It is one of those oddities that occurs around Washington from time to time. During the same hour today, the Federal Communications Commission (FCC) was meeting at its downtown headquarters trying to stop robocalls, while a large gathering of government and industry cybersecurity experts were meeting a few miles away at Johns Hopkins Applied Physics Lab advancing the principal means for threat information sharing known as STIX. It turns out that STIX may be a perfect match for meeting FCC robocall mitigation objectives.

Structured Threat Information Sharing (STIX) emerged from industry collaboration with the DHS US-CERT as a best-of-breed platform for observing cyber threats, packaging the sighting information, and distributing the bundle in trusted ways to users to stop the threats. The platform was initially perfected by MITRE working closely with the several industry groups—especially the financial industry. It captured such a significant cross-section of security communities in the U.S. and internationally that the entire platform was turned over to the standards body OASIS where it resides today under the aegis of the Cyber Threat Intelligence (CTI) Technical Committee. STIX is now envisioned as the principle platform for implementing both the U.S. Cybersecurity Act as well as the EU Network Information Security Directive.

As many of the cyber security experts noted, unwanted calls—often with spoofed caller IDs or disguised origins—are a well-known threat faced constantly in dealing with network traffic. It makes effectively no difference if the traffic is a voice call, text SPAM, malware, or a DDoS attack. They all represent threats to users and network operators.

Indeed, during the course of the years of Federal agency proceedings and workshops, industry innovators (as opposed to legacy incumbents) have urged reliance on the capture and exchange of robocall threat patterns among providers and end users rather than heavy-handed, complicated governance models. Indeed today, the dichotomy in approaches is posed as “deterministic” (i.e., governance schemes, registrations, certificates, and registry database lookups) versus “probabilistic” (i.e., capturing and exchanging threat signatures).

So the FCC Robocall NOI/NPRM released today will doubtlessly unleash many thousands of irate complaints about the robocall/spoofed call problem. However, the FCC would be best served by eschewing onerous, deterministic platforms like STIR and SHAKEN with their certificate governance schemes, and relying instead on the more lightweight and already proven probabilistic solutions of the cyber security community and agencies like STIX. Robo/spoofed calls for STIX are simply another threat exchange profile. The latter approach is also more scalable, global, pro-competitive, encourages greater innovation, and leverages the enormous work within the cyber security community. It also comports with the minimalist approaches favored by policy makers today.