Ajit Pai announced Monday he would step down as chairman of the Federal Communications Commission as of inauguration day, Jan. 20. He leaves a complicated legacy with the FCC concerning cybersecurity, one that will almost certainly change under new leadership.
Pai has been chairman throughout the Trump administration and was a commissioner before that. By rule, the five commissioners of the FCC can only contain three members of a single political party, and Pai — a former lawyer for telecom companies — is a staunch free-market Republican who favored a “light-touch” approach to regulation. It was a philosophy that led the FCC to abdicate much of its regulatory standing in many cybersecurity and privacy roles. At the same time, his moves in 5G supply chain security were anything but a light touch, which will require well over a billion dollars in upgrades nationwide.
Most people who have heard of Pai know him as the official to scrap net neutrality. But that wasn’t his only controversial opinion. The Republican stance at the FCC was that the commission lacked statutory authority to affect cybersecurity. In that vein, Pai during his opening months as chair reversed an order to address known vulnerabilities in the emergency alert system and announced plans to reverse broadband privacy rules (before lawmakers made that moot). Both of those initiatives had been set up under previous chairman, Tom Wheeler.
“Early investment in risk reduction is like yeast; Pai pulled the yeast out of the dough and the nation has been suffering the consequences since then,” said Rear Admiral (ret.) David Simpson, via email. Simpson headed the commission’s Public Safety and Homeland Security Bureau under Wheeler.
Simpson can rattle off a long list of places he felt Pai’s light touch left cybersecurity lacking, starting with those listed above and extending through Pai’s removal of cybersecurity protections from internet-based television, reducing interagency engagement over cybersecurity, squelching commission economists who highlighted the need for more telecom spending on security, and removing security from the commission’s review standards for mergers.
Democratic lawmakers have lobbied for more FCC oversight of cybersecurity throughout Pai’s tenure, and will likely call for the same from an incoming commission. In particular, the FCC is uniquely placed to regulate the telecommunications sector. But opponents suggest that the government has the capacity to replace the cybersecurity role the FCC gave up through other agencies, particularly the Federal Trade Commission.
“The FCC is a second-level player when it comes to cybersecurity. It’s not normally what it wants to do,” said Jim Lewis, senior vice president and director of CSIS’s Strategic Technologies Program and cybersecurity policy veteran of the Departments of State and Commerce. “But it has a role in 5G systems. And Pai did okay with that.”
Pai set in motion what may amount to a $1.6 billion federal project to remove Huawei equipment from private telecommunications systems. The “rip and replace” movement is a drastic step for a generation-defining problem of supply chain security. The program is on hold while the FCC finalizes the plans, and will not take place until the next administration. Lewis does not anticipate any change in direction under President Elect Joe Biden, suggesting that the new presidency might merge sweeping plans to increase access to broadband with the Huawei-replacement funds.
The argument over what authorities the FCC should have with information security is not settled, but end users and those speaking on their behalf tend to argue the FCC should be more involved in protections. That’s true both of people who support Pai’s vision of the FCC’s jurisdiction and that of Simpson.
"Ajit Pai has admirably focused on the 5G rollout, securing telecommunications equipment through grants, and expanding broadband coverage. However, the billions invested and the strategies conceived pale in comparison to the scale of the problem,” said Tatyana Bolton, head of cybersecurity and emerging threats at the free-market think tank, the R Street Institute. Bolton has called for better metrics and increased focus on supply chain issues.
“This all reminds me of Chinese water torture," she said. "We keep trying to improve cybersecurity drop by drop, and the effects are predictable."
