Modern communications networks are an integral component of the U.S. economy, enabling the voice, data, and Internet connectivity that fuels all other critical industry sectors—including our transportation systems, electrical grid, financial markets and emergency services. But these networks are vulnerable to various forms of surveillance and attack that can lead to denial of service, and loss of integrity and confidentiality of network services. As the United States upgrades its networks to the next generation of wireless technologies—5G—the risk that secret “backdoors” in our communications networks will enable a hostile foreign power to engage in espionage, inject malware, or steal Americans’ data becomes even greater.
The Federal Communications Commission has barred use of its $8.5 billion a year Universal Service Fund (USF) to purchase equipment and services from companies that pose a national security threat. Both Huawei and ZTE have close ties to the Chinese government and military apparatus and are subject to Chinese laws requiring them to assist with espionage, a threat recognized by other federal agencies and the governments of other nations. The public funds in the FCC’s USF, which subsidizes U.S. broadband deployment and service through four separate programs, must not endanger national security through the purchase of equipment from companies posing a national security risk. As part of its continuing efforts to safeguard the security and integrity of the nation’s communications networks, FCC designates Huawei Technologies Company and ZTE Corp. as companies covered by this rule and establishes a process for designating additional covered companies in the future. The Order also establishes a certification and audit regime to enforce the new rule.
In an accompanying Further Notice of Proposed Rulemaking adopted today, the FCC is proposing to require carriers receiving USF funds, known as eligible telecommunications carriers, to remove and replace existing equipment and services from covered companies. The Further Notice also seeks comment on how to pay for such removal and replacement. And to aid in the design of a removal and replacement program, the FCC will conduct an information collection to determine the extent to which eligible telecommunications carriers have equipment from Huawei and ZTE in their networks and the costs associated with removing and replacing such equipment.
The rule barring purchase of equipment and services from covered companies takes effect immediately upon publication in the Federal Register.
STATEMENT OF COMMISSIONER MICHAEL O’RIELLY
Re: Protecting Against National Security Threats to the Communications Supply Chain Through FCC Program
Communications networks – whether wired or wireless, fixed or mobile, existing or yet to be deployed – are, and will continue to be, a central component of our daily lives. They no longer are just a means to talk to our friends and family, but facilitate how we conduct business, make financial transactions, engage in commerce, and obtain needed information. This will only expand in the coming years as next-generation networks could bring about such advances as self-driving vehicles, remote surgery and other telehealth applications, and the Internet of Things, with billions upon billions of devices conveying information through the Internet. While we do not fully know all of the innovative applications that are on the horizon, it is possible to conclude that a huge amount of data, including very sensitive information, will be traveling through these networks. Therefore, they must be as secure as possible, knowing that absolute security is unachievable, and we must ensure that those with nefarious intentions cannot get access to these systems – or the information they carry – to do harm to our country.
I have spoken on many occasions about the threats to our networks by those countries and their associated businesses that do not share our market-based system or support our values and freedoms. We see time and time again efforts by these entities to attempt to monopolize and gain unfair advantages in the marketplace. Further, I agree that the hard-earned dollars of the American people should not be used to buy equipment and support entities that may do us harm.
For a multitude of reasons, I support today’s item. But, I do have a few reservations. Let me caution the critics: raising concerns on certain portions doesn’t make me a sympathizer of those seeking to harm the U.S. I am just trying to enact sound policy and prevent potential abuses down the round. Being skeptical of and trying to protect from an authoritative government is the very nature of being American.
First, I understand the gravity of the decision to exclude certain companies from the U.S. marketplace. These designated companies stand to lose significant business opportunities. Of course, I am not concerned about financial opportunities lost by companies that want to cause us harm, but sometimes innocent companies can be implicated by mistake. We must get these decisions right and have a process to challenge if the Bureau, which I am not all that comfortable delegating to, gets them wrong. I appreciate that the Chairman accommodated my concerns by implementing a 120-day timeline to expedite appeals of Bureau-level decisions to the Commission. This will ensure that affected parties have some timely recourse, if necessary.
Second, I fear that we are underestimating the costs of our action today. I was one of the first to suggest that our actions to ban certain equipment would have costs to be paid by someone, and I was criticized for doing so; now it is universally accepted. On this point, while I appreciate that the Chairman’s Office and staff clarified how and when USF funds can be used when a network contains covered equipment, our decision to prohibit the use of USF funds to maintain, modify, or support covered equipment in any way may result in some providers having to replace equipment earlier than scheduled when minor changes or repairs need to be made. Not to mention that our communications providers will have fewer equipment options, which could raise costs and delay new and expanded offerings. Unfortunately, these costs will mostly affect the nation’s smaller providers, which are more likely to have covered equipment and may be relying on USF dollars to remain viable.
More generally, I remain disappointed in our cost-benefit analyses. Instead of figuring out what the true benefits are of our decision, the cost-benefit analysis states that the cost of $960 million, which as I just stated seems low, is justified if our action prevents a minimal – well less than one percent – disruption to the economy and annual growth. There is no data provided to verify these assertions or support the theory that preventing USF funds from being used to buy and maintain this equipment will be effective in reducing these hypothetical disruptions to our economy.
Third, I am concerned that we are broadly and unnecessarily interpreting some statutory provisions to justify our authority to decide that some companies should not be able to participate in our communications economy. While I am a fervent supporter of protecting our national security, these and similar arguments are likely to be used in the future to justify mandates in the name of national security or others. It is important to note that the Commission doesn’t retain significant authority – or much at all – to affirmatively act on network security issues. That means we cannot transcribe requirements, mandates, or other burdens on providers in the name of network security. The “national security” language of the statute is not a catch-all, otherwise it can be abused in many harmful ways. However, we do have and rightfully maintain authorization authority where we take Team Telecom views into account and can condition USF in various ways to meet our policy objectives.
Regardless of these concerns about the item, I remain seriously concerned about the risks that our nation’s communications networks face. I appreciate the Chairman’s effort and thank him and Commission staff for tackling a very complex and challenging issue. I approve.
STATEMENT OF CHAIRMAN AJIT PAI
Re: Protecting Against National Security Threats to the Communications Supply Chain Through FCC Program
Last year, testifying before Congress, FBI Director Chris Wray said, “[W]e’re deeply concerned about the risks of allowing any company or entity that is beholden to foreign governments that don’t share our values to gain positions of power inside our telecommunications networks that provides the capacity to exert pressure or control over our telecommunications infrastructure.” Hearing before the Senate Select Committee on Intelligence, “Worldwide Threat Assessment of the U.S. Intelligence Community,” 115th Cong. (Feb. 13, 2018) (statement of Christopher Wray, Director, FBI), https://www.intelligence.senate.gov/hearings/open-hearing-worldwide-threats-0#.
And last week, Attorney General Bill Barr wrote to us:
[W]e are at a critical moment of technological change. Telecommunications providers in America and around the world are deciding who should build and service the Fifth Generation (5G) of wireless networks. We will become even more dependent on those networks as more and more devices and services are connected and operate at unprecedented speeds. Human life and safety as well as critical government functions will ride on them. Our national defense will depend on the security of our allies’ networks as well as our own. Protecting our networks (rural and urban alike) from equipment or services offered by companies posing a threat to the integrity of those networks is therefore a vital national security goal. Letter from William P. Barr, Attorney General, to Ajit Pai, Chairman, FCC, WC Docket No. 18-89, at 1 (Nov. 13, 2019), https://ecfsapi.fcc.gov/file/111501201939/18-89A.pdf.
At the FCC, we couldn’t agree more with the Attorney General and the Director of the FBI. That’s why today, we adopt a ban on using funds from the FCC’s Universal Service Fund (USF) to purchase equipment or services from companies posing a national security threat to the integrity of communications networks or the communications supply chain. We also initially designate two Chinese companies—Huawei and ZTE—as “covered” companies for purposes of this rule, and we set up a process for designating additional such companies in the future.
We take these actions based on evidence in the record as well as longstanding concerns from the executive and legislative branches about the national security threats posed by certain foreign communications equipment manufacturers, most particularly Huawei and ZTE. Both companies have close ties to China’s Communist government and military apparatus. Both companies are subject to Chinese laws broadly obligating them to cooperate with any request from the country’s intelligence services and to keep those requests secret. Both companies have engaged in conduct like intellectual property theft, bribery, and corruption.
Moreover, we know that hidden “backdoors” to our networks in routers, switches, and other network equipment can allow a hostile adversary to inject viruses and other malware, steal Americans’ private data, spy on U.S. companies, and more. Indeed, just last month, the European Union found 5G security risks where a “hostile state actor exercises pressure over a supplier under its jurisdiction to provide access to sensitive network assets through (either purposefully or unintentionally) embedded vulnerabilities.” European Union, “EU coordinated risk assessment of the cybersecurity of 5G networks” at 27 (Oct. 2019), https://g8fip1kplyr33r3krz5b97d1-wpengine.netdna-ssl.com/wp-content/uploads/2019/10/Report-EU-risk-assessment-final-October-9.pdf.
These concerns are by no means hypothetical. This summer, for example, an independent cybersecurity firm found that over half of the Huawei firmware images they analyzed had at least one potential backdoor and that each Huawei device they tested had an average of 102 known vulnerabilities. “Finite State Supply Chain Assessment: Huawei Technologies Co., Ltd.” at 3 (June 2019), https://finitestate.io/wp-content/uploads/2019/06/Finite-State-SCA1-Final.pdf.
Similarly, in March 2019, an oversight board in the United Kingdom released a report identifying “[f]urther significant technical issues . . . in Huawei’s engineering processes, leading to new risks in the UK telecommunications networks.” “Huawei Cyber Security Evaluation Center (HCSEC) Oversight Board Annual Report 2019: A report to the National Security Adviser of the United Kingdom” at 2 (Mar. 2019), https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/790270/HCSEC_OversightBoardReport-2019.pdf.
It also said that it “has not yet seen anything to give it confidence in Huawei’s capacity to successfully complete the elements of its transformation program that it has proposed as a means of addressing these underlying defects.” Id. at 3.
It is unsurprising, then, that in the last 12 months, three of our closest allies—New Zealand, Japan, and Australia—have issued bans on Huawei equipment and that over 30 nations (including the U.S.) have embraced a risk-based framework called the Prague Proposals. See “Prague 5G Security Conference announced series of recommendations: The Prague Proposals” (May 3, 2019), https://www.vlada.cz/en/media-centrum/aktualne/prague-5g-security-conference-announced-series-of-recommendations-the-prague-proposals-173422/.
Given the threats posed by Huawei and ZTE to America’s security and our 5G future, this FCC will not sit idly by and hope for the best. Today, we not only ensure that the federal funds in the USF are not spent on equipment or services from these suppliers, but we also propose a process to remove such equipment already deployed in USF-funded networks. Specifically, we propose to require certain carriers receiving USF funds, known as eligible telecommunications carriers, to remove from their networks existing equipment from covered companies, starting with Huawei and ZTE. To mitigate the financial impact of this requirement, particularly on small, rural carriers, we propose to establish a reimbursement program to help offset the cost of transitioning to more trusted vendors.
Finally, to aid the design of a removal and replacement program, we require carriers to submit information on their use of equipment from Huawei and ZTE as well as the potential costs associated with removal and replacement of such equipment.
In taking these steps, we demonstrate the FCC’s commitment to doing everything we can within our statutory authority to address national security threats to our communications networks, and together with our federal partners, to secure our 5G future.
For their outstanding work on this item, I’d like to thank Callie Coker, Kate Dumouchel, Justin Faulb, Ellen Gardiner, Aaron Garza, Trent Harkrader, Billy Layton, Kris Monteith, Ryan Palmer, Gilbert Smith, Cody Venzke, and John Visclosky of the Wireline Competition Bureau; Kenneth Baker, Erin Boone, Garnet Hanley, Kari Hicks, Charles Mathias, Dana Shaffer, Sean Spivey, Donald Stockdale, Joel Taubenblatt, and Suzanne Tetreault of the Wireless Telecommunications Bureau; Steven Carpenter, Michael Connelly, Lisa Fowlkes, Jeffrey Goldthorp, Kurian Jacobs, Debra Jordan, Lauren Kravetz, Nicole McGinnis, Saswat Misra, and Austin Randazzo of the Public Safety and Homeland Security Bureau; Denise Coca, Kathleen Collins, Gabrielle Kim, David Krech, Arthur Lechtman, Thomas Sullivan, and Troy Tanner of the International Bureau; Rosemary Harold, Christopher Killion, Shannon Lipp, and Jeremy Marcus of the Enforcement Bureau; Ira Keltz, Julius Knapp, Aspasia Paroutsas, and Ronald Repasi of the Office of Engineering and Technology; Malena Barzilai, Michael Carlson, Thomas Johnson, Douglas Klein, Rick Mallen, Linda Oliver, and Bill Richardson of the Office of General Counsel; Maura McGowan and Sanford Williams of the Office of Communications Business Opportunities; and Eric Burger, Octavian Carare, Jim Eisner, Kenneth Lynch, Alec MacDonnell, Giulia McHenry, Chuck Needy, Eric Ralph, Steven Rosenberg, Craig Stroup, Emily Talaga, and Geoff Waldau of the Office of Economics and Analytics.
STATEMENT OF COMMISSIONER BRENDAN CARR
Re: Protecting Against National Security Threats to the Communications Supply Chain Through FCC Program
Earlier this year, I had the privilege of visiting Malmstrom Air Force Base near Great Falls, Montana. I spent time there with Colonel Jennifer Reeves who is Commander of the 341st Missile Wing. Colonel Reeves and her team have one of the most significant and weighty missions in government. In their charge are150 intercontinental ballistic missiles loaded in underground silos spread across northern Montana. These are missiles that when launched can carry nuclear warheads almost 10,000 miles. Colonel Reeves told me that her job is to make sure they’re always ready to go. Set against that destructive power is a completely serene and wide-open landscape—it’s just wheat fields and Big Sky Country. Except as it turns out, there are cell towers all around the Montana missile fields running on Huawei equipment. Alex Marquardt and Michael Conte, Huawei Connects rural America. Could it threaten the country’s most sensitive military sites? CNN, (Mar. 11, 2019) https://www.cnn.com/2019/03/11/politics/huawei-cell-towers-missile-silos/index.html.
I got a firsthand look at those when I was up there.
This is not just a concern for the military. Everything we do in modern society now runs on interconnected networks, from banking, to transportation, and even our power grids. This will become only more so as carriers continue to build out 5G networks. If these networks are threatened, everything we have come to rely on is threatened. We have acknowledged the threat that Chinese telecom firms pose to our networks for some time. In 2012, the House Permanent Select Committee on Intelligence issued a report recommending that companies avoid using Huawei and ZTE equipment, and that government agencies remain vigilant and focused on the threat. Last year’s National Defense Authorization Act prohibited government agencies and contractors from using Chinese equipment. The Department of Commerce has clamped down on the Chinese firms’ abilities to do business with U.S. firms. Last year, we launched this proceeding to do our part to ensure U.S. national security. And this month Attorney General William P. Barr wrote to the Commission that, “we should not signal that Huawei and ZTE are anything other than a threat to our collective security.”
When combined with the ever increasing sophistication of cyber attacks and the fact that attacks from state actors are by far the most well-funded and advanced, it’s not hard to see the threat that companies like Huawei and ZTE pose to our networks and to our national security. Indeed, China’s National Intelligence Law requires that all “organizations…cooperate with the State intelligence work,” and it provides them no right to refuse. Chinese National Intelligence Law, Article 7.
It also gives the Chinese government the power to take over a company’s communications equipment. Chinese National Intelligence Law, Article 17. And because the networks in the U.S—from rural America to big city—are interconnected, even a small amount of compromised equipment could be devastating to U.S. security.
At the FCC, we are in a position to do something about this threat. And we are. Today, we are prohibiting carriers from using federal dollars to purchase any equipment or services from companies that pose a national security threat, including Huawei and ZTE.
And we are not stopping there. In 2018, I called on the FCC to expand our proceeding and put even more options on the table, including the removal of covered equipment that carriers have already installed in their networks. That would include some of the equipment I saw out in Montana. After all, if equipment poses a threat, it’s not enough to stop subsidizing it: it must come out of the network. I am glad that we are moving forward with that idea and proposing to take that action today.
I also want to thank my colleagues for agreeing to expand the scope of today’s Further Notice. We now go beyond the initial proposal, which focused on removing equipment if the carrier receives federal support, to asking whether we should mandate the removal of covered equipment regardless of whether the communications provider receives federal support. I appreciate that my colleagues not only supported that suggestion but called for similar edits.
Today, the U.S. has the leading 5G networks in the world. And today’s decision will help extend American leadership by ensuring the security of these vital networks.
I want to thank the staff of the Wireline Competition Bureau for their work on this item. It has my full support.
STATEMENT OF COMMISSIONER JESSICA ROSENWORCEL
Re: Protecting Against National Security Threats to the Communications Supply Chain Through FCC Program
Picture central Montana. It’s vast. There are plains as far as the eye can see. This is, after all, Big Sky country. In this wide-open area you’ll find mostly wheat and cattle farms. But if you wander you’re likely to happen upon Malmstrom Air Force Base. It’s the home of the 341st Missile Wing of the Air Force Global Strike Command. On the outskirts of this Air Force Base, you’ll find silos with more than 100 intercontinental ballistic missiles. As CNN has reported, they “stand at the ready, buried deep underground.” These rockets can deliver nuclear warheads across the ocean thousands of miles away. They are an important part of the United States Strategic Command.
Next to those silos are something a lot more familiar to the Federal Communications Commission. There are clusters of cell phone towers that are operated by a small rural wireless carrier. You might not know it just by looking at them but these towers may represent a bigger risk to our national security than the missiles they surround. That’s because the communications equipment that hangs on these towers is from Huawei, and we have good reason to believe it is susceptible to undue foreign influence and control.
Here’s the thing. We have long known the risks of deployments that feature equipment developed by vendors like Huawei and ZTE. In fact, the federal government and our four nationwide carriers have shunned this technology because of its security vulnerabilities. But a number of small wireless carriers—serving remote areas like central Montana—have not. After all, Chinese-developed equipment is less costly to deploy and the economics of serving less populated rural communities are hard. So in some cases these insecure networks offer the only option for commercial wireless service in and around sensitive United States military bases in rural parts of the country.
It gets worse. This insecure equipment has been subsidized by the United States government and this very agency. It was purchased with money from the universal service fund at the FCC. If a foreign government ever chose to exploit the radio transmitters that have been placed alongside key military installations, it could suck up sensitive data, shut down service, or launch denial of service attacks. And it gets still worse, because as we transition to next-generation 5G networks, insecure equipment in the telecommunications supply chain could take cybersecurity risks to entirely new levels. That’s because 5G networks will allow us to move and access vastly higher quantities of data, and we will depend on them more than prior technologies for a range of mission-critical applications.
This is just one military base in Montana. But there are others like it. Just as there all kinds of essential infrastructure across our rural communities and in many cases nestled nearby are wireless networks with insecure foreign equipment.
We need to do something about it. That’s why eighteen months ago we started a rulemaking at the FCC aimed at fixing this problem. Today we take a long overdue first step to do just that. I have only one complaint with this effort: that it took us so long to get here. This is not hard. It should not have taken us eighteen months to reach the conclusion that federal funds should not be used to purchase equipment that undermines national security.
I support this effort. I also appreciate that my colleagues were willing to consider changes I offered to the decision and rulemaking we adopt today. In critical part, those include exploring our authority over carriers under the Communications Assistance for Law Enforcement Act to expand our prohibition beyond just the universal service program; providing additional guidance to companies so that our rules do not needlessly disrupt day-to-day service and operations in rural America; implementing the lessons learned from the 600 MHz incentive auction in order to maximize funds available for replacing insecure equipment; and seeking to accelerate the FCC’s review of a reimbursement program.
So while I approve today’s decision and rulemaking, I think the FCC has more work to do when it comes to network security. Because our present efforts to remove and replace insecure equipment are not bold enough. We need a coordinated, national plan for managing the future of 5G security—and the evidence all around us makes crystal clear we don’t have one.
When the United States government pursues action against Huawei or ZTE, its objective should be security. But in Washington right now, I fear these issues can easily get swept up into broader trade matters. Despite our actions today, we have to grapple with the fact that at any moment the Administration could trade away our security objectives for some momentary advantage in bilateral trade negotiations. I hope that does not occur, but let’s be honest, it has happened before, when this Administration reversed course on banning ZTE from doing business in the United States. If it happens again, it will have serious consequences for our credibility.
There is also a conspicuous lack of progress in other parts of the government tasked with addressing this set of problems. New supply chain rules from the Department of Commerce that were due last month reportedly have been derailed by interagency disputes. The Bureau of Industry and Security has extended three times—and as recently as just this week—the general license authority for United States companies to continue to work with the very companies the FCC is today trying to remove from our networks. On top of this, the national spectrum policy that was announced in last year’s Executive Order has fallen by the wayside. It was due in July but is nowhere to be found. And the Administration’s tariffs are making it harder for United States companies to invest because by adding up to a 25 percent fee on modems, antennas, and semiconductors it is driving up the cost of 5G deployment.
This does not inspire confidence. It’s not a national plan for action. It’s the right hand not talking to the left with consequences that are broader than Washington—they go directly to heart of our competitiveness in the global economy.
Nor has this gone unnoticed. Last week, The Wall Street Journal documented all the ways the federal government is tripping over itself in its efforts to support the roll out of 5G. This week, the bipartisan leadership of the Senate Select Committee on Intelligence, Committee on Homeland Security and Government Affairs, Foreign Relations Committee, and the Armed Services Committee wrote the White House expressing concern that we do not have a coordinated national strategy in place for 5G—and we need one. I agree.
Looking ahead, I have some ideas about just what a national strategy should include. Here are three to start.
First, we need an approach to supply chain security that recognizes that despite our best efforts, secure networks in the United States will only get us so far because no network stands by itself. Our networks still will connect to insecure equipment abroad. So we need to begin researching how we can build networks that can withstand connection to equipment vulnerabilities around the world. One way to do this is to virtualize and diversify key parts of our networks.
I put forward an idea at Mobile World Congress last month to start this conversation. I suggested the FCC should explore opportunities to support improved security though open radio access networks—or what is known as open RAN. The RAN sits between your device and the core of the carrier network. It is the most expensive and restrictive part of the network today. All major components of a RAN have to come from the same vendor. There is no way to mix and match. But if we can unlock the RAN by virtualizing this component of the network with software and off the shelf hardware, we will increase network diversity and improve security at lower cost. Even better, this effort would push the network equipment future to sectors where the United States is strongest—in software and semiconductors.
I offered this idea again when I testified a few weeks ago before the Senate Committee on Homeland Security and Government Affairs. It garnered support from witnesses from the Department of Homeland Security, Department of Commerce, and the Department of State. That doesn’t always happen in Washington—so we should take advantage of it. Here’s what we should do next. The FCC should explore policies to support open RAN and develop testbeds that bring together stakeholders to help promote more open and interoperable standards. We can even build this effort into our ongoing work to authorize city-wide 5G testbeds in New York and Salt Lake City.
Second, we need to transform the Internet of Things into the Internet of Secure Things. With 5G we are moving to a world with billions of connected devices all around us. But as these connected devices multiply, so do our security vulnerabilities. We need to adjust our policies now because the equipment that connects to our networks is just as consequential for security as the equipment that goes into our networks. And while we may be able to rip and replace the insecure equipment in networks, it would be impractical to think we can do the same for billions of consumer and industrial devices in the Internet of Things.
Here is what we can do. Every device that emits radio frequency at some point passes through the FCC. If you want proof, pull out your smartphone or take a look at the back of any computer or television. You’ll see an identification number from the FCC. It’s a stamp of approval. It means the device complies with FCC rules and policy objectives before it is marketed or imported into the United States. This routine authorization process takes place behind the scenes. But the FCC needs to revisit this process and explore how it can be used to encourage device manufacturers to build security into new products. To do this, we could build on the National Institute of Standards and Technology draft set of security recommendations for devices in the Internet of Things. It covers everything from device identification to device configuration to data protection to access to interfaces to critical software updates. In other words, it’s a great place to start—and with billions of new devices coming our way we should get going now.
Third and finally, we need smarter spectrum policy. To date, the FCC has focused its early efforts to support 5G wireless service by bringing only high-band spectrum to market. This is a mistake. The rest of the world does not have this singular early focus on high-band, millimeter airwaves, and with good reason. These airwaves have substantial capacity but their signals do not travel far and are easily blocked by walls. As a result, commercializing them is costly—especially in rural areas. The sheer volume of antenna facilities required to make this service viable will limit deployment to the most populated urban areas. This means this agency’s early 5G efforts will only deepen the digital divide that already plagues too many communities nationwide.
Moreover, our failure to act early on bringing mid-band spectrum to market has security consequences, too. In many mid-band airwaves worldwide there is only one Chinese vendor offering equipment. That means countries building their 5G networks using this spectrum do not have a competitive choice for secure equipment.
In the United States we have unique skill and scale. That means when deployment takes place here, vendors follow. So it’s time for us to make it a priority to make mid-band spectrum available, too. There is no reason why our next auction should be a millimeter wave auction. Instead, we should be clearing the way for the 3.5 GHz band first and following with a C-band auction thereafter. If we can do that, our carriers will build there and more vendors will compete to offer service. And when we expand the market for secure equipment at home, it also grows abroad. That’s exactly what we need if we want to encourage diversity in open RAN architectures, too. But best of all, it will mean we can extend the promise of secure 5G wireless service to everyone, everywhere in the country.
Because in the end, that’s truly the goal. We want urban America, rural America, and everything in between to know the opportunities of next generation wireless service. But as today’s decision and rulemaking make clear—it is not enough just to have access because that access also has to be secure. So if we have vulnerabilities in our networks we need to fix them. If they are in rural areas adjacent to sensitive military installations in Montana or anywhere else across the country we need to replace them. But above all we need to get started. Because this effort represents just that, it has my support.
STATEMENT OF COMMISSIONER GEOFFREY STARKS
Re: Protecting Against National Security Threats to the Communications Supply Chain Through FCC Program
Network security is national security. As we move into a 5G world where billions of IoT devices will operate our critical infrastructure, health care system, financial sector and transportation systems via mobile wireless transmissions, secure networks are not only necessary to preserve the confidentiality and integrity of our communications, but also to protect our public safety. Today, we take an important step towards protecting these networks by prohibiting the use of universal service funds for the purchase of equipment from the Chinese telecommunications companies Huawei and ZTE. While many talk of security issues surrounding “back doors,” I have said many times that the untrustworthy equipment from these companies could readily serve as a “front door” for Chinese intelligence gathering, at the expense of our privacy and national security. I fully support the effort to ban future purchases of such equipment using USF funds.
While that is necessary, it is not sufficient in addressing this issue of national security. Back in May, I published an op-ed first raising my concerns that we cannot afford to think of this issue asymmetrically, focusing strictly on prohibiting untrustworthy equipment from entering our networks, and failing to account for the reality that we already have the same equipment in our infrastructure. Lots of it. I have consistently said that the problem is real, it is here already, and our failure to address existing untrustworthy equipment leaves American citizens vulnerable to data siphoning and foreign interference. That’s why I’m glad that we’re issuing a Further Notice of Proposed Rulemaking seeking comment on the problem of such equipment and how to address it. As I said back in May, we need to find this untrustworthy equipment, fix the problem, and fund the remedial effort – Find It, Fix It, Fund It.
As today’s item discusses, although the data collection we authorize today should provide much more information, our record in this proceeding to date suggests that much of the Huawei and ZTE equipment in our networks is held by certain rural wireless carriers. Since I first spoke on this issue, I’ve traveled the country and personally met with nearly two dozen of these carriers and their representatives. I held a workshop this summer at the Commission where I heard from rural carriers, equipment manufacturers, national security experts, academics, and various other stakeholders. A few weeks ago, I met with the Department of Homeland Security and the Chamber of Commerce in Denver to discuss these issues with rural carriers. And just yesterday, I published a white paper summarizing the facts, feedback and recommendations that came from those meetings.
Here’s what I’ve learned. These carriers are made up of hard-working men and women that serve hard-to-reach communities that the major carriers can’t or won’t serve, operating with small teams and tight budgets. And they’re worried. They’re concerned that they’ll be punished for using Chinese equipment in their networks that they bought lawfully and in good faith, in many cases before the full strength of our concerns about network vulnerabilities linked to Chinese telecom manufacturing surfaced. They now understand the significant security risks associated with their Chinese network equipment and software updates. They understand how manufacturers are obligated under Chinese law to cooperate with the government’s demands for network access. They understand how their vulnerable equipment could be used for surveillance, disruption of critical services, or cyber-attacks. And they want to fix it. But they need our help, and this FNPRM is the first step on the road to doing so.
But such assistance shouldn’t come without considering how we got into this situation and how to avoid duplicating it in the future. Based on information available today, the item indicates that replacing untrustworthy equipment in our networks could cost as much as $2 billion, and the actual figure could be even more. We can’t afford to do this again. That’s why I proposed the addition of questions seeking comment about what factors led to the dependence of certain carriers on untrustworthy equipment and what measures the Commission could and should take to ensure that all telecommunications carriers obtain and rely on equipment only from trusted vendors. I’m particularly interested in hearing about American-made alternatives – both hardware and software-based – to untrustworthy or insecure telecom equipment.
As our world becomes even more interconnected, the FCC has a critical role to play in protecting that security. The Commission must be proactive, not reactive, in our national security measures in order to avoid problems like untrustworthy network equipment in the future. And though we’ve done much, much remains to be done. Here and going forward are a few leading issues on which you will be hearing from me.
First, we need to create an FCC National Security Task Force. The Commission currently reviews national security issues on a distributed basis among the various bureaus. For example, the International Bureau refers applications for Section 214 licenses involving foreign ownership to “Team Telecom” for national security review. The Public Safety and Homeland Security Bureau participates in the National Security Council’s NSPM-4 process. And the Wireline Competition and Wireless Telecommunications Bureaus consider national security in license transfers and number portability matters. It remains to be seen which bureau will administer the tremendous task that we vote on here today in setting policy to handle untrustworthy foreign equipment.
This distributed structure makes internal coordination challenging and risks inconsistent treatment of national security issues between different bureaus. These issues are not going to diminish. Quite the opposite, in fact, as I expect that the Commission will continue to see an increase in the number and complexity of issues that will touch on national security. Security issues surrounding Team Telecom, CFIUS, 214 licensing, numbering and so forth are becoming more common. We must be more intentional than ever to ensure that the whole of the FCC is more coordinated, more deliberative, and more collaborative. The FCC should issue a Public Notice creating a National Security Task Force, like other task forces established by the FCC in the past. I look forward to discussing this idea with my colleagues.
Second, as I recently wrote in the San Jose Mercury News, we must seize this opportunity to encourage the growth of American technology for next generation networks. We cannot entrust the technological solutions to the challenges of 5G to geopolitical rivals. Rather, we must support American innovation to meet these challenges. American ingenuity has historically dominated the research, development and deployment of telecommunications technology. This must continue for 5G, and American companies are already developing alternatives to traditional telecom equipment infrastructure through software-enabled 5G and virtualized radio access networks for cloud-based 5G. 5G infrastructure development must represent the next frontier of American technological leadership.
American 5G equipment will be safer because we can be confident about it observing best practices and protecting our intellectual property and privacy from foreign actors. Most importantly, American companies do not answer to the directives of adversary states with no clear rule of law. Moreover, while artificially low prices may have provided a temporary advantage to Huawei and ZTE, I believe that the telecom industry has come to realize that the cost and inconvenience of fixing and replacing untrustworthy equipment far outweighs any short-term savings. I believe America can rise to the challenge and ultimately come out of this situation more advanced, more secure and more prosperous.
Third, our network security depends on the equipment that carries our communications traffic, and critically in some instances also on traffic that leaves our domestic networks. Like many countries around the world, the United States relies on submarine cables to carry its traffic across the oceans. Pending before the Commission now is an undersea cable application from US companies that have partnered with Dr. Peng Telecom & Media Company, one of the largest telecommunications conglomerates in China, for a cable running between Los Angeles and Hong Kong. The project is designed to carry a large portion of the communications between the U.S. and Asia, and a recent Wall Street Journal report indicated that the Justice Department has expressed concerns that the communications could be stolen, blocked, or modified on the Hong Kong end. I share these concerns as an initial matter and want to learn more about what measures can be done, if any, to prevent the Chinese government from eavesdropping, blocking or tampering with these communications.
Finally, the nation’s first primaries will take place in a few months. With that in mind, I’ve been focused on the security of our election system. The threat is real – our intelligence agencies have confirmed that foreign actors sought to tamper with our election systems in 2016 and predict that they will try again in 2020. And while much of the media attention has centered on the use of social media to confuse and polarize us, our networks are also under attack. According to our intelligence agencies, Russian-affiliated cyber actors targeted all 50 state election systems during the 2016 voting cycle, including attacks on voting-related websites and voter registration databases. Although they weren’t able to change individual votes or vote totals, we should expect another round of attempts in 2020.
That’s one reason why our network security is so important. While completely disconnected voting machines are the most secure, research shows that some states still use the same networks to transmit their voting results that we use for our mobile phones. Indeed, the Federal Election Commission estimates that more than 1,000 of these machines remain in use in states like Wisconsin and Florida.
Once a device is connected to a wireless network, it’s subject to the same threats as other wireless communications. Voting results can be blocked or altered by criminals or adversary states using IMSI catchers or by hacking untrustworthy or insecure routers. Because of these risks, I’ve reached out to the major wireless carriers to discuss how they’re protecting their network security and working with election officials. The FCC has a statutory obligation to protect the national defense – the security of our elections clearly qualifies in my mind.
Moving forward, the Commission’s policies must reflect the new telecom landscape. The recent influx of new, unfamiliar actors into the telecom space has rendered the old system of operations, built upon trust and familiarity, quaint. I will do everything in my power to keep Americans secure now and in the future. Thank you to my colleagues for their support of my edits to this item and thank you to the Wireline Competition Bureau and the other Commission staff who worked on this item for your excellent work.