The FCC today voted unanimously to prohibit carriers that receive Universal Service Fund support from using that support to purchase, maintain, or otherwise support equipment or services purchased from “covered companies” deemed to pose a national security threat to communications networks, and designated Huawei Technologies Co. and ZTE Corp. as covered companies.
The Commission also adopted a process for future bureau-level designations of covered companies, as necessary, along with an expedited process for appealing such decisions to the full Commission. It also adopted a requirement for carrier recipients of USF support (eligible telecommunications carriers, or ETCs) to certify compliance with the supply chain restrictions adopted today and a mechanism for the Universal Service Administrative Co. to audit compliance.
The report and order, further notice of proposed rulemaking, and order adopted today in WC docket 18-89 also proposes requiring ETCs to remove and replace equipment in their networks that was supplied by covered companies and directs staff to collect information on the extent to which such equipment exists in networks and the projected cost of removing and replacing it.
The further notice seeks input on how to fund the removal and replacement of equipment supplied by covered companies.
Today’s action follows a 2018 notice of proposed rulemaking seeking input on a proposal to prohibit the use of universal service support for purchases from companies deemed to pose a threat to national security (TR Daily, April 17, 2018).
Although all the Commissioners voted for the item, they did raise some concerns, including a warning from Commissioner Mike O’Rielly against expanding the use of the FCC’s statutory authority to protect national security to network security issues that don’t raise national security issues.
In his separate statement, Commissioner O’Rielly said, “For a multitude of reasons, I support today’s item. But, I do have a few reservations. Let me caution the critics: raising concerns on certain portions doesn’t make me a sympathizer of those seeking to harm the U.S. I am just trying to enact sound policy and prevent potential abuses down the [road]. Being skeptical of and trying to protect from an authoritative government is the very nature of being American.”
Among his concerns was the possibility that “innocent companies [could] be implicated by mistake. We must get these decisions right and have a process to challenge if the Bureau, which I am not all that comfortable delegating to, gets them wrong. I appreciate that the Chairman accommodated my concerns by implementing a 120-day timeline to expedite appeals of Bureau-level decisions to the Commission. This will ensure that affected parties have some timely recourse, if necessary,” he said.
Commissioner O’Rielly added that he fears the Commission is “underestimating the costs of our action today.” He said that although he “appreciate[d] that the Chairman’s Office and staff clarified how and when USF funds can be used when a network contains covered equipment, our decision to prohibit the use of USF funds to maintain, modify, or support covered equipment in any way may result in some providers having to replace equipment earlier than scheduled when minor changes or repairs need to be made. Not to mention that our communications providers will have fewer equipment options, which could raise costs and delay new and expanded offerings. Unfortunately, these costs will mostly affect the nation’s smaller providers, which are more likely to have covered equipment and may be relying on USF dollars to remain viable.”
Commissioner O’Rielly also criticized the item’s cost-benefit analyses.
“Instead of figuring out what the true benefits are of our decision, the cost-benefit analysis states that the cost of $960 million, which as I just stated seems low, is justified if our action prevents a minimal—well less than one percent—disruption to the economy and annual growth. There is no data provided to verify these assertions or support the theory that preventing USF funds from being used to buy and maintain this equipment will be effective in reducing these hypothetical disruptions to our economy.”
With regard to the potential expanded use of national security authority, he said, “It is important to note that the Commission doesn’t retain significant authority—or much at all—to affirmatively act on network security issues. That means we cannot transcribe requirements, mandates, or other burdens on providers in the name of network security. The ‘national security’ language of the statute is not a catch-all, otherwise it can be abused in many harmful ways. However, we do have and rightfully maintain authorization authority where we take Team Telecom views into account and can condition USF in various ways to meet our policy objectives.”
Commissioner Brendan Carr and Commissioner Jessica Rosenworcel both cited concerns raised by visits to Montana where underground silos housing intercontinental ballistic missiles are surrounded by cell towers that contain Huawei equipment.
Commissioner Car emphasized, “This is not just a concern for the military. Everything we do in modern society now runs on interconnected networks, from banking, to transportation, and even our power grids. This will become only more so as carriers continue to build out 5G networks. If these networks are threatened, everything we have come to rely on is threatened.”
He added that “it’s not hard to see the threat that companies like Huawei and ZTE pose to our networks and to our national security. Indeed, China’s National Intelligence Law requires that all ‘organizations … cooperate with the State intelligence work,’ and it provides them no right to refuse. It also gives the Chinese government the power to take over a company’s communications equipment. And because the networks in the U.S.—from rural America to big city—are interconnected, even a small amount of compromised equipment could be devastating to U.S. security.”
Regarding the Montana missile silos, Commissioner Rosenworcel said, “If a foreign government ever chose to exploit the radio transmitters that have been placed alongside key military installations, it could suck up sensitive data, shut down service, or launch denial of service attacks. And it gets still worse, because as we transition to next-generation 5G networks, insecure equipment in the telecommunications supply chain could take cybersecurity risks to entirely new levels. That’s because 5G networks will allow us to move and access vastly higher quantities of data, and we will depend on them more than prior technologies for a range of mission-critical applications.”
She added, “I support this effort. And I also appreciate that my colleagues were willing to consider changes I offered to this decision and rulemaking we adopt today. In critical part, those include exploring our authority over carriers under the Communications Assistance for Law Enforcement Act to expand our prohibition beyond just the universal service program; providing additional guidance to companies so that our rules do not needlessly disrupt day-to-day service and operations in rural America; implementing the lessons learned from the 600 [megahertz] incentive auction in order to maximize funds available for replacing insecure equipment; and seeking to accelerate the FCC’s review of a reimbursement program.”
Commissioner Rosenworcel said that “the FCC has more work to do when it comes to network security. Because our present efforts to remove and replace insecure equipment are not bold enough. We need a coordinated, national plan for managing the future of 5G security—and the evidence all around us makes crystal clear we don’t have one.”
She also expressed concern that “these issues can easily get swept up into broader trade matters. Despite our actions today, we have to grapple with the fact that at any moment the Administration could trade away our security objectives for some momentary advantage in bilateral trade negotiations. I hope that does not occur, but let’s be honest, it has happened before, when this Administration reversed course on banning ZTE from doing business in the United States. If it happens again, it will have serious consequences for our credibility.”
Commissioner Rosenworcel urged that, going forward, the FCC needs “an approach to supply chain security that recognizes that despite our best efforts [to] secure networks in the United States, they will only go us so far because no network stands alone. Our networks still will connect to insecure equipment abroad. So we need to begin researching how we can build networks that can withstand connection to equipment vulnerabilities around the world. One way to do this is to virtualize and diversify key parts of our networks.”
She reiterated suggestions for supporting “improved security though open radio access networks—or open RAN”; for transforming the Internet of things into “the Internet of Secure Things” by using the FCC’s equipment registration process “to encourage device manufacturers to build security into new products”; and developing “smarter spectrum policy” by shifting the focus from high-band spectrum to mid-band spectrum needed to send signals over greater distances in rural areas.
Commissioner Geoffrey Starks emphasized his calls for an approach that will “find this untrustworthy equipment, fix the problem, and fund the remedial effort – Find It, Fix It, Fund It.”
He noted that he released a white paper yesterday detailing findings from a stakeholder workshop he held earlier this year (TR Daily, Nov. 21).
“Here’s what I’ve learned. These carriers are made up of hard-working men and women that serve hard-to-reach communities that the major carriers can’t or won’t serve, operating with small teams and tight budgets. And they’re worried. They’re concerned that they’ll be punished for using Chinese equipment in their networks that they bought lawfully and in good faith, in many cases before the full strength of our concerns about network vulnerabilities linked to Chinese telecoms manufacturing surfaced. They now understand the significant security risks associated with their having Chinese equipment in their networks. They understand how manufacturers are obligated under Chinese law to cooperate with the government’s demands for network access. They understand how their vulnerable equipment could be used for surveillance, disruption of critical services, or cyber-attacks. And they want to fix it. They need our help, and this FNPRM is the first step on the road to doing so,” Commissioner Starks said.
“But such assistance shouldn’t come without considering how we got into this situation and how to avoid duplicating it in the future. Based on information available today, the item indicates that replacing untrustworthy equipment in our networks could cost as much as $2 billion, and the actual figure could be even more. We can’t afford to do this again. That’s why I proposed the addition of questions seeking comment about what factors led to the dependence of certain carriers on untrustworthy equipment and what measures the Commission could and should take to ensure that all telecommunications carriers obtain and rely on equipment only from trusted vendors. I’m particularly interested in hearing about American-made alternatives—both hardware and software-based—to untrustworthy or insecure telecom equipment,” he added.
He called for the creations of an FCC National Security Task Force; encouraging “the growth of American technology for next generation networks”; “learn[ing] more about the measures that we can take, if any, to prevent the Chinese government from eavesdropping, blocking or tampering” with communications carried by a proposed undersea cable between Los Angeles and Hong Kong; and taking steps to address election security. “The FCC has a statutory obligation to protect the national defense and the security of our elections clearly qualifies in my mind,” he said.
Chairman Ajit Pai noted concerns expressed by FBI Director Chris Wray and Attorney General Bill Barr about the importance of protecting communications networks from companies controlled by foreign governments that “don’t share our values,” as Mr. Wray told Congress last year.
Mr. Pai said that the FCC took today’s actions “based on evidence in the record as well as longstanding concerns from the executive and legislative branches about the national security threats posed by certain foreign communications equipment manufacturers, most particularly Huawei and ZTE. Both companies have close ties to China’s Communist government and military apparatus. Both companies are subject to Chinese laws broadly obligating them to cooperate with any request from the country’s intelligence services and to keep those requests secret. Both companies have engaged in conduct like intellectual property theft, bribery, and corruption.
“Moreover,” he added, “we know that hidden ‘backdoors’ to our networks in routers, switches, and other network equipment can allow a hostile adversary to inject viruses and other malware, steal Americans’ private data, spy on U.S. companies, and more.”
“These concerns are by no means hypothetical. This summer, for example, an independent cybersecurity firm found that over half of the Huawei firmware images they analyzed had at least one potential backdoor and that each Huawei device they tested had an average of 102 known vulnerabilities,” Chairman Pai added.
House Energy and Commerce Committee ranking member Greg Walden (R., Ore.) praised the FCC’s action.
“We all know the potential threats Chinese companies like Huawei pose to the security of America's communications infrastructure. We have a duty to protect American networks and our national security. Chairman Pai and the FCC are leading in this effort by putting a stop to American consumers funding foreign state actors who do not have our best interests at heart. The Energy and Commerce Committee just approved legislation to help our small internet service providers replace and upgrade the security of their networks without unduly burdening their consumers [TR Daily, Nov. 21]. The Secure and Trusted Communications Networks Act of 2019 will help the FCC carry out this important work,” he added.
In a statement, Huawei called the FCC’s actions “unwarranted” and predicted they “will have profound negative effects on connectivity for Americans in rural and underserved areas across the United States.”
Huawei added that it “believes this order is unlawful as the FCC has singled out Huawei based on national security, but it provides no evidence that Huawei poses a security risk. Instead, the FCC simply assumes, based on a mistaken view of Chinese law, that Huawei might come under Chinese government control.”
It said that it “has remained open to engaging with the U.S. government to verify productive solutions to safeguard U.S. telecommunications systems. Huawei would never breach its customers’ trust.”
“Huawei urges the FCC and Chairman Ajit Pai to refrain from finalizing its inappropriate designation of Huawei and to rethink its profoundly mistaken order. The FCC’s process for labeling Huawei a security threat violates bedrock principles of due process and is based on nothing more than irrational speculation and innuendo. Yet this course of action is not inevitable. The FCC is aware of best practices that could actually improve U.S. network security without unlawfully and irrationally targeting Huawei. Huawei would welcome the opportunity to work with the FCC and other U.S. government authorities to ensure that these best practices are incorporated fully in the U.S. telecommunications system to the ultimate benefit of U.S. commerce and consumers,” it added.
Responding to a question during a press conference after the Commission’s meeting, Chairman Pai said, “I find it hard to believe … that the company would resist such a request” for access to communications from the Chinese government.
USTelecom President and Chief Executive Officer Jonathan Spalter said, “Securing the nation’s communications supply chain and infrastructure against the growing global cyber threat is a top priority for USTelecom and our members. Let’s be clear: a cohesive national policy on supply chain requires a ‘whole of government’ approach, which the FCC has appropriately embraced. Today’s action to bar prospective use of USF funds for equipment from companies that pose an undue risk to our nation’s security is smart policy and will make us safer. The FCC’s call for a review on ‘rip and replace’ for existing equipment will also inform the international conversation on risk tolerance, particularly on matters of national security.”
In a statement, the Rural Wireless Association said it “remains cautiously optimistic that the FCC’s recently-adopted Report and Order, Order, and Further Notice of Proposed Rulemaking will take a holistic approach to eliminating the threats posed by telecommunications equipment manufactured by “covered companies,” namely Huawei and ZTE. Specifically, RWA believes that: (1) the Report and Order will allow for a handful of impacted rural carriers, including RWA members, to maintain existing critical communications services so long as USF funding is not used to directly or indirectly fund Huawei or ZTE by purchasing additional equipment manufactured by these covered companies, or, contract for new services performed by these covered companies; and (2) the Further Notice of Proposed Rulemaking will have a fully-adequate funding program in place and approved by Congress before there is any physical removal of existing equipment.”
It added, “RWA also appreciates that Commissioner O’Rielly recognizes that rural wireless carriers are ‘innocent companies’ in this important matter and that the Commission is likely ‘underestimating’ the true financial impact of today’s decision on American consumers and small and rural carriers.”
“RWA is awaiting the FCC’s release of the final version of the entire Report and Order, Order, and Further Notice of Proposed Rulemaking adopted by the full Commission before it can comment on any particular matter or component of the find it, fix it, and fund it solution,” it said.
Telecommunications Industry Association CEO David Stehlin said, “With 5G technology ushering in unprecedented connectivity, ensuring global networks are safe and reliable is more important than ever before. TIA applauds the FCC’s actions to protect USF-funded network equipment from foreign adversaries. We believe this is a necessary step to safeguard the U.S. national telecommunications network and establish a system of diverse, competitive and trusted suppliers.”
He added, “The telecommunications industry must protect the integrity of networks, equipment, [and] connected devices. We appreciate the FCC’s commitment to partnering with industry leaders throughout this process and look forward to working together to establish a high bar for security throughout the telecommunications supply chain while fostering innovation and investment in network infrastructure.” —Lynn Stanton, [email protected]
MainStory: FederalNews FCC Cybersecurity BroadbandDeployment WirelessDeployment
Interested in submitting an article?
Submit your information to us today!Learn More