Congress of the United States
Washington, DC 20510

June 27, 2019

The Honorable Ajit Pai
Chairman
U.S. Federal Communications Commission
445 12th Street, SW
Washington, D.C. 20554

Dear Chairman Pai:

We write to request information regarding the Federal Communications Commission's (FCC), Communications Security, Reliability and Interoperability Council ("CSRIC" or "Council"), and the extent to which that body may be inappropriately dominated by industry insiders.

CSRIC is an advisory panel, tasked with "provid[ing] recommendations to the FCC regarding ways the FCC can strive for security, reliability, and interoperability of communications systems."[1] According to its charter, the Council membership must be drawn from a "balance" of "Federal, state, tribal, territorial and/or government agencies, consumer or community organizations or other non-profit entities, and the private sector," in order to "balance the expertise and viewpoints that are necessary to effectively address the issues to be considered."[2] However, a recent investigation by the nonpartisan independent watchdog group, Project On Government Oversight (POGO), found that "the panel . . . is dominated by industry influences and falling short of legal requirements."[3] In fact, "more than half of its members represented private sector interests, either as a direct employee of a for-profit company or via affiliation with an industry trade group."[4]

First established in 1992 under its previous name as the Network Reliability Council, the Council exists as an advisory panel, and cannot issue rules or regulations.[5] However, the FCC has often relied on its recommendations, analysis, and research to inform its policy decisions, and, according to POGO, its input has "held heavy sway within the agency despite the obvious conflicts of interest inherent in their production."[6]

[1] The U.S.
Federal Communications Commission, "Charter of the FCC's Communications Security, Reliability and Interoperability Council," p. 2, https://www.fcc.gov/file/15773/download.
[2] Id.
[3] Project On Government Oversight, "Industry Influence on an FCC Advisory Panel," Andrea Peterson, June 10, 2019, https://www.pogo.org/analysis/2019/06/industry-influence-on-an-fcc-advisory-panel/.
[4] Id.
[5] The U.S. Federal Communications Commission, "Network Reliability Council," https://www.fcc.gov/about-fcc/advisory-committees/communications-security-reliability-and-interoperability-9
[6] Project On Government Oversight, "Industry Influence on an FCC Advisory Panel," Andrea Peterson, June 10, 2019, https://www.pogo.org/analysis/2019/06/industry-influence-on-an-fcc-advisory-panel/.

According to POGO, of the Council's 22 current members, 13 are from the private sector, two are affiliated with an industry associated trade group, six are from government agencies, and only one member is from a civil society group. The industry-dominated personnel on the panel have recommended policies that are directly in line with the wishes of the companies from which their members are drawn. And to make matters worse, POGO interviews with former FCC staff also revealed that a lack of sufficient expertise among FCC staff regarding the growing world of data networks has led the agency to rely more heavily on input from the Council, giving it an outsized role in policy-making.[7]

For example, when the Council convened a working group to study and recommend best practices for cybersecurity under former Chairman Wheeler, the resulting 2015 report recommended making voluntary - rather than mandatory - commitments to follow the Commerce Department's National Institute of Standards and Technology cybersecurity frameworks.
[8] The panel made a similar decision a year later, again recommending a set of non-binding guidances for carriers as opposed to mandatory requirements to address significant security concerns relating to Signaling System No. 7 (SS7), a critical piece of telecommunications infrastructure that enables carrier interoperability and is famously vulnerable to hacking.[9] More recently, a March 2019 report by a CSRIC working group focusing on mitigating security risks to current IP-based protocols again only came up with voluntary best practices for the industry.[10] For this reason, the POGO investigation concluded that "instead of helping solve problems, this industry-dominated group has at times been a barrier to strengthening the security of America's communications."[11]

Having the FCC's policy-making process rely on input from individuals employed by, or affiliated with, the corporations that it is tasked with overseeing is the very definition of regulatory capture. The FCC should be working on behalf of American consumers, not giant telecommunications companies.

[7] Ars Technica, "Why the US still won't require SS7 fixes that could secure your phone," Andrea Peterson, April 11, 2019, https://arstechnica.com/features/2019/04/fully-compromised-comms-how-industry-influence-at-the-fcc-risks-our-digital-security/.
[8] The U.S. Federal Communications Commission, Communications Security, Reliability and Interoperability Council, Working Group 4, "Cybersecurity Risk Management and Best Practices: Final Report," March 2015, p. 30, https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG4_Final_Report_031815.pdf.
[9] In June 2016, the FCC established a working group under CSRIC to come up with security recommendations for improving SS7. The working group was overwhelmingly dominated by industry-insiders: of its 20 members, 5 were from government agencies and 15 were affiliated with the private sector. The U.S.
Federal Communications Commission, Communications Security, Reliability and Interoperability Council, Working Group 10, "Legacy Systems Risk Reductions: Final Report," March 2017, https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf; Ars Technica, "Why the US still won't require SS7 fixes that could secure your phone," Andrea Peterson, April 11, 2019, https://arstechnica.com/features/2019/04/fully-compromised-comms-how-industry-influence-at-the-fcc-risks-our-digital-security/.
[10] The U.S. Federal Communications Commission, Communications Security, Reliability and Interoperability Council VI, Working Group 3, "Final Report on Best Practices and Recommendations to Mitigate Security Risks to Current IP-based Protocols," March 2019, file:///C:/Users/zd44543/Downloads/csric6wg3 final report 030819.pdf.
[11] Project On Government Oversight, "Industry Influence on an FCC Advisory Panel," Andrea Peterson, June 10, 2019, https://www.pogo.org/analysis/2019/06/industry-influence-on-an-fcc-advisory-panel/.

Beyond the obvious conflicts of interest and risks to consumers that this arrangement creates, we are also concerned that its current makeup may not be consistent with the Federal Advisory Committee Act, which requires that the membership of federal agency advisory committees must "be fairly balanced in terms of the points of view represented and the functions to be performed."[12] In order to effectively serve the American public, it is imperative that CSRIC's membership be comprised of individuals with a diverse range of backgrounds and viewpoints, and include equal representation from various government agencies, academic experts, and consumer and community organizations, in accordance with its charter.[13]

To help me better understand the extent to which CSRIC may be corrupted by undue corporate influence, as well as its role in FCC policy-making, we respectfully request that you answer the following questions no later than July 12, 2019.

1.
According to its own charter, CSRIC should be made up of members from "[f]ederal, state, tribal, territorial and/or government agencies, consumer or community organizations or other non-profit entities, and the private sector,"[14] in order "to balance the expertise and viewpoints that are necessary to effectively address the issues to be considered." But of the 22 current members serving on CSRIC, 15 are directly working for the private sector or are affiliated with industry associated trade groups, and only one member is from a civil society group. Please explain how the current composition of CSRIC meets this requirement in its charter.

2. The Federal Advisory Committee Act, which applies to CSRIC, requires that the membership of federal agency advisory committees must "be fairly balanced in terms of the points of view represented and the functions to be performed."[15] Please explain how the current membership of CSRIC is following this statutory requirement.

3. Please explain in detail your process for selecting members to serve on CSRIC, and any considerations that were made with regard to balancing members that are affiliated with the industry and members from consumer and community organizations.

4. Please provide information on the number of individuals from tribal governments or tribal organizations that have been appointed to serve on CSRIC, or its predecessor, the Network Reliability Council, since 1992. For each individual, please list their name, the tribal government or tribal organization they were affiliated with, and the dates that they served on the Council.

[12] 5a U.S. Code § 5(b)(2); The U.S. Federal Communications Commission, "Charter of the FCC's Communications Security, Reliability and Interoperability Council," p. 2, https://www.fcc.gov/file/15773/download.
[13] The U.S. Federal Communications Commission, "Charter of the FCC's Communications Security, Reliability and Interoperability Council," p. 2, https://www.fcc.gov/file/15773/download.
[14] Id.
[15] 5a U.S. Code § 5(b)(2)

5. Please explain CSRIC's role in the FCC policy-making process and the extent to which the agency relies on the input from CSRIC. In explaining this process, please include the following:

   a. A list of all FCC actions under the current administration on which the CSRIC provided advice, guidance, or recommendations.

   b. Any documents the CSRIC produced as a part of any advice, guidance, or recommendations, including for the three working groups that studied the 911 system's reliability and resiliency during the NG911 transition; the comprehensive re-imagining of emergency alerting; and recommendations and best practices to reduce security risks to IP-based protocols.

   c. Information on the role that such advice, guidance, or recommendations played in FCC actions.

6. Please include copies of any communication related to CSRIC membership between you or any FCC employee and any individuals affiliated with or representing an FCC-regulated entity since you assumed the position of Chairman.

Thank you for your attention to this matter.

Sincerely,

United States Senator
Member of Congress