What to Make of New U.S. Actions Against Foreign Telecoms

Justin Sherman
Friday, April 17, 2020, 8:00 AM

The administration recently took two steps to address risks associated with foreign telecom firms. But there is still much to be done in architecting a broader supply chain strategy.

Attorney General William Barr addresses a crowd from a Department of Justice press conference, Feb. 2020 (https://www.justice.gov/entity-popup/file/1246966/Public Domain)

Published by The Lawfare Institute

On April 4, President Trump signed an executive order on “Establishing the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector.” Just five days later, the Department of Justice issued a press release detailing interagency action on a similar issue, stating that:

Today, interested Executive Branch agencies unanimously recommended that the Federal Communications Commission (FCC) revoke and terminate China Telecom (Americas) Corp.’s authorizations to provide international telecommunications services to and from the United States. China Telecom is the U.S. subsidiary of a People’s Republic of China (PRC) state-owned telecommunications company.

The “interested” agencies involved in the recommendations, as specified in a footnote, were the Departments of Justice, Homeland Security, Defense, State, and Commerce and the United States Trade Representative.

These two actions have significance on their own. But taken collectively, they mark another concrete step in the United States’s campaign to limit the digital and economic influence of Chinese telecommunications companies both within and outside U.S. borders. The moves also demonstrate that current American efforts to limit the influence of the Chinese telecommunications sector are much broader than just the well-publicized targeting of Chinese telecom giant Huawei.

And where the Huawei saga was characterized by a confused messaging campaign by different components of the U.S. government that yielded extremely limited results, there is an opportunity with these recent moves for the U.S. government to think much more carefully about how it communicates the national security risks posed by foreign telecommunications companies and the reasons for taking actions against specific firms.

The Executive Order

The executive order establishes the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (elegantly captured by the acronym CAFPUSTSS). Members of the new committee have 90 days from the enactment of the executive order to specify when the committee will first convene. Its primary objective is to “assist the FCC in its public interest review of national security and law enforcement concerns that may be raised by foreign participation in the United States telecommunications services sector.” In short, the committee is meant to limit foreign influence on U.S. telecommunications where security risks are identified—and it will do this by looking at Federal Communications Commission licenses and applications.

The executive order charges the Department of Justice with providing funding and administrative support for the new committee. The attorney general is to serve as the chair, and the committee’s other members include the secretary of defense, the secretary of homeland security, and “the head of any other executive department or agency, or any Assistant to the President, as the President determines appropriate.” Advisory roles are given to the secretaries of state, treasury and commerce; the director of national intelligence (DNI); the U.S. trade representative; the president’s national security adviser; and several others. But importantly, the chair (who today would be Attorney General William Barr)—except where specified otherwise in the order—“shall have the exclusive authority to act, or to authorize other Committee Members to act, on behalf of the Committee.”

The committee will have the authority to review both new applications for licenses to the FCC as well as licenses already granted. While the executive order’s title focuses on telecommunications, the FCC issues licenses for a variety of companies such as television and radio broadcasters, and the language in the order is quite broad. The committee can look for various kinds of information to inform its decision on these licenses and applications, including “classified information and otherwise privileged or protected information.” It may also “provide such information to the FCC as necessary on an ex parte basis.” For applicants that refuse to turn over information in response to particular committee requests, the committee can factor that noncooperation into its recommendation.

After the review process, the committee can recommend several actions to the FCC: dismissal of an application, denial of an application, granting an application only if mitigation measures are taken by the applicant, modifying an existing license with the condition of complying with mitigation measures, and revoking a license altogether.

For those familiar with the Committee on Foreign Investment in the United States, or the CFIUS, this general idea may sound familiar—an interagency commission screens a particular decision (in this case, FCC applications and licenses; in the CFIUS’s case, foreign investments) and then recommends anything from a slight change in the structure of a license or an investment to completely undoing a license or investment altogether. This recommendation is determined by a committee member vote, which is to be broken by the chair in case of a tie. However, many of the considerations the committee is supposed to weigh in making these recommendations remain unclear: for instance, whether factors such as a company’s data storage practices matter, and, if so, how much they matter and how they should be assessed. It is also not stated explicitly in the executive order whether the FCC can ignore a recommendation from the committee.

One important element of this executive order is that information reviewed by the committee is, generally speaking, to stay with the committee. Some exceptions are carved out, including for selective ex parte communication with the FCC and for potentially sharing information in an appropriately classified manner with the CFIUS. But the executive order is clear on the classification requirements, and these provisions seem intended to keep the nascent committee in compliance with existing laws and policies around classified or otherwise privileged or protected information.

It’s worth noting as well that the intelligence community will play a central role in this committee. The executive order mandates that for each license or application the committee reviews, the DNI “shall produce a written assessment of any threat to national security interests of the United States posed by granting the application or maintaining the license,” soliciting and incorporating the views of the intelligence community “as appropriate.” The DNI is also required to ensure that the intelligence community continues analyzing additional relevant information and disseminating it to the committee during the review process.

Finally, the order ascribes significant responsibility to the committee members and the DNI in operationalizing the executive order and specifying certain parameters of its operation:

Within 90 days from the date of this order, the Committee Members shall enter into a Memorandum of Understanding among themselves and with the Director of National Intelligence (or the Director’s designee) describing their plan to implement and execute this order. The Memorandum of Understanding shall, among other things, delineate questions and requests for applicants and licensees that may be needed to acquire information necessary to conduct the reviews and assessments described in sections 5 and 6 of this order, define the standard mitigation measures developed in accordance with section 2(e) of this order, and outline the process for designating a Lead Member as described in section 4 of this order.

The Department of Justice Press Release

The Department of Justice’s April 9 announcement—that a collection of executive branch agencies recommend that the FCC revoke and terminate China Telecom’s authorizations to provide telecom services in the U.S.—relates to this executive order. That’s because this action, the department says, “was taken under the legacy, ad hoc arrangement of the Departments of Justice, Defense, and Homeland Security, formerly known as Team Telecom, the operation of which was recently formalized by Executive Order dated April 4, 2020, establishing the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector.” In other words, an informal process in the executive branch led to the recommendation to revoke China Telecom’s license.

It then adds: “Applications referred by the FCC after the date of the Executive Order will be handled under the process outlined therein.” The Justice Department announcement reveals that the executive order is formalizing a process already informally set up in the executive branch. This ad hoc group had a similar purpose of reviewing foreign influence in the U.S. telecom sector, looking for security risks. It’s possible, then, that this recent recommendation about China Telecom is one of the last such recommendations, if not the last, to be made without the formal review process set up in the executive order. Team Telecom has made such recommendations before as well, including the recommendation that informed the FCC’s decision last year to block China Mobile from operating in the U.S.

The Justice Department lists five main reasons for the executive branch recommendation for China Telecom:

  • the evolving national security environment since 2007 and increased knowledge of the PRC’s role in malicious cyber activity targeting the United States;
  • concerns that China Telecom is vulnerable to exploitation, influence, and control by the PRC government;
  • inaccurate statements by China Telecom to U.S. government authorities about where China Telecom stored its U.S. records, raising questions about who has access to those records;
  • inaccurate public representations by China Telecom concerning its cybersecurity practices, which raise questions about China Telecom’s compliance with federal and state cybersecurity and privacy laws; and
  • the nature of China Telecom’s U.S. operations, which provide opportunities for PRC state-actors to engage in malicious cyber activity enabling economic espionage and disruption and misrouting of U.S. communications.

Some of this relates to broader concerns already raised about Chinese technology companies, such as the extent to which Beijing can compel firms to turn over data or insert backdoors into telecommunications equipment, for example. The Justice Department statement also mentions other potential concerns with the company that the U.S. government does not express as frequently about Chinese telecommunications firms.

The FCC published a trove of documents on its website that give further insight into Team Telecom’s investigation into the Chinese telecommunications company. For one, there is a Foreign Intelligence Surveillance Act notice, filed by the Department of Justice to China Telecom on April 9 about intent to “use or disclose in any proceedings [in the investigation into China Telecom] information obtained or derived from electronic surveillance conducted pursuant to the Foreign Intelligence Surveillance Act of 1978.” What does this reveal? Clearly, classified information-gathering went into Team Telecom’s review process, much like the executive order formally sets out for the new committee going forward.

In the full (though redacted) PDF document of the executive branch’s recommendation, there is also reference to “disruption and misrouting of U.S. communications.” The PDF explicitly confirms what I initially suspected when reading the press release’s mention of “disruption and misrouting of U.S. communications.” The PDF makes clear that this refers to China Telecom’s role in manipulations of the Border Gateway Protocol, or BGP—an important internet protocol that routes global internet traffic. Malicious actors are able to redirect the path of internet traffic flows by manipulating the routing information that feeds into this protocol, enabling the actors to instead route data through particular locations. This allows the traffic to be redirected to capture data as it flows across the internet in real time, potentially compromising the data’s availability in the present (that is, stopping it from or delaying it in reaching its destination) as well as potentially compromising the data’s confidentiality in the future (that is, uncovering what the traffic contained).

In 2019, to give one example, China Telecom was involved in a BGP hijacking that sent European traffic through China Telecom for two hours. A widely cited 2018 study in Military Cyber Affairs—which the recommendation explicitly referenced—likewise pointed to “China Telecom [seeming] to employ its distributed points of presence (PoPs) in western democracies’ telecommunications systems to selectively redirect internet traffic through China.” The reference in the report to China Telecom’s involvement in the concerning rerouting is commendable—BGP hijacking is a key vulnerability in global internet architecture that merits further scrutiny.
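An added illustration, not part of the original article or of the recommendation it discusses: a minimal sketch of route origin validation (RFC 6811), one check network operators use against the kind of routing manipulation described above. The article does not mention RPKI; the prefixes, AS numbers and function names below are constructed for the example.

```python
import ipaddress

# Constructed ROAs: (prefix, max_length, authorized origin ASN). These are
# documentation prefixes and ASNs; none of the values come from the article.
ROAS = [
    (ipaddress.ip_network("198.51.100.0/24"), 24, 64500),
]

# Constructed announcements as (prefix, origin ASN).
ANNOUNCEMENTS = [
    ("198.51.100.0/24", 64500),    # the authorized holder
    ("198.51.100.128/25", 64511),  # more-specific route from an unauthorized origin
    ("203.0.113.0/24", 64501),     # no ROA covers this prefix
]


def validate(prefix, origin_asn, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement (RFC 6811)."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_net, max_len, roa_asn in roas:
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        # A match needs the authorized origin AND a length within maxLength.
        if roa_asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"


def best_origin(dest_ip, announcements, drop_invalid):
    """Longest-prefix match over accepted routes; returns the origin ASN or None."""
    ip = ipaddress.ip_address(dest_ip)
    best = None
    for prefix, asn in announcements:
        net = ipaddress.ip_network(prefix)
        if ip not in net:
            continue
        if drop_invalid and validate(prefix, asn) == "invalid":
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, asn)
    return best[1] if best else None


if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(f"{prefix:20} AS{asn}  {validate(prefix, asn)}")
    for drop in (False, True):
        origin = best_origin("198.51.100.200", ANNOUNCEMENTS, drop)
        print(f"drop_invalid={drop}: traffic to 198.51.100.200 follows AS{origin}")
```

Without filtering, the longer prefix wins the route lookup and traffic follows the unauthorized origin; once invalid routes are dropped, the lookup falls back to the authorized /24.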

But the interagency challenge to China Telecom is certainly not just about BGP. The full recommendation elaborates on specific factors that Team Telecom has considered in the past for the China Mobile recommendation, including:

  • Whether the carrier has a past criminal history; ...
  • Whether the carrier is vulnerable to exploitation, influence, or control by other actors; ...
  • Whether the carrier will be required, by virtue of its foreign ownership, to comply with foreign requests (e.g., requests for communications intercepts) relating to the carrier’s operations within the United States, or whether the carrier is otherwise susceptible to such requests and/or demands made by a foreign nation or other actors; ...
  • Whether the carrier’s operations within the United States provide opportunities for the carrier or other actors to identify and expose national security vulnerabilities; ...
  • Whether the Executive Branch will be able to continue to conduct its statutorily authorized law enforcement and national security missions, which may include issuance of legal process for the production of information or provision of technical assistance.

The PDF also emphasizes that under Section 214 of the Communications Act, carriers must show that “present or future public convenience and necessity require” their services in order to receive an FCC certificate. The FCC has clarified that applicants have the burden to prove that their activities are in the public interest, and that includes a burden to refute or respond to, where applicable, executive branch-identified national security and law enforcement risks. Recently, the document notes, the executive branch and the FCC have had growing concerns about Chinese telecommunications companies and related security risks.

Ultimately, “the Executive Branch recommends revocation and termination of China Telecom’s existing international Section 214 authorizations to operate as an international common carrier.”

Searching for a Broader Strategy

I wrote recently about TikTok, mobile apps and national security risks, arguing that the U.S. government—broadly speaking, including executive branch agencies and legislators in Congress—ought to evaluate decisions about TikTok in a far broader context than just worries about one app. “A cohesive and repeatable strategy for making these decisions,” I argued, “is far superior—from economic, national security and rights-protection perspectives—than a whack-a-mole-style approach that might yield a sensible policy but not with a sensible process.”

While there are many differences between the national security risks posed by TikTok and those associated with Chinese telecommunications companies (TikTok is a mobile app while China Telecom is, well, a telecom), my underlying point about broader strategy (or lack thereof) remains.

We saw a lack of broader strategy around telecommunications security risks play out with the United States’s campaign against Huawei, which is, of course, a telecom. There are real national security risks attached to letting Huawei supply elements of national 5G telecommunications networks (at least from the perspective of the U.S. and many other countries). There are also real economic concerns states could raise about Huawei. Principally, what happens when a single company—and a state-backed one, nonetheless—controls the majority of the global market for a next-generation communications technology?

Yet, the U.S. has not been able to convince allies to follow suit and ban Huawei from supplying 5G components for their own 5G networks. Why has the U.S. been unable to coalesce allied support around its Huawei position? A significant part of that comes back to the Trump administration’s confused messaging campaign: one that didn’t clearly distinguish between risks, one that didn’t make it clear that national security issues weren’t being used as playing pieces in a trade war, one that wasn’t even clear what it wanted out of the campaign itself. For all the U.S. did to try and limit Huawei’s influence in global 5G networks, the effort largely fell flat amid a slapdash war on the Chinese company.

To be clear, there are certainly people in the executive branch who desire to more robustly build out the United States’s approach to telecommunications supply-chain security. This is also clear from reading the details in Team Telecom’s recommendation. A good deal of U.S. incoherence on Huawei could be attributed not to lack of desire in the executive branch to solve these complicated problems, but to the administration’s attempt to use its campaign against Huawei to bolster its image amid a trade war.

As the U.S. government continues to build out measures to work to shield the U.S. telecommunications supply chain from real or perceived foreign influence, it can learn from the Huawei saga by thinking about a few key things.

The executive branch could initiate a multi-stakeholder process (read: working with industry, academia and civil society) to create objective criteria by which to evaluate the trustworthiness of the hardware and software supply chain. One key problem with the Huawei saga was a lack of publicly presented U.S. government evidence about the supposed Huawei risks, and even a lack of private presentations by the government to U.S. companies. Team Telecom’s recommendation is already an improvement on this front, because it at least lists specific risks “which render the FCC authorizations inconsistent with the public interest.” Examples provided by the recommendation include concern that China Telecom could be influenced or controlled by authorities in Beijing. The full recommendation PDF also contains a list of specific criteria used in previous cases to render judgment about FCC licenses. That said, the U.S. government process for identifying what is and is not acceptable vis-a-vis hardware and software trust would greatly benefit from a set of criteria, or at least specific frameworks, on which to make these evaluations, especially from a technical perspective.

The executive branch could also develop a playbook to more carefully approach the messaging about which telecommunications companies might violate the supply-chain trust criteria. “China is bad” is not acceptable messaging for so many reasons (for example, not distinguishing a government from its citizens), and it also just doesn’t work. Look at what happened with the Huawei saga: The U.S., only years removed from the post-Snowden fallout, failed to persuade other countries to mirror its efforts by simply hammering a “China will spy on you” argument. In some cases, the failure to get other countries on board was perhaps a highly likely result of other political factors. But in others, a more nuanced elaboration of the risks—with evidence to back up worries—might have swayed more countries. The U.S. may struggle to navigate varying perceptions among other countries of the politicization of the U.S. intelligence community and U.S. intelligence information; presenting risks with nuance and specific evidence may go a long way to assuage those concerns.

The recent executive order and the recent recommendation against China Telecom appear to be a step in the right direction, a far more nuanced approach than was taken with Huawei and 5G networks. But it remains to be seen just how nuanced the committee will be in practice (particularly with the current attorney general at the committee’s helm). And the fact remains that many other broader questions have yet to be resolved about the administration’s current thinking on supply-chain security strategy (for example, the question about trustworthiness criteria). What is clear, though, is that scrutiny applied by the government to foreign telecommunications companies is not going away anytime soon—and that this goes well beyond Huawei.

Justin Sherman is a contributing editor at Lawfare. He is also the founder and CEO of Global Cyber Strategies, a Washington, DC-based research and advisory firm; a senior fellow at Duke University’s Sanford School of Public Policy, where he runs its research project on data brokerage; and a nonresident fellow at the Atlantic Council.
