FCC to Wade into the US Telecom Supply Chain in the Name of National Security
The Federal Communications Commission (FCC) made headlines on March 26 when Chairman Ajit Pai proposed that the FCC bar several companies, in the name of national security, from participation in the FCC programs. The FCC plans to vote on this proposal at its next Open Meeting on April 17, 2018.
The proposal was prompted by letters he received from 18 Congressional leaders last December, which asserted the potential for compromised security of U.S. telecommunications networks through insecure equipment supply chains required FCC consideration. Chairman Pai responded to the Congressional letters by noting that FCC itself does not purchase or use the equipment from the named companies and would not intend to take service from a service provider that does. The Chairman however did not stop there; he is proposing that certain companies be barred from participating in the Universal Service Fund (USF) program that subsidizes carrier equipment.
The December letters referenced a 2012 Congressional House Permanent Select Commission on Intelligence (HPSCI) report that contained information about the alleged interconnectedness of Huawei, ZTE and the Chinese government, as well as Kaspersky Lab’s alleged ties to the Russian government. Each of these companies was named in an FCC draft Notice of Proposed Rulemaking (Notice) as potentially compromising the security of U.S. networks and whose products would be banned.
According to the FCC draft, the use of network equipment such as routers and switches could provide what the chairman called a “back door” avenue for hostile governments to inject viruses, launch denial of service attacks, steal data and more. While the FCC by itself cannot safeguard the integrity of the U.S. communications supply chain, the Notice of Proposed Rulemaking (Notice) is intended to be part of an overall effort to enhance network security. The FCC would in effect be targeting U.S. networks that receive USF program funds, a very indirect way of addressing the issue.
The FCC’s Interest in and Authority over Security of Communications Networks
By statute the FCC is required to promote nationwide and worldwide wire and radio communications service for the purpose of the “national defense” and preserving the “safety of life and property.” Through advisory and working groups such as its Communications Security, Reliability and Interoperability Council (CSRIC), the FCC works with industry to identify and promote best practices across a range of areas, including more recently network and device security. The latest CSRIC has been charged by the FCC to identify mechanisms to mitigate threats to 5G network reliability and security posed by vulnerable supply chains. The FCC however, has no history of oversight on supply chain management.
FCC legal authority to adopt supply chain rules stems from Sections 201(b) and 254 of the Communications Act, and the draft states that promoting national security is consistent with the public interest. The draft Notice also asks for cost benefit analysis of the proposed rule banning products from specific companies from the program.
The draft Notice asks a number of questions about how any FCC ban on the integration of equipment of particular companies into subsidized U.S. networks might work. Given the Commission’s lack of familiarity with these forms of supply chain control, it is perhaps not surprising that the Notice focuses on interdicting named companies rather than focusing on the components they make that in fact may be embedded within the products of the other entities.
The proposed USF funding ban would not be retroactive, but the draft document asks if there are better alternatives to enhance network security, including whether there are other federal agency models to be emulated. While the Notice contemplates that the ban would encompass future upgrades to existing equipment or services, it also asks how that might work. Further, given the fungibility of money, whether the prohibition should be very broadly drafted so as to ban use of USF supporter in any situation “where equipment or services produced or provided by a company posing a national security threat to the integrity of communications networks or the communications supply chain. . . ” (Draft Notice at para 16).
The draft Notice proposes to apply a ban on any purchases from the named companies that would cover not only the USF funding recipient but any contractor or subcontractor. The Notice also asks for comment on how ongoing multiyear contracts be brought into the fold through grandfathering or other means.
How Would Companies be Identified?
In order to apply any ban, the FCC would first have to identify the entities it would cover. Certainly the FCC is not generally in the business of determining which companies pose a threat to national security. The draft Notice seeks comment on whether the FCC could establish its own criteria or rely on other existing statutes that apply to the provision of services or equipment to the government. There are also lists of prohibited providers that are maintained by the GSA, for example, that might be considered.
In addition, the draft Notice seeks comment on how the FCC should enforce the proposed rule if it is adopted. The program contemplates recovery of funding paid in violation of program rules. The draft Notice asks which party, the provider or the customer, is in the best position to prevent any rule violation and who should be liable and what sort of penalty, including permanent disbarment from the program be considered.
If adopted at the April 17 meeting, the Notice would be put out for public comment prior to the promulgation of any rule. Given the unusual nature of the proposal, we will continue to follow it as the proposal develops and is shaped.