Congress and the President can work together effectively if the problem arises. A good example is the recent 2021 Secure Equipment Act which passed both houses of Congress almost unanimously and signed almost immediately by President Joe Biden. This critically important legislation strengthens the authority of the Federal Communications Commission (FCC) to deny equipment approvals from its “covered list” entities. A previous congress established a process for national security authorities (e.g. the Director of National Intelligence) to identify entities posing an unacceptable risk to national security (e.g. Huawei, ZTE) to be added to the covered list of the FCC. The bipartisan bill reflects a key principle of US communications law: Deploying equipment to use radio frequencies is a privilege, not a right.
“In today’s increasingly connected world, we need to bring our technology to life with our values. noted Senator Ed Markey (D-MA), co-sponsor of the bill. “That’s why our bipartisan legislation will keep compromised equipment out of US telecommunications networks and ensure that our technology is safe for consumers and secure for the United States.”
Co-sponsor, Senator Marco Rubio (R-FL) Noted that “Chinese state-run companies like Huawei and ZTE are known threats to national security and have no place in our telecommunications network. I am grateful that the Senate and House have passed this bill, which will help keep the compromised equipment of bad actors out of critical US infrastructure. “
“This legislation adds an additional layer of security that shuts the door on entities that pose a national security risk from having a presence in the US telecommunications network,” said House co-sponsor Republican Whip Steve Scalise (R-LA). Co-sponsor Rep. Anna G. Eshoo (D-CA) added“Equipment manufactured by Huawei and ZTE, companies linked to the Chinese government, increase the vulnerabilities of our telecommunications systems and put our national security at risk. Our bipartite, bicameral bill prohibits the FCC from issuing licenses for any telecommunications equipment manufactured by Huawei or ZTE. “
FCC Commissioner Brendan Carr welcomed the Act, noting it would “close a glaring loophole that Huawei and others are exploiting today to place their unsecured equipment in our networks” and applauded “strong bipartisan support for this legislation.” Carr called for expanding the FCC’s covered list at a China Tech Threat event and suggested starting the process of adding DJI, the Chinese drone maker whose sensitive data call makes it a “Huawei on wings “.
Cyber attacks against Americans are increasingly sophisticated, serious and frequent. Analysis by the Carnegie Endowment for International Peace found that major global attacks against financial institutions alone increased by more than 350% between 2017 and 2019. While policymakers have largely focused on software threats, malicious hardware has largely gone under the radar. The use by the United States of equipment and devices produced by PRC state-owned companies and aligned with the military facilitates intrusion into the PRC.
Indeed, the FCC reports that Huawei has received some 3,000 equipment authorizations since 2018. A 2019 report by the Inspector General of the Department of Defense, found that the Pentagon continued to purchase millions of dollars in off-the-shelf products from Lenovo and Lexmark, companies with known ties to the PRC government and military .
A letter the Senate and parliamentary leaders of China Tech Threat and more than 20 bipartisan organizations hailed the speedy passage of the legislation and called on the FCC to aggressively expand the covered list. “There are many other PRC entities that manufacture products, services and components that pose an unacceptable risk to the national security of Americans and that should be considered for addition to the covered list,” including Yangtze Memory Technologies Corp (YMTC), Lenovo and TikTok.
Cyber security expert and author of Cyber security for dummies Joseph steinberg warned of the cyberthreat posed by China for more than a decade. He sees the Secure Equipment Act as a positive development but woefully flawed in size and scope. “Is the FCC going to ban all modern smartphones and laptops … Where do you think the components are? inside your Apple or HP laptop are made? And what about the constant stream of cheap, unbranded IoT devices available online and shipped to American homes straight from China? ”Asked Steinberg, who recently joined the advisory board of Sepio Systems, a leader in identifying and resolving cybersecurity vulnerabilities in hardware components. “We need more than just the FCC that doesn’t approve equipment authorizations; we need the government to actually prevent the flow of potentially compromised components into U.S. devices and ensure that users across the country have methods to detect and deal with the serious dangers posed by poisoned components.
An overview of the legislation and its process is available here.