{"id":464,"date":"2024-10-02T00:37:05","date_gmt":"2024-10-02T00:37:05","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=464"},"modified":"2024-10-02T00:37:05","modified_gmt":"2024-10-02T00:37:05","slug":"fcc-orders-t-mobile-to-deliver-zero-trust-and-better-mfa","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=464","title":{"rendered":"FCC orders T-Mobile to deliver zero trust and better MFA"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>T-Mobile must complete the move to zero trust and improve authentication, along with implementing better data minimization and improving asset inventory, said a US Federal Communications Commission (FCC) consent decree that the commission published on Monday.<\/p>\n<p>The settlement stems from a series of FCC investigations focused on three major T-Mobile data breaches in <a href=\"https:\/\/www.csoonline.com\/article\/571199\/the-t-mobile-data-breach-a-timeline.html\">2021<\/a>, 2022, and <a href=\"https:\/\/www.csoonline.com\/article\/574385\/t-mobile-suffers-8th-data-breach-in-less-than-5-years.html\">2023<\/a>, which impacted millions of its customers.\u00a0<\/p>\n<p>It also includes T-Mobile\u2019s agreement to pay a $15.75 million civil penalty, as well as a promise to invest the identical amount over the next two years \u201cto strengthen its cybersecurity program, and develop and implement a compliance plan to protect consumers against similar data breaches in the future.\u201d<\/p>\n<p>Although some have criticized the amounts as \u201cpeanuts\u201d given T-Mobile\u2019s annual revenue last year of $63.2 billion, the FCC said that it expects T-Mobile to make significantly greater cybersecurity investments on top of the $15.75 million.<\/p>\n<p>\u201cImplementing these practices will require significant \u2014 and long overdue \u2014 investments. To do so at T-Mobile\u2019s scale will likely require expenditures an order of magnitude greater than the civil penalty here,\u201d the <a href=\"https:\/\/docs.fcc.gov\/public\/attachments\/DA-24-860A1.docx\">consent decree<\/a> said. One order of magnitude greater than the $15.75 million penalty would be $157.5 million.<\/p>\n<p>\u201cThe Commission will hold T-Mobile accountable for making these mandatory changes to comply with statutory and regulatory obligations going forward and to ensure that T-Mobile does not create unnecessary cybersecurity risk for others through its business practices\u201d during activities such as mergers and acquisitions.<\/p>\n<p>The decree\u2019s specific requirements for cybersecurity enhancements were:\u00a0<\/p>\n<p>Corporate governance. Requiring that the <a href=\"https:\/\/www.csoonline.com\/article\/567029\/12-tips-for-effectively-presenting-cybersecurity-to-the-board.html\">CISO report regularly to the board<\/a>.<\/p>\n<p>\u201cMoving towards a <a href=\"https:\/\/www.csoonline.com\/article\/564201\/what-is-zero-trust-a-model-for-more-effective-security.html\">zero trust<\/a> security framework and segmenting its network to limit the blast radius when a breach occurs.\u201d<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/518296\/what-is-iam-identity-and-access-management-explained.html\">Identity and access management<\/a>: implementing \u201cphishing-resistant\u201d <a href=\"https:\/\/www.csoonline.com\/article\/563753\/two-factor-authentication-2fa-explained.html\">multifactor authentication (MFA)<\/a>. The FCC didn\u2019t define what it meant by phishing-resistant.<\/p>\n<p>Data minimization and deletion: \u201cadopting data minimization, data inventory, and data disposal processes designed to limit its collection and retention of customer information.\u201d<\/p>\n<p>\u201cCritical asset inventory: identifying and promptly tracking critical assets on its network to prevent misuse or compromise.\u201d<\/p>\n<p>Independent third party assessments of its information security practices.<\/p>\n<p>\u201cWith companies like T-Mobile and other telecom service providers operating in a space where national security and consumer protection interests overlap, we are focused on ensuring critical technical changes are made to telecommunications networks to improve our national cybersecurity posture and help prevent future compromises of Americans\u2019 sensitive data,\u201d said Loyaan A. Egal, chief of the enforcement bureau and chair of the privacy and data protection task force, in a statement. \u201cWe will continue to hold T-Mobile accountable for implementing these commitments.\u201d<\/p>\n<p>T-Mobile declined a CSO request for an interview about the consent decree \u2014 as did the FCC \u2014 but the company did issue a brief statement:<\/p>\n<p>\u201cWe take our responsibility to protect our customers\u2019 information very seriously. This consent decree is a resolution of incidents that occurred years ago and were immediately addressed. We have made significant investments in strengthening and advancing our cybersecurity program and will continue to do so.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Penalties should be tougher: analysts<\/h2>\n<p>Forrester senior analyst Alla Valente said the cybersecurity requirements from the decree \u201care all things that T-Mobile should have been doing all along. These are best practices that they should be doing anyway.\u201d<\/p>\n<p>As for the penalty and the required investment amounts, Valente dubbed them both \u201cpeanuts for T-Mobile. It\u2019s not something that is going to punch them in the gut.\u201d<\/p>\n<p>But, she argued, much of this is the result of July\u2019s US Supreme Court decision that <a href=\"https:\/\/www.csoonline.com\/article\/2512955\/us-supreme-court-ruling-will-likely-cause-cyber-regulation-chaos.html\">gutted the power of federal agencies<\/a>.\u00a0<\/p>\n<p>\u201cAgency power has been diminished a lot over the last year or so,\u201d she said, and the Supreme Court decision \u201ctook a lot of teeth out of the agencies.\u201d<\/p>\n<p>Had the FCC sought materially more money, T-Mobile would have likely appealed, hoping that a friendly Supreme Court would not back up the FCC.<\/p>\n<p>Michael Oberlaender, who has served as a CISO for eight enterprises and a board member of the FIDO Alliance, agreed. He compared the penalties imposed by US agencies with those of their European counterparts.<\/p>\n<p>The penalties \u201cshould have been much more stringent. A fine of ten percent of revenue would send shock waves,\u201d Oberlaender said. \u201cAs long as the minimal fines are imposed, nothing will ever change. What European regulators are doing is 10, 20 times higher than the US, and that makes a huge difference.\u201d<\/p>\n<p>He also agreed with Valente about the low-level cybersecurity requirements.\u00a0<\/p>\n<p>\u201cThese are all basics that any business should have in their environment. This is not enough. They are checklisting the pure basics,\u201d said Oberlaender, who is the author of <em><a href=\"https:\/\/www.amazon.com\/dp\/B0DFVLJHB6\/\">Raising the Bar For Cybersecurity<\/a><\/em><strong>.<\/strong><\/p>\n<p>Oberlaender also said he was concerned about the termination of the consent decree, which is in three years. \u201cI am curious: What happens afterwards? It remains to be seen which of these steps will be entertained, enforced and continuously improved afterwards. History has taught us that when the public scrutiny eye focuses elsewhere, companies tend to loosen the screws until the next one.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>T-Mobile must complete the move to zero trust and improve authentication, along with implementing better data minimization and improving asset inventory, said a US Federal Communications Commission (FCC) consent decree that the commission published on Monday. The settlement stems from a series of FCC investigations focused on three major T-Mobile data breaches in 2021, 2022, [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":458,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-464","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/464"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=464"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/464\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/458"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=464"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=464"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=464"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}