By: Andrew Regitsky
In the last few years Congress and the FCC have increasingly become cognizant of the dangers of hostile foreign countries using the telecommunications networks of companies they control to eavesdrop on or even potentially sabotage the U.S. networks they interconnect with or provide parts for. Formal steps to protect our networks began with Congress establishing the Secure and Trusted Communications Networks Act of 2019 (Act). The Act was designed to be (1) a mechanism to prevent communications equipment or services that pose a national security risk from entering U.S. networks, and (2) a program to remove any such equipment or services currently used in U.S. networks.
Under the Act, in June 2020, the Homeland Security Bureau designated Chinese companies Huawei and ZTE as national security threats to the integrity of our communications networks and prohibited the use of Universal Service Fund support to any company using equipment from those companies.
Last December, Homeland Security published the Covered List, which identifies “covered” equipment and services that pose an unacceptable risk to national security or to the security and safety of U.S. persons. Only Congress or another government agency can determine which equipment and services are on this list. Currently, the list includes equipment and services from five Chinese companies:
As mentioned above, telecommunications equipment produced or provided by” Huawei Technologies Company or ZTE Corporation, or their respective subsidiaries and affiliates are banned.
Also banned are video surveillance and telecommunications equipment produced or provided by” Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company, or their respective subsidiaries and affiliates.
While these actions were clearly needed, the FCC plans on taking two new steps to protect U.S. telecom networks from harmful interference from foreign actors at its upcoming June 17, 2021, meeting. Here it gets a little technical.
First, in a Notice of Proposed Rulemaking (NPRM) in Docket No. 21-232, the Commission will seek industry comments on a proposal to prohibit all future authorizations for equipment on the Covered List, including equipment subject to its own certification and all “Supplier’s Declaration of Conformity” processes associated with equipment authorization. The goal is to “establish a clear prohibition on authorization of any covered equipment in our equipment authorization process regardless of the process to which that equipment is subject.”
The agency seeks comments on whether to revise its rules on equipment currently exempted from the equipment authorization requirements to no longer permit this exemption for equipment on the Covered List. According to the Commission, exempt devices generate such low levels of RF emission that they have virtually no potential for interfering with authorized radio services, however, they could still increase security concerns if they are used with covered equipment.
Additionally, the FCC seeks comments on whether to revoke authorizations that previously have been granted for equipment on the Covered List.
Finally, the FCC proposes to require applicants who wish to participate in future Commission auctions to certify that their bids do not and will not rely on financial support from any entity that the Commission has designated as a national security threat to the integrity of communications networks or the communications supply chain. The Commission seeks comments on this proposal.
At its June meeting, the Commission is also planning on issuing a Notice of Inquiry (NOI) in Docket 21-233 in which it asks the industry how it can leverage its equipment authorization program to encourage companies manufacturing equipment that connect to networks in the U.S. to consider cybersecurity standards and guidelines. If you tried to get gas recently you know how important it is to protect our networks and supply chain from hackers. Heck, the country may even be about to suffer a meat shortage due to lax cyber security!
The industry deadline for filing comments about either the NPM or NOI will be 30 days after each appears in the Federal Register. Obviously, all companies should stay on top of these proceedings to ensure we protect our networks.