building
Washington, D.C. 20510

Dear Chairman Johnson:

Thank you for your recent letter inquiring how the Federal Communications Commission (FCC) is addressing cybersecurity issues as part of our current rulemaking efforts to comply with the Communications Act's mandate for consumer choice in television navigation tools.

Protecting the nation's networks is a top priority for the FCC. Commission personnel work around the clock, including in a 24/7 operations center, to safeguard America's telephone, radio, cable, satellite, and Internet connectivity. The Commission takes our security responsibilities very seriously, and we leverage extensive staff expertise to ensure our policy proposals accord with best practices and the best available science. We bring this cybersecurity experience and awareness to all of the rulemakings we undertake to fulfill our responsibilities under the Communications Act, including our current efforts to update our rules implementing section 629 of the Act.

Adopted by Congress in 1996, section 629 requires the Commission to promote competition in the market for devices that consumers use to access their pay-television content.[1] The Notice of Proposed Rulemaking (NPRM) we adopted earlier this year proposes updating our rules implementing section 629 to allow device manufacturers and other innovators to develop devices or software that will give pay-television subscribers new ways to access the content they have purchased.[2] We took this action because consumers have few alternatives to leasing set-top boxes from their pay-television providers. The statutory mandate is not yet fulfilled. This lack of competition has meant few choices and high prices for consumers.

In a recent Rasmussen Reports study, 84 percent of consumers felt their cable bill was too high. Included in every bill is a no-option, add-on fee for set-top box rental. According to a congressional study, consumers spend, on average, $231 in rental fees annually.
Even worse for consumers, these rental fees continue to increase.[3] And while MVPD set-top boxes are increasingly connected to the Internet, they have been greatly outpaced in functionality and convenience by online video devices and apps.

The NPRM proposes a careful balance between network security and section 629's mandate that consumers be able to enjoy pay-television content with the equipment of their choice. Cable and satellite providers would be required to support a narrow, defined set of interfaces that would allow competitive devices and apps to access television content. These types of interfaces, usually termed Application Programming Interfaces (APIs), are routinely offered by online services. APIs allow a third party (such as a consumer navigation device provider) to interface with an organization's systems without revealing any internal design, operation, or data about the organization. Third parties that connect to an API are not granted full system access, and are limited to only the features provided by the API. Securing an API is easier than securing internal systems, because an API only has to support specific functionality. Best practices for API security are readily available and widely practiced.[4]

The proposal would bring to television services the same secure modularity that phone and Internet customers have long enjoyed. In the telephone context, for example, a user can purchase and operate a third-party (e.g. Samsung) phone; the phone is not granted full access to telephone carrier (e.g. Verizon) internal systems. Similarly, in the Internet context, a user can purchase and operate a third-party (e.g. Arris) modem; that modem is not granted full access to the Internet Service Provider's (e.g. Comcast) internal systems. All of the major cable and satellite providers, in fact, already support APIs for authenticating user credentials, some of the most sensitive information in the television ecosystem. Services like HBO Go[5] and Showtime Anytime[6] ensure that customers have subscribed by interfacing with cable and satellite account management systems. These APIs have been supported for over 5 years.

Finally, the FCC's set-top box proposal would in no way alter the role of digital rights management (DRM) platforms in the television ecosystem. DRM platforms offer rigorous protection against unauthorized copying and other violations of content owner rights.[7] Under the FCC's proposal, content owners would remain free to select the DRM platforms that they prefer. Developers of competitive set-top boxes and apps would license the DRM technology and satisfy compliance requirements in the very same way that current set-top boxes support DRM, and the same way that competitive devices and apps already support DRM for online video.

[1] 47 U.S.C. § 629.
[2] Expanding Consumers' Video Navigation Choices, 81 Fed. Reg. 14033 (proposed Mar. 16, 2016).
[3] One recent analysis found that the cost of cable set-top boxes has risen 185 percent since 1994 while the prices of computers, televisions, and mobile phones have dropped by 90 percent during that same time period. Consumer Fed'n Am. & Pub. Knowledge, Comment Re: Media Bureau Request for Comment on DSTAC Report, MB Docket No. 15-64 (Jan. 20, 2016).
[4] See, e.g., OWASP Enterprise Security API Project, OPEN WEB APPLICATION SEC'Y PROJECT, https://www.owasp.org/index.php/Project_Information:_OWASP_Enterprise_Security_API_Project (last visited June 2, 2016).
[5] HBO Go, http://play.hbogo.com (last visited June 2, 2016).
[6] SHOWTIME ANYTIME, http://www.showtimeanytime.com (last visited June 2, 2016).
[7] See DOWNLOADABLE SEC. TECH. ADVISORY COMM., DSTAC FINAL REPORT 262-67 (Aug. 28, 2015), https://transition.fcc.gov/dstac/dstac-report-final-08282015.pdf [hereinafter DSTAC FINAL REPORT].

Furthermore, all of the major DRM platforms support revoking authorization for content; if a competitive device or app were ever found to be violating DRM requirements, access to content could be immediately terminated.

Please find below answers to the specific questions in your letter.

1. How did the FCC consider cybersecurity when developing the proposed rulemaking?

The NPRM was prompted in part by a congressional directive within the STELA Reauthorization Act of 2014.[8] Section 106(d) of that legislation required the FCC to assemble a working group of technical experts to evaluate and recommend options for enhancing downloadable security systems designed to promote the competitive availability of navigation devices. The FCC promptly implemented Congress's directive by chartering the Downloadable Security Technology Advisory Committee (DSTAC) on December 5, 2014. The DSTAC's membership consisted of diverse technical experts, drawn from content creators, cable and satellite providers, consumer electronics manufacturers, software vendors, public interest organizations, and academia.[9] The group first convened on February 23, 2015. After weekly conference calls and additional in-person meetings, the committee issued its final 344-page report on August 28, 2015.[10] The FCC also received over 100 comments and other submissions in association with this process.[11] You can find this report and other DSTAC materials at: https://www.fcc.gov/about-fcc/advisory-committees/general/downloadable-security-technology-advisory-committee.

The DSTAC's participants and commenters provided valuable technical guidance to the Commission, with particular emphasis on security and privacy matters. Over 100 pages of the committee's final report expressly address cable and satellite network security, protecting content, or safeguarding consumer data.[12] Many comments and submissions also addressed security issues.
In sum, the FCC solicited and benefited from a wealth of security expertise while developing the proposed rulemaking, and we carefully evaluated the input that we received. The Notice of Proposed Rulemaking seeks additional input from stakeholders on the security aspects of the Commission's proposal.[13]

[8] STELA Reauthorization Act of 2014, Pub. L. No. 113-200, § 106(d), 128 Stat. 2059 (2014).
[9] Appointment of Members to the Downloadable Security Technology Advisory Committee, 30 FCC Rcd. 389 (Jan. 27, 2015).
[10] DSTAC FINAL REPORT, supra note 9.
[11] See MB Docket No. 15-64.
[12] See DSTAC FINAL REPORT, supra note 9, at 3-4, 12-16, 24-26, 28-30, 31-37, 47-56, 60-135, 186-192.
[13] Expanding Consumers' Video Navigation Choices, supra note 1, ¶¶ 50-62, 70-80.

2. The FCC requires self-certifications related to a number of issues; how will the FCC enforce this?

The Communications Act and Commission rules guarantee a set of public interest features for current cable and satellite set-top boxes.[14] These features include strong security and privacy protections, Emergency Alert System messaging, closed captioning, parental controls, and limits on advertising to children. If a cable or satellite provider fails to satisfy these requirements, the Commission is able to ensure corrective measures by initiating an enforcement action.[15] The NPRM seeks to ensure that these important and longstanding public interest features continue to be guaranteed in competitive set-top boxes and video apps that access cable and satellite content.

We propose accomplishing this goal through a certification process, in which third-party devices' and apps' interoperability with cable and satellite networks will be conditioned on the devices' and apps' compliance with these public interest features. The purpose of this certification is to ensure a clear set of rules and strong enforcement authority. We are seeking to adopt the best certification process, whether certification to consumers, certification to cable and satellite providers, certification to the Commission, or certification to an independent body to ensure compliance. The Federal Trade Commission, state attorneys general, and private litigants are generally able to pursue businesses that misrepresent their security and privacy practices. We anticipate that we and our partners at the FTC would vigorously protect public interest features in competitive devices and apps, in much the same way that the FCC already protects those same features in cable and satellite devices and apps. The NPRM seeks comment on these certification and enforcement mechanisms.

3. How does the proposed rulemaking ensure that third-party device manufacturers and software developers are meeting an adequate level of software and hardware security, including supply chain risks?

A business that offers a competitive set-top box or video app that accesses cable and satellite content would commit to adopting reasonable security safeguards. If a device manufacturer or software vendor failed to implement adequate precautions, it would risk enforcement action under the Federal Trade Commission Act and similar state statutes. Cable and satellite providers could also revoke interoperability with that set-top box or video app. Under our proposal, a competitive device or app could also be subject to technical auditing for ensuring adequate content protection. The proposal would not alter the current landscape of DRM platforms, some of which require technical validation for a device or app to be compliant.[16] The NPRM seeks comment on whether independent testing should be required for other navigation device security properties.[17] Responsibility for securing the internal networks of cable and satellite providers would remain with those providers. The FCC's proposal would not affect a cable or satellite provider's selection of products, services, integrators, suppliers, service providers, or other considerations for supply chain risk.

[14] Id. ¶ 73.
[15] E.g., Cox Communications, Inc. Order and Consent Decree, 30 FCC Rcd. 12302 (Nov. 5, 2015) (enforcement action against a cable provider that did not adequately secure customer information).

4. Did the FCC consider the NIST Cybersecurity Framework risk management approach in the proposed rulemaking?
a. If yes, please describe how and cite the references in the proposed rulemaking.

Yes. FCC staff sought and received a broad range of security input, as discussed in response to Question #1. The NIST Cybersecurity Framework was one of many resources that Commission expert personnel consulted in the course of developing our proposal. FCC staff also considered recommendations from the Communications Security, Reliability, and Interoperability Council (CSRIC) IV Working Group 4, a technical advisory group charged with reporting NIST Cybersecurity Framework best practices for the communications sector.[18] DSTAC's final report cites NIST security guidance and technical standards.[19] The Commission has sought comment on both the DSTAC report and the set-top box proposal, and stakeholders have referenced the NIST Cybersecurity Framework.

5. Does the proposed rulemaking address economic harm to content creators or businesses that may be impacted from the potential for cyberattacks or potential harm to infrastructure?

In light of our comprehensive approach to security issues, our proposal does not increase the risk of economic harm to content creators or businesses as a result of cyberattacks. As addressed above and consistent with our duty under section 629(b) to protect system security, our proposal protects both the integrity of television delivery systems and the rights of content owners. Content creators will have the very same legal remedies available to them today to pursue individuals who pirate content[20] or circumvent copy protections.[21] Similarly, our proposal would not affect the legal remedies available to cable and satellite providers to pursue hackers.[22]

[16] Expanding Consumers' Video Navigation Choices, supra note 1, ¶ 71.
[17] Id. ¶¶ 72, 74.
[18] COMMC'NS SEC., RELIABILITY & INTEROPERABILITY COUNCIL IV, CYBERSECURITY RISK MANAGEMENT AND BEST PRACTICES (Mar. 18, 2015), https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG4_Final_Report_031815.pdf.
[19] DSTAC FINAL REPORT, supra note 9, at 100, 186-92.
[20] E.g., 47 U.S.C. §§ 501-506 (civil cause of action and criminal penalties for copyright infringement).
[21] E.g., 17 U.S.C. § 1201 (civil cause of action and criminal penalties for circumventing content protections).
[22] E.g., 18 U.S.C. § 1030 (civil cause of action and criminal penalties for computer trespass).

Thank you for your engagement on this important issue. As we develop a record and explore fulfilling our statutory mandate, I look forward to continuing to work with you on this important consumer issue.

Tom Wheeler


FEDERAL COMMUNICATIONS COMMISSION
WASHINGTON
OFFICE OF THE CHAIRMAN

June 10, 2016

The Honorable Michael McCaul
Chairman
Committee on Homeland Security
U.S. House of Representatives
H2-176 Ford House Office Building
Washington, D.C. 20515

Dear Chairman McCaul:

Thank you for your recent letter inquiring how the Federal Communications Commission (FCC) is addressing cybersecurity issues as part of our current rulemaking efforts to comply with the Communications Act's mandate for consumer choice in television navigation tools.

Protecting the nation's networks is a top priority for the FCC. Commission personnel work around the clock, including in a 24/7 operations center, to safeguard America's telephone, radio, cable, satellite, and Internet connectivity.
The Commission takes our security responsibilities very seriously, and we leverage extensive staff expertise to ensure our policy proposals accord with best practices and the best available science. We bring this cybersecurity experience and awareness to all of the rulemakings we undertake to fulfill our responsibilities under the Communications Act, including our current efforts to update our rules implementing section 629 of the Act.

Adopted by Congress in 1996, section 629 requires the Commission to promote competition in the market for devices that consumers use to access their pay-television content.[1] The Notice of Proposed Rulemaking (NPRM) we adopted earlier this year proposes updating our rules implementing section 629 to allow device manufacturers and other innovators to develop devices or software that will give pay-television subscribers new ways to access the content they have purchased.[2] We took this action because consumers have few alternatives to leasing set-top boxes from their pay-television providers. The statutory mandate is not yet fulfilled. This lack of competition has meant few choices and high prices for consumers.

In a recent Rasmussen Reports study, 84 percent of consumers felt their cable bill was too high. Included in every bill is a no-option, add-on fee for set-top box rental. According to a congressional study, consumers spend, on average, $231 in rental fees annually. Even worse for consumers, these rental fees continue to increase.[3] And while MVPD set-top boxes are increasingly connected to the Internet, they have been greatly outpaced in functionality and convenience by online video devices and apps.

The NPRM proposes a careful balance between network security and section 629's mandate that consumers be able to enjoy pay-television content with the equipment of their choice. Cable and satellite providers would be required to support a narrow, defined set of interfaces that would allow competitive devices and apps to access television content. These types of interfaces, usually termed Application Programming Interfaces (APIs), are routinely offered by online services. APIs allow a third party (such as a consumer navigation device provider) to interface with an organization's systems without revealing any internal design, operation, or data about the organization. Third parties that connect to an API are not granted full system access, and are limited to only the features provided by the API. Securing an API is easier than securing internal systems, because an API only has to support specific functionality. Best practices for API security are readily available and widely practiced.[4]

The proposal would bring to television services the same secure modularity that phone and Internet customers have long enjoyed. In the telephone context, for example, a user can purchase and operate a third-party (e.g. Samsung) phone; the phone is not granted full access to telephone carrier (e.g. Verizon) internal systems. Similarly, in the Internet context, a user can purchase and operate a third-party (e.g. Arris) modem; that modem is not granted full access to the Internet Service Provider's (e.g. Comcast) internal systems. All of the major cable and satellite providers, in fact, already support APIs for authenticating user credentials, some of the most sensitive information in the television ecosystem. Services like HBO Go[5] and Showtime Anytime[6] ensure that customers have subscribed by interfacing with cable and satellite account management systems. These APIs have been supported for over 5 years.

Finally, the FCC's set-top box proposal would in no way alter the role of digital rights management (DRM) platforms in the television ecosystem. DRM platforms offer rigorous protection against unauthorized copying and other violations of content owner rights.[7] Under the FCC's proposal, content owners would remain free to select the DRM platforms that they prefer. Developers of competitive set-top boxes and apps would license the DRM technology and satisfy compliance requirements in the very same way that current set-top boxes support DRM, and the same way that competitive devices and apps already support DRM for online video.

[1] 47 U.S.C. § 629.
[2] Expanding Consumers' Video Navigation Choices, 81 Fed. Reg. 14033 (proposed Mar. 16, 2016).
[3] One recent analysis found that the cost of cable set-top boxes has risen 185 percent since 1994 while the prices of computers, televisions, and mobile phones have dropped by 90 percent during that same time period. Consumer Fed'n Am. & Pub. Knowledge, Comment Re: Media Bureau Request for Comment on DSTAC Report, MB Docket No. 15-64 (Jan. 20, 2016).
[4] See, e.g., OWASP Enterprise Security API Project, OPEN WEB APPLICATION SEC'Y PROJECT, https://www.owasp.org/index.php/Project_Information:_OWASP_Enterprise_Security_API_Project (last visited June 2, 2016).
[5] HBO Go, http://play.hbogo.com (last visited June 2, 2016).
[6] SHOWTIME ANYTIME, http://www.showtimeanytime.com (last visited June 2, 2016).
[7] See DOWNLOADABLE SEC. TECH. ADVISORY COMM., DSTAC FINAL REPORT 262-67 (Aug. 28, 2015), https://transition.fcc.gov/dstac/dstac-report-final-08282015.pdf [hereinafter DSTAC FINAL REPORT].

Furthermore, all of the major DRM platforms support revoking authorization for content; if a competitive device or app were ever found to be violating DRM requirements, access to content could be immediately terminated.

Please find below answers to the specific questions in your letter.

1. How did the FCC consider cybersecurity when developing the proposed rulemaking?
The NPRM was prompted in part by a congressional directive within the STELA Reauthorization Act of2014.8 Section 106(d) of that legislation required FCC to assemble a working group of technical experts to evaluate and recommend options for enhancing downloadable security systems designed to promote the competitive availability of navigation devices. The FCC promptly implemented Congress's directive by chartering the Downloadable Security Technology Advisory Committee (DSTAC) on December 5, 2014. This DSTAC's membership consisted of diverse technical experts, drawn from content creators, cable and satellite providers, consumer electronics manufacturers, software vendors, public interest organizations, and academia. 9 The group first convened on February 23 , 2015. After weekly conference calls and additional in-person meetings, the committee issued its final 344- page report on August 28, 2015. 10 The FCC also received over 100 comments and other submissions in association with this process. 11 You can find this report and other DSTAC materials at: https :/ /www. fcc. gov I about-fcc/ advisory -committees/ general/ downloadable-security­ technology-advisory-committee. The DSTAC's participants and commenters provided valuable technical guidance to the Commission, with particular emphasis on security and privacy matters. Over 100 pages of the committee's final report expressly address cable and satellite network security, protecting content, or safeguarding consumer data. 12 Many comments and submissions also addressed security issues. In sum, the FCC solicited and benefited from a wealth of security expertise while developing the proposed rulemaking, and we carefully evaluated the input that we received. The Notice of Proposed Rulemaking seeks additional input from stakeholders on the security aspects of the Commission's proposal. 13 8 STELA Reauthorization Act of2014, Pub. L. No. 113-200, § 106(d), 128 Stat. 
2059 (2014) 9 Appointment of Members to the Downloadable Security Technology Advisory Committee, 30 FCC Red. 389 (Jan. 27, 2015). 10 DSTAC FrNAL REPORT, supra note 9. 11 See MB Docket No. 15-64. 12 See DSTAC FINAL REPORT, supra note 9, at 3-4, 12-16, 24-26, 28-30, 31-37, 47-56, 60-135, 186-192. 13 Expanding Consumers' Video Navigation Choices, supra note 1, ~~ 50-62, 70-80. Page 4-The Honorable Michael McCaul 2. The FCC requires self-certifications related to a number of issues, how will the FCC enforce this? The Communications Act and Commission rules guarantee a set of public interest features for current cable and satellite set-top boxes. 14 These features include strong security and privacy protections, Emergency Alert System messaging, closed captioning, parental controls, and limits on advertising to children. If a cable or satellite provider fails to satisfy these requirements, the Commission is able to ensure corrective measures by initiating an enforcement action. 15 The NPRM seeks to ensure that these important and longstanding public interest features continue to be guaranteed in competitive set-top boxes and video apps that access cable and satellite content. We propose accomplishing this goal through a certification process, in which third-party devices' and apps' interoperability with cable and satellite networks will be conditioned on the devices' and apps' compliance with these public interest features. The purpose of this certification is to ensure a clear set of rules and strong enforcement authority. We are seeking to adopt the best certification process, whether certification to consumers, certification to cable and satellite providers, certification to the Commission, or certification to an independent body to ensure compliance. The Federal Trade Commission, state attorneys general, and private litigants are generally able to pursue businesses that misrepresent their security and privacy practices. 
We anticipate that we and our partners at FTC would vigorously protect public interest features in competitive devices and apps, in much the same way that FCC already protects those same features in cable and satellite devices and apps. The NPRM seeks comment on these certification and enforcement mechanisms. 3. How does the proposed rulemaking ensure that third-party device manufacturers and software developers are meeting an adequate level of software and hardware security, including supply chain risks? A business that offers a competitive set-top box or video app that accesses cable and satellite content would commit to adopting reasonable security safeguards. If a device manufacturer or software vendor failed to implement adequate precautions, it would risk enforcement action under the Federal Trade Commission Act and similar state statutes. Cable and satellite providers could also revoke interoperability with that set-top box or video app. Under our proposal, a competitive device or app could also be subject to technical auditing for ensuring adequate content protection. The proposal would not alter the current landscape of DRM platforms, some of which require technical validation for a device or app to be 14 !d. , 73 . 15 E.g., Cox Communications, lnc. Order and Consent Decree, 30 FCC Red. 12302 (Nov. 5, 2015) (enforcement action against an cable provider that did not adequately secure customer information). Page 5-The Honorable Michael McCaul compliant. 16 The NPRM seeks comment on whether independent testing should be required for other navigation device security properties. 17 Responsibility for securing the internal networks of cable and satellite providers would remain with those providers. The FCC's proposal would not affect a cable or satellite provider's selection of products, services, integrators, suppliers, service providers, or other considerations for supply chain risk. 4. 
Did the FCC consider the NIST Cybersecurity Framework risk management approach in the proposed rule-making? a. If yes, please describe how and cite the references in the proposed rule making. Yes. FCC staff sought and received a broad range of security input, as discussed in response to Question #1. The NIST Cybersecurity Framework was one of many resources that Commission expert personnel consulted in the course of developing our proposal. FCC staff also considered recommendations from the Communications Security, Reliability, and Interoperability Council (CISRIC) IV Working Group 4, a technical advisory group charged with reporting NIST Cybersecurity Framework best practices for the communications sector. 18 DSTAC's final report cites NIST security guidance and technical standards. 19 The Commission has sought comment on both the DSTAC report and the set-top box proposal, and stakeholders have referenced the NIST Cybersecurity Framework. 5. Does the proposed rulemaking address economic harm to content creators or businesses that may be impactedfrom the potentia/for cyberattacks or potential harm to infrastructure? In light of our comprehensive approach to security issues, our proposal does not increase the risk of economic harm to content creators or businesses as a result of cyberattacks. As addressed above and consistent with our duty under section 629(b) to protect system security, our proposal protects both the integrity of television delivery systems and the rights of content owners. Content creators will have the very same legal remedies available to them today to pursue individuals who pirate content20 or circumvent copy protections.21 Similarly, our proposal would not affect the legal remedies available to cable and satellite providers to pursue hackers.22 16 Expanding Consumers' Video Navigation Choices, supra note 1, ~ 71. 17 /d. ~~ 72, 74. 
18 COMMC'NS SEC., RELIABILITY & lNTEROPERABILITY COUNCIL IV, CYBERSECURITY RISK MANAGEMENT AND BEST PRACTICES (Mar. 18, 20 15), https://transition.fcc.gov/pshs/advisory/csric4/CSR1C_IV _ WG4_Finai_Report_031815 .pdf. 19 DSTAC FINAL REPORT, supra note 9, at 100, 186-92. 20 E.g., 47 U.S.C. §§ 501-506 (civil cause of action and criminal penalties for copyright infringement). 21 E.g., 17 U.S.C. § 1201 (civil cause of action and criminal penalties for circumventing content protections). 22 E.g., 18 U .S.C. § I 030 (civil cause of action and criminal penalties for computer trespass) . Page 6-The Honorable Michael McCaul Thank you for your engagement on this important issue. As we develop a record and explore fulfilling our statutory mandate, I look forward to continuing to work with you on this important consumer issue. Sincerely/ j j J?;:UJ!~I~ Tom Wheeler FEDERAL COMMUNICATIONS COMMISSION WASHINGTON OFFICE OF THE CHAIRMAN The Honorable Bennie Thompson Ranking Member Committee on Homeland Security U.S. House ofRepresentatives H2-117 Ford House Office Building Washington, D.C. 20515 Dear Congressman Thompson: June 10, 2016 Thank you for your recent letter inquiring how the Federal Communications Commission (FCC) is addressing cybersecurity issues as part of our current rulemaking efforts to comply with the Communications Act's mandate for consumer choice in television navigation tools. Protecting the nation's networks is a top priority for the FCC. Commission personnel work around the clock-including in a 24/7 operations center-to safeguard America's telephone, radio, cable, satellite, and Internet connectivity. The Commission takes our security responsibilities very seriously, and we leverage extensive staff expertise to ensure our policy proposals accord with best practices and the best available science. 
We bring this cybersecurity experience and awareness to all of the rulemakings we undertake to fulfill our responsibilities under the Communications Act, including our current efforts to update our rules implementing section 629 of the Act.

Adopted by Congress in 1996, section 629 requires the Commission to promote competition in the market for devices that consumers use to access their pay-television content.[1] The Notice of Proposed Rulemaking (NPRM) we adopted earlier this year proposes updating our rules implementing section 629 to allow device manufacturers and other innovators to develop devices or software that will give pay-television subscribers new ways to access the content they have purchased.[2] We took this action because consumers have few alternatives to leasing set-top boxes from their pay-television providers. The statutory mandate is not yet filled. This lack of competition has meant few choices and high prices for consumers. In a recent Rasmussen Reports study, 84 percent of consumers felt their cable bill was too high. Included in every bill is a no-option, add-on fee for set top box rental. According to a congressional study, consumers spend, on average, $231 in rental fees annually. Even worse for consumers, these rental fees continue to increase.[3] And while MVPD set-top boxes are increasingly connected to the Internet, they have been greatly outpaced in functionality and convenience by online video devices and apps.

The NPRM proposes a careful balance between network security and section 629's mandate that consumers be able to enjoy pay-television content with the equipment of their choice. Cable and satellite providers would be required to support a narrow, defined set of interfaces that would allow competitive devices and apps to access television content. These types of interfaces, usually termed Application Programming Interfaces (APIs), are routinely offered by online services. APIs allow a third party (such as a consumer navigation device provider) to interface with an organization's systems, without revealing any internal design, operation, or data about the organization. Third parties that connect to an API are not granted full system access, and are limited to only the features provided by the API. Securing an API is easier than securing internal systems, because an API only has to support specific functionality. Best practices for API security are readily available and widely practiced.[4]

The proposal would bring to television services the same secure modularity that phone and Internet customers have long enjoyed. In the telephone context, for example, a user can purchase and operate a third-party (e.g. Samsung) phone; the phone is not granted full access to telephone carrier (e.g. Verizon) internal systems. Similarly, in the Internet context, a user can purchase and operate a third-party (e.g. Arris) modem; that modem is not granted full access to the Internet Service Provider's (e.g. Comcast) internal systems. All of the major cable and satellite providers, in fact, already support APIs for authenticating user credentials - some of the most sensitive information in the television ecosystem. Services like HBO Go[5] and Showtime Anytime[6] ensure that customers have subscribed by interfacing with cable and satellite account management systems. These APIs have been supported for over 5 years.

Finally, the FCC's set-top box proposal would in no way alter the role of digital rights management (DRM) platforms in the television ecosystem. DRM platforms offer rigorous protection against unauthorized copying and other violations of content owner rights.[7] Under the FCC's proposal, content owners would remain free to select the DRM platforms that they prefer. Developers of competitive set-top boxes and apps would license the DRM technology and satisfy compliance requirements - in the very same way that current set-top boxes support DRM, and the same way that competitive devices and apps already support DRM for online video. Furthermore, all of the major DRM platforms support revoking authorization for content; if a competitive device or app were ever found to be violating DRM requirements, access to content could be immediately terminated.

Please find below answers to the specific questions in your letter.

1. How did the FCC consider cybersecurity when developing the proposed rulemaking?

The NPRM was prompted in part by a congressional directive within the STELA Reauthorization Act of 2014.[8] Section 106(d) of that legislation required FCC to assemble a working group of technical experts to evaluate and recommend options for enhancing downloadable security systems designed to promote the competitive availability of navigation devices. The FCC promptly implemented Congress's directive by chartering the Downloadable Security Technology Advisory Committee (DSTAC) on December 5, 2014. The DSTAC's membership consisted of diverse technical experts, drawn from content creators, cable and satellite providers, consumer electronics manufacturers, software vendors, public interest organizations, and academia.[9] The group first convened on February 23, 2015. After weekly conference calls and additional in-person meetings, the committee issued its final 344-page report on August 28, 2015.[10] The FCC also received over 100 comments and other submissions in association with this process.[11] You can find this report and other DSTAC materials at: https://www.fcc.gov/about-fcc/advisory-committees/general/downloadable-security-technology-advisory-committee.

The DSTAC's participants and commenters provided valuable technical guidance to the Commission, with particular emphasis on security and privacy matters. Over 100 pages of the committee's final report expressly address cable and satellite network security, protecting content, or safeguarding consumer data.[12] Many comments and submissions also addressed security issues. In sum, the FCC solicited and benefited from a wealth of security expertise while developing the proposed rulemaking, and we carefully evaluated the input that we received. The Notice of Proposed Rulemaking seeks additional input from stakeholders on the security aspects of the Commission's proposal.[13]

2. The FCC requires self-certifications related to a number of issues; how will the FCC enforce this?

The Communications Act and Commission rules guarantee a set of public interest features for current cable and satellite set-top boxes.[14] These features include strong security and privacy protections, Emergency Alert System messaging, closed captioning, parental controls, and limits on advertising to children. If a cable or satellite provider fails to satisfy these requirements, the Commission is able to ensure corrective measures by initiating an enforcement action.[15]

The NPRM seeks to ensure that these important and longstanding public interest features continue to be guaranteed in competitive set-top boxes and video apps that access cable and satellite content. We propose accomplishing this goal through a certification process, in which third-party devices' and apps' interoperability with cable and satellite networks will be conditioned on the devices' and apps' compliance with these public interest features. The purpose of this certification is to ensure a clear set of rules and strong enforcement authority. We are seeking to adopt the best certification process, whether certification to consumers, certification to cable and satellite providers, certification to the Commission, or certification to an independent body to ensure compliance.

The Federal Trade Commission, state attorneys general, and private litigants are generally able to pursue businesses that misrepresent their security and privacy practices. We anticipate that we and our partners at FTC would vigorously protect public interest features in competitive devices and apps, in much the same way that FCC already protects those same features in cable and satellite devices and apps. The NPRM seeks comment on these certification and enforcement mechanisms.

3. How does the proposed rulemaking ensure that third-party device manufacturers and software developers are meeting an adequate level of software and hardware security, including supply chain risks?

A business that offers a competitive set-top box or video app that accesses cable and satellite content would commit to adopting reasonable security safeguards. If a device manufacturer or software vendor failed to implement adequate precautions, it would risk enforcement action under the Federal Trade Commission Act and similar state statutes. Cable and satellite providers could also revoke interoperability with that set-top box or video app.

Under our proposal, a competitive device or app could also be subject to technical auditing for ensuring adequate content protection. The proposal would not alter the current landscape of DRM platforms, some of which require technical validation for a device or app to be compliant.[16] The NPRM seeks comment on whether independent testing should be required for other navigation device security properties.[17]

Responsibility for securing the internal networks of cable and satellite providers would remain with those providers. The FCC's proposal would not affect a cable or satellite provider's selection of products, services, integrators, suppliers, service providers, or other considerations for supply chain risk.

4. Did the FCC consider the NIST Cybersecurity Framework risk management approach in the proposed rule-making?
   a. If yes, please describe how and cite the references in the proposed rule making.

Yes. FCC staff sought and received a broad range of security input, as discussed in response to Question #1. The NIST Cybersecurity Framework was one of many resources that Commission expert personnel consulted in the course of developing our proposal. FCC staff also considered recommendations from the Communications Security, Reliability, and Interoperability Council (CSRIC) IV Working Group 4, a technical advisory group charged with reporting NIST Cybersecurity Framework best practices for the communications sector.[18] DSTAC's final report cites NIST security guidance and technical standards.[19] The Commission has sought comment on both the DSTAC report and the set-top box proposal, and stakeholders have referenced the NIST Cybersecurity Framework.

5. Does the proposed rulemaking address economic harm to content creators or businesses that may be impacted from the potential for cyberattacks or potential harm to infrastructure?

In light of our comprehensive approach to security issues, our proposal does not increase the risk of economic harm to content creators or businesses as a result of cyberattacks. As addressed above and consistent with our duty under section 629(b) to protect system security, our proposal protects both the integrity of television delivery systems and the rights of content owners. Content creators will have the very same legal remedies available to them today to pursue individuals who pirate content[20] or circumvent copy protections.[21] Similarly, our proposal would not affect the legal remedies available to cable and satellite providers to pursue hackers.[22]

Thank you for your engagement on this important issue. As we develop a record and explore fulfilling our statutory mandate, I look forward to continuing to work with you on this important consumer issue.

Tom Wheeler

Notes
[1] 47 U.S.C. § 629.
[2] Expanding Consumers' Video Navigation Choices, 81 Fed. Reg. 14033 (proposed Mar. 16, 2016).
[3] One recent analysis found that the cost of cable set-top boxes has risen 185 percent since 1994 while the prices of computers, televisions, and mobile phones have dropped by 90 percent during that same time period. Consumer Fed'n Am. & Pub. Knowledge, Comment Re: Media Bureau Request for Comment on DSTAC Report, MB Docket No. 15-64 (Jan. 20, 2016).
[4] See, e.g., OWASP Enterprise Security API Project, OPEN WEB APPLICATION SOC'Y PROJECT, https://www.owasp.org/index.php/Project_Information:_OWASP_Enterprise_Security_API_Project (last visited June 2, 2016).
[5] HBO Go, http://play.hbogo.com (last visited June 2, 2016).
[6] SHOWTIME ANYTIME, http://www.showtimeanytime.com (last visited June 2, 2016).
[7] See DOWNLOADABLE SEC. TECH. ADVISORY COMM., DSTAC FINAL REPORT 262-67 (Aug. 28, 2015), https://transition.fcc.gov/dstac/dstac-report-final-08282015.pdf [hereinafter DSTAC FINAL REPORT].
[8] STELA Reauthorization Act of 2014, Pub. L. No. 113-200, § 106(d), 128 Stat. 2059 (2014).
[9] Appointment of Members to the Downloadable Security Technology Advisory Committee, 30 FCC Rcd. 389 (Jan. 27, 2015).
[10] DSTAC FINAL REPORT, supra note 9.
[11] See MB Docket No. 15-64.
[12] See DSTAC FINAL REPORT, supra note 9, at 3-4, 12-16, 24-26, 28-30, 31-37, 47-56, 60-135, 186-192.
[13] Expanding Consumers' Video Navigation Choices, supra note 1, ¶¶ 50-62, 70-80.
[14] Id. ¶ 73.
[15] E.g., Cox Communications, Inc. Order and Consent Decree, 30 FCC Rcd. 12302 (Nov. 5, 2015) (enforcement action against a cable provider that did not adequately secure customer information).
[16] Expanding Consumers' Video Navigation Choices, supra note 1, ¶ 71.
[17] Id. ¶¶ 72, 74.
[18] COMMC'NS SEC., RELIABILITY & INTEROPERABILITY COUNCIL IV, CYBERSECURITY RISK MANAGEMENT AND BEST PRACTICES (Mar. 18, 2015), https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG4_Final_Report_031815.pdf.
[19] DSTAC FINAL REPORT, supra note 9, at 100, 186-92.
[20] E.g., 47 U.S.C. §§ 501-506 (civil cause of action and criminal penalties for copyright infringement).
[21] E.g., 17 U.S.C. § 1201 (civil cause of action and criminal penalties for circumventing content protections).
[22] E.g., 18 U.S.C. § 1030 (civil cause of action and criminal penalties for computer trespass).