FEDERAL COMMUNICATIONS COMMISSION
WASHINGTON
OFFICE OF THE CHAIRMAN

December 2, 2016

The Honorable Mark Warner
United States Senate
475 Russell Senate Office Building
Washington, D.C. 20510

Dear Senator Warner:

Thank you for your letter regarding the important issue of Distributed Denial of Service (DDoS) attacks, the security of the nation's networks, and the equipment and devices that attach to the networks to deliver integrated Internet-powered services to citizens and businesses. Cybersecurity has been a top priority for the Commission during my tenure. As you note, the rapid growth of network-connected consumer devices creates particular cybersecurity challenges. The Commission's oversight of our country's privately owned and managed communications networks is an important component of the larger effort to protect critical communications infrastructure and the American public from malicious cyber actors. The Commission is uniquely situated to comprehensively address this issue given its authority over the use of radio spectrum as well as the connections to and interconnections between commercial networks, which touch virtually every aspect of our economy. Other agencies have also begun looking at network-connected devices and the security implications they bring in certain industry segments.[1]

As your letter suggests, the Commission's Open Internet Order's rules enable Internet Service Providers (ISPs) to take measures to protect their networks, and those with which they interconnect, from harmful devices. These rules make clear that providers not only have the latitude to take actions to protect consumers from harm, but have the responsibility to do so.

The Open Internet Order in particular emphasizes that reasonable network management incorporates practices "ensuring network security and integrity," including by "addressing traffic harmful to the network," such as denial of service attacks.[2] The Open Internet Order thus affirms ISPs' ability to take measures to protect the network. This policy builds on FCC rules that have, for decades, given providers of wireline telecommunications the right to "temporarily discontinue service forthwith" in the face of imminent harm.[3] More broadly, the recent D.C. Circuit decision upholding the Commission's authority over broadband networks empowers it to address core network issues.

[1] For example, the U.S. Food and Drug Administration released draft guidance outlining the agency's expectations for monitoring, identifying and addressing cybersecurity vulnerabilities in medical devices once they have entered the market. See U.S. Food and Drug Administration, Postmarket Management of Cybersecurity in Medical Devices: Draft Guidance for Industry and Food and Drug Administration Staff (2016), http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf. The U.S. Department of Transportation has proposed guidance on improving motor vehicle cybersecurity. See U.S. Department of Transportation, Cybersecurity Best Practices for Modern Vehicles (2016), http://www.nhtsa.gov/staticfiles/nvs/pdf/812333_CybersecurityForModernVehicles.pdf.

[2] See Protecting and Promoting the Open Internet, Report and Order, Declaratory Ruling, and Order, 30 FCC Rcd 5601, 5701, para. 220 (2015), aff'd, United States Telecom v. FCC, 825 F.3d 674 (D.C. Cir. 2016).

[3] See 47 CFR 68.108.

In recognition of the Commission's authority over telecommunications networks, Commission staff have been actively examining cyber challenges presented by today's end-to-end Internet environment. This environment is fundamentally different, and more challenging, than the legacy telecommunications security environment that we've managed risks under for decades. The Dyn DDoS attack is illustrative of the cyber challenges that the Commission faces. During the attack, insecure devices, connected through wireless networks, shut down service to millions of customers by attacking a domain name system (DNS) server of an entity not licensed or directly regulated by the Commission. This attack highlighted that security vulnerabilities induced by or inherent in devices now can have large-scale impacts on network services connecting those devices. This is particularly so in two areas relevant to the Dyn attack: (i) the services at issue enable a broad new array of security risks to individuals and businesses that providers only have a defined and limited role in managing; and (ii) the many new entities involved in the end-to-end consumer Internet experience (especially with respect to IoT). As the end-to-end Internet user experience continues to expand and diversify, both through provider network inputs and the products and services enabled by Internet access, the Commission's ability to provide assurance to individuals and businesses against cyber risk will continue to be both taxed and constrained. To protect consumers using telecommunications networks, the Commission must address these cyber challenges.

In 2014, I initiated a new paradigm for how the FCC would address cybersecurity for our nation's communications networks and services. I stated that it begins with private sector leadership that recognizes how easily cyber threats cross corporate and national boundaries and that, because of this, the communications sector must step up its responsibility and accountability for cyber risk management. In this vein, the Commission has worked closely with its Federal Advisory Committees, as well as with our federal partners and other stakeholders, to foster standards and best practices for cyber risk management.[4] We worked with the other regulatory agencies to create a forum whereby the agency principals meet to share best cybersecurity regulatory practices and coordinate our approaches. As a result of these collaborative efforts, a rich body of recommendations, including voluntary best practices, has been developed. Industry implementation of these practices must be part of any cybersecurity solution.

[4] For example, our Technological Advisory Council (TAC) has been examining how to incorporate "security by design" principles into the very fabric of emerging 5G networks, and our Communications Security, Reliability, and Interoperability Council (CSRIC) has been working on cybersecurity in connection with a number of issues, such as improving supply chain risk management, addressing risks associated with legacy protocols such as SS7, and promoting security in networks and devices utilizing Wi-Fi technology. In addition, we have been preparing to launch voluntary, face-to-face engagements, consistent with NIST Framework and CSRIC recommendations, in which providers will collaborate with the Commission to address cyber risk issues in their networks and service environments.

I do, however, share your concern that we cannot rely solely on the market incentives of ISPs to fully address the risk of malevolent cyber activities. As private actors, ISPs operate in economic environments that pressure them to not take those steps, or to take them minimally. Given the interconnected nature of broadband networks, protective actions taken by one ISP against cyberthreats can be undermined by the failure of other ISPs to take similar actions. This weakens the incentive of all ISPs to take such protections. Cyber-accountability therefore requires a combination of market-based incentives and appropriate regulatory oversight where the market does not, or cannot, do the job effectively. While we have had to postpone some of the next steps in this combined approach in light of the impending change in Administrations, addressing IoT threats remains a national imperative and should not be stalled by the normal transition to a new president.

In recognition of the critical importance of the work that remains to protect Americans from cyber threats, I've attached an outline of a program that I believe would reduce the risk of cyber threats to America's citizens and businesses. This program includes collaborative efforts with key Internet stakeholder groups; increased interagency cooperation; and consideration of regulatory solutions by the Commission to address residual risk that cannot be addressed by market forces alone due to market failure.

Thank you for your interest in this important issue. Your views are very important and will be included in the record of this proceeding. I would be happy to make appropriate FCC staff available to you and your staff for additional discussions regarding our ongoing work on these important issues. I also stand ready to collaborate on these efforts with my colleagues in a bipartisan manner during the remainder of my term.

Tom Wheeler

5G/IoT CYBERSECURITY RISK REDUCTION PROGRAM PLAN

1. Federal Advisory Committee/voluntary stakeholder engagement.

• Charge the FCC's Federal Advisory Committees to develop cyber risk reduction standards and best practices and to promote ISP-wide adoption and implementation of those standards.
In particular, convene an advisory group with broad-based cyber expertise, including industry, academia, and government agencies, to provide recommendations for a device cybersecurity certification process.

• Establish an advisory committee/working group to provide recommendations on what different members of the communications ecosystem (including 5G service providers, 5G network equipment manufacturers and suppliers, and 5G device manufacturers and suppliers) should do to prevent, reduce the risk of, or mitigate edge-based attacks that cause harm to the network.

• Conduct voluntary and confidential, provider-specific meetings in which cyber threat and risk reduction challenges can be candidly discussed in order to foster a collaborative relationship and continued dialogue between the communications sector and the Commission.

2. Leverage interagency relationships.

• Provide the Cybersecurity Forum for Independent and Executive Branch Regulators to coordinate regulatory approaches to address IoT residual risks across the broader regulatory environment.

• Within the Forum, convene a task force composed of cybersecurity regulatory experts in the relevant agencies to assess the full scope of IoT cyber threats to critical infrastructure, existing regulatory authorities and mitigation recommendations within those authorities, as well as those authorities requiring statutory change.

• Continue collaboration with our executive branch partners, state, local, Tribal, and territorial entities to identify unique state and local challenges and champion near-term activity to address those needs.

3. Regulatory/rulemaking activities.

• Identify cybersecurity data gaps with respect to residual risk in our network outage reporting framework and develop reporting obligations to address these gaps, in order to ensure the FCC has situational awareness during and immediately after major communications disruptions, and to enable the Commission to utilize outage data to formulate standards and best practices to promote the overall reliability and resiliency of the nation's communications networks.

• Issue a Notice of Inquiry to develop a record and identify residual risk in the IoT commons, with the goal of determining where market failure may exist in the ISP, network element manufacturer, and device manufacturer community; identify current security best practices that could be implemented now by communications service providers, such as network filtering techniques, to address DoS attacks; and identify methods third party solution providers and other stakeholders in the 5G ecosystem can take to mitigate DoS attacks.

• Issue an NPRM to examine regulatory measures the FCC could take to help address cyber risks that cannot be addressed through market-based measures.

  o Consider the application of existing legal authorities to protect networks from IoT device security risks. The NPRM could examine changes to the FCC's equipment certification process to protect networks from IoT device security risks. Equipment authorization is a critical element of the FCC's regulatory structure to maintain the integrity and usability of spectrum.

  o Explore the potential of a cybersecurity certification (possibly self-certification) to create a floor and identifiable risk-relevant levels above the floor for device cybersecurity, and a consumer labeling requirement to address any asymmetry in the availability of information and help consumers understand and make better decisions regarding the potential cyber risks of a product or service.

  o Work with the Broadband Technical Advisory Group (BITAG) and 5G/IoT relevant stakeholder groups to build upon the evolving risk reduction initiatives, encouraging industry-initiated commitment as the preferred option and increased government engagement where that falls short.