Are State Regulatory Commissions Surveying Cybersecurity Practices Of Rural Broadband Providers?
Some state regulatory commissions have reportedly kicked off efforts to gather information on the cybersecurity practices of rural broadband providers operating within their states, using a survey developed by the National Association of Regulatory Utility Commissioners (NARUC). The NARUC cybersecurity survey contains 100 questions seeking precise details on issues ranging from network vulnerability assessments to personnel background checks. Is this a fact-finding mission, or another case of regulatory creep?
State regulatory commissions are not rookies when it comes to the cybersecurity game. They are familiar with many current cyber threats and defenses in use today due to their oversight of electric utilities and the electric grid. Cybersecurity has become an important part of an electric utility’s regulated service – providing electricity. Thus, state regulators have an obligation to be involved in electric providers’ cybersecurity habits.
It now looks like state regulatory commissions have decided to begin creeping into rural broadband providers’ cybersecurity practices. This, of course, should raise some eyebrows, because state commissions typically have very limited, if any, regulatory authority over broadband providers and non-regulated broadband service. So what’s going on here?
First, let’s take a quick look at the NARUC survey, and then let’s consider one of the risks of responding to the survey.
In a future post, we’ll explore whether state commissions have sufficient authority over rural broadband providers to require them to respond to a cybersecurity survey (spoiler alert: they don’t).
The NARUC Cybersecurity Primer
In January 2017, NARUC released Cybersecurity, A Primer for State Utility Regulators, Version 3.0, to help state utility regulators understand basic cybersecurity issues.[1] NARUC’s Cybersecurity Primer provides a high-level explanation of cyber threats and how to defend against them, but it focuses entirely on cybersecurity in the context of operating and maintaining the electric power grid. The final section of the document recommends state utility commissions take a strong approach to cybersecurity, and offers up the following five steps they can take to get there:
1. Convene an internal team of staff to set aside time in addition to normal duties to work on cybersecurity to develop essential expertise.
2. Develop a strategy that outlines the commission’s desired approach, goal, and timeframe for proceeding, and sets expectations for utility performance.
3. Ask questions – especially to utilities – and handle answers carefully.
4. Engage with companies and other stakeholders in a context that’s geared to dealing with cybersecurity as a discrete issue.
5. Take action and revisit the strategy and ensuing steps in a cycle of continuous improvement.[2]
The Cybersecurity Primer states that step three, asking questions, “may be the key role for commissions in cybersecurity.”[3] Appendix A to the document is a list of cyber questions that a state regulatory commission can use to survey utilities. Responses to those questions will enable a state commission to become informed, foster a dialogue, and develop a strategy to improve cybersecurity in its state. Obviously, step three is what has caused state regulatory commissions to send a cybersecurity survey to rural broadband providers.
State commissions becoming more informed on cybersecurity in their states sounds like a good idea. However, on second thought, initiating a comprehensive cybersecurity information collection will create a number of problems. The first that comes to mind is the creation of a central repository detailing the cybersecurity vulnerabilities and defenses of every broadband provider in a state. In other words, a hacker’s dream and a network operator’s nightmare.
A Hacker’s Dream: Cybersecurity Vulnerabilities And Defenses Of Every Network
The NARUC Cybersecurity Primer’s survey contains 100 questions sorted into the following 12 categories: planning, standards, reporting, partnerships, procurement practices, personnel and policies, using risk management for cybersecurity, implementation, response and recovery, process questions, governance questions, and systems and operations. Some questions are looking for specific answers, while others are more general. The level of information that a state commission receives, of course, will depend on the level of detail in each survey participant’s answer. Nevertheless, some of the information will undoubtedly be highly sensitive.
In general, the totality of the answers will contain information detailing cybersecurity vulnerabilities, defense capabilities, and various other network management practices. Certain answers will provide insight into financial considerations and decisions. Rural broadband providers – no, all broadband providers – consider this information highly confidential. For most, if not all, rural broadband providers, comprehensive cybersecurity information has never been disclosed all at once to regulators at any level of government. Moreover, it has never been revealed in such a laissez-faire manner as an informal survey. And it never should be. The internal disclosure of specific cyber information is generally restricted to key employees and made available on a need-to-know basis only. This rule should apply to interactions with state commissions as well, and is especially relevant here, as there appears to be no real purpose behind the survey.
What are the reasons for protecting this sort of information? Disclosure of cybersecurity vulnerabilities, defense capabilities, and network management practices threatens the integrity of a provider’s network. It can also cause significant commercial and competitive harm. This is why cybersecurity information is safeguarded at such a high level, and why network operators rarely disclose even small parts of this type of information without the guarantee of adequate safeguards.
Considering these risks, surely a state regulatory commission would guarantee the protection of all information contained in a broadband provider’s answers at the same time it requests a response to the cybersecurity survey. It is unclear whether state commissions are making such guarantees. Here is what NARUC's Cybersecurity Primer recommends state commissions consider before initiating a cybersecurity survey:
The line between knowing enough to determine that a utility’s actions are prudent and knowing so much that the information held by the Commission can pose a cybersecurity risk is a line that commissions should walk carefully. In cybersecurity, the information itself is sometimes the asset worth stealing. To address this issue, states may wish to consider establishing a critical infrastructure information policy. This policy would govern not only the type of information a commission could take possession of (or refuse to take possession of), but also under what circumstances, as well as which access, handling, and storage protocols would govern that data.[4]
Any rural broadband provider that is requested to complete the NARUC survey will expect assurances from its state commission. Certainly, state regulatory commissions, like other governmental agencies, handle sensitive information all the time and follow protocols to protect it. They are also subject to requirements limiting the disclosure of certain sensitive information under request for information laws.
Like private businesses, state commissions keep information in digital format on their networks so it is easily accessible by staff. Some may even encrypt their digital data. Nevertheless, whether information held by a state commission is truly protected depends on the commission’s cybersecurity and data protection practices. Unfortunately, just like private businesses, state regulatory commissions are vulnerable to cyberattacks and breaches. For example, in October 2017, the Oklahoma Corporation Commission suffered a cyberattack that knocked its website, email system, and other network operations offline. The full extent of the attack and its consequences are unclear.
Does a state regulatory commission have the ability to sufficiently safeguard a database of information detailing the cybersecurity vulnerabilities and defenses of every broadband provider in its state? What steps will a state commission take to ensure that data is protected? Can protection be guaranteed? Any broadband provider that is asked to respond to the NARUC cybersecurity survey will want to know the answers to those questions. If they cannot be answered, responding to the survey will likely be too great a risk for most. Even if a state regulatory commission claims it can protect survey responses, rural broadband providers will likely still consider the survey too risky. The cyber breach of the Oklahoma commission is proof of that.
**********
[1] Cybersecurity, A Primer for State Utility Regulators, Version 3.0, Miles Keogh and Sharon Thomas, National Association of Regulatory Utility Commissioners (Jan. 2017) (NARUC Primer), available at https://www.naruc.org/naruc-research-lab/. The first edition of NARUC’s cybersecurity primer was released in 2012.
[2] NARUC Primer at 15-20.
[3] NARUC Primer at 17.
[4] NARUC Primer at 17.