The notice of inquiry seeks comment on whether a cyber security certification program “would create business incentives for providers of communications services to sustain a high level of cyber security culture and practice.” Assuming it has legal authority to implement such a program, the Commission should ask itself two questions to help determine whether a certification program is necessary.

First, the Commission should ask itself whether a market failure exists that requires action by the FCC. Are there externalities that might cause under-investment by firms in cyber security? Alternatively, is there an information failure such that firms do not understand the benefits of purchasing a sufficient amount of cyber security? Are communications services providers unable or ill equipped to adopt security standards and ensure vigilant cyber security? Second, even if there is evidence of a market failure, will a certification program be helpful? We see little evidence that these questions can be answered in the affirmative.