The US Office of National Intelligence and other national security agencies have described the risk of intrusion by the People’s Republic of China (PRC) enabled through technology like Huawei smartphones, Hikvision video cameras, and Lenovo laptops. Substantive federal policy enacted by the National Defense Authorization Act (NDAA) may restrict some products and firms from federal procurement, but these products are still widely available for consumers and enterprise and are unwittingly purchased by state governments. The Federal Communications Commission (FCC) wants to close this loophole. Its Congressional authority and mandate to do so is described among other legislation in the 2019 Secure and Trusted Networks Act which established the FCC’s “Covered List” and the roadmap for adding entities which pose an unacceptable risk to national security.
Co-sponsor Senator Marco Rubio (R-FL) noted that “Chinese state-directed companies like Huawei and ZTE are known national security threats and have no place in our telecommunications network. I am grateful that the Senate and House passed this bill, which will help keep compromised equipment from bad actors out of critical American infrastructure.”
“This legislation adds an extra layer of security that slams the door on entities that pose a national security risk from having a presence in the U.S. telecommunications network,” said House co-sponsor Republican Whip Steve Scalise (R-LA). Co-sponsor Rep. Anna G. Eshoo (D-CA) added, “Equipment made by Huawei and ZTE, companies linked to the Chinese government, increases the vulnerabilities of our telecommunication systems and puts our national security at risk. Our bipartisan, bicameral bill prohibits the FCC from issuing licenses for any telecommunications equipment made by Huawei or ZTE.”
FCC Commissioner Brendan Carr welcomed the Act, noting it “would close a glaring loophole that Huawei and others are exploiting today to place their insecure gear into our networks” and applauded “strong bipartisan support for this legislation.” Carr called for the expansion of the FCC’s Covered List during a China Tech Threat event and suggested starting the process for the addition of DJI, the Chinese drone maker whose sensitive data calling makes it a “Huawei on wings.”
Cyberattacks on Americans are increasing in sophistication, severity and frequency. An analysis by the Carnegie Endowment for International Peace found that major global attacks on financial institutions alone increased more than 350 percent between 2017 and 2019. As policymakers have largely focused on software threats, malicious hardware has largely flown under the radar. America’s use of equipment and devices produced by PRC state-owned and military-aligned companies facilitates PRC intrusion.
Indeed the FCC reports that Huawei received some 3,000 equipment authorizations since 2018. A 2019 report by the Department of Defense Inspector General found that the Pentagon continued to purchase millions of dollars of off-the-shelf products from Lenovo and Lexmark, companies with known ties to the PRC government and military.
A letter to Senate and House leaders from China Tech Threat and more than 20 bipartisan organizations praised the swift passage of the legislation and called on the FCC to expand the Covered List aggressively. “There are many other PRC entities making products, services, and components which pose an unacceptable national security risk to Americans and which should be considered for Covered List addition” including the Yangtze Memory Technologies Corp (YMTC), Lenovo, and TikTok.
Cybersecurity expert and author of Cybersecurity for Dummies Joseph Steinberg has warned of the cyberthreat posed by China for over a decade. He observes the Secure Equipment Act as a positive development but woefully deficient in size and scope. “Is the FCC going to ban all modern smartphones and laptops… Where do you think the components inside your Apple or HP laptop are made? And what about the constant flow of off-brand, inexpensive IoT devices available online, and shipped to American homes directly from China?” asked Steinberg, who recently joined the Advisory Board of Sepio Systems, a leader in identifying and addressing hardware component cybersecurity vulnerabilities. “We need far more than just the FCC not approving equipment authorizations; we need government to actually prevent the flow of potentially compromised components into Americans’ devices, and to ensure that users across the nation have methods of detecting and addressing the serious dangers posed by poisoned components.”