Under rules that went into effect this summer, federal agencies and contractors are barred from using telecommunications equipment made by Chinese companies that policymakers see as untrusted. But the ban hasn’t touched most of the nation’s privately-owned networks — at least not yet.
The Federal Communications Commission is about to consider its own set of rules that would give it more authority to decide what network gear is and isn’t allowed on the commercial networks it oversees as those firms continue the early stages of construction on their new 5G wireless capabilities.
The rule, set for a vote on Nov. 19, would prohibit U.S. telecom companies from using any money they get from the federal Universal Service Fund to buy equipment from companies the FCC designates as national security threats. The same proposed order would designate ZTE and Huawei as “covered companies” from the very outset.
Insight by GitLab: During this webinar executives from the State Department, U.S. Securities and Exchange Commission, U.S. Patent and Trademark Office and GitLab will discuss how institutionalizing a DevSecOps approach to software development is a journey that must bring together the technology and business sides to change an organization’s culture.
As a practical matter, it would likely mean wireless carriers couldn’t buy anything new from ZTE or Huawei, since it would be extremely difficult to disentangle their USF funding from private capital on any given project. They would likely also have to replace what they’ve already bought, since the $4.5 billion the FCC distributes from the fund each year couldn’t be used for upkeep on any existing Huawei or ZTE equipment either.
“We need to ensure that our Universal Service Fund, which provides billions annually to help support broadband in rural America, will not be used to purchase insecure network equipment,” Jessica Rosenworcel, an FCC commissioner who backs the proposal told the Senate Homeland Security and Governmental Affairs committee last week. “Chinese companies own 36% of all 5G standard essential patents. Here in the U.S., our companies hold just 14%. In fact, there are no longer any United States-based manufacturers of key 5G network equipment.”
The FCC estimates that 106 U.S. telecom companies already buy equipment from ZTE and Huawei. And partly because the China-backed firms tend to offer their gear at lower prices than their South Korea and Europe-based competitors, the American companies who’ve bought it tend to be smaller, regional carriers.
Based on feedback the FCC has gathered so far, big-name companies, for the most part, have already made the decision to procure their 5G hardware from outside China, expecting that federal regulations would come sooner or later, and because they’re worried about the security risks too.
The rule the commission will vote on later this month would also begin a more formal study process to determine how entrenched ZTE and Huawei already are in the U.S. market. But the commission currently estimates the cost to replace that hardware would be between $700 million and $1 billion.
That also raises the question of who should bear those costs, said Christopher Krebs, the director of the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency. He said CISA is also worried about untrusted equipment on private-sector networks, but the government needs more data to determine how to get rid of it.
“I think what we also need to focus on what the economic realities are of a flash cut — pulling this equipment out today from 4G networks,” he said. “How are they going to age this stuff out? If it’s going to happen over the next 12, 18, 24 months and we can contain or mitigate or manage the risk, maybe we let it go naturally through the process. I think we’re on the right track, and I think an RFP or an RFI process is likely a good way to elicit information as well.”
Federal agencies’ worries about ZTE and Huawei hardware on U.S. telecom networks aren’t just about specific cyber flaws or vulnerabilities in those systems — though they claim that’s a problem too. A bigger, overriding concern has to do with how those companies are governed under Chinese law.
“Our assessment is that the PRC could compel Chinese equipment vendors to act against the interest of us citizens and citizens of other countries around the world,” said Robert Strayer, the State Department’s deputy assistant secretary for cyber and international communications and information policy. “If allowed to construct and service 5G networks, Chinese equipment vendors will be in a privileged position in these critical networks. They can be required by China’s National Intelligence Law to cooperate with Chinese intelligence and security services, and to keep that cooperation secret. And there is no independent judiciary or rule of law to prevent them from being required to take those actions. This will provide the Chinese Communist Party the capability to disrupt critical infrastructure, intercept sensitive transmissions, and acquire sensitive technology and intellectual property as well as the information of private citizens.”
Another motivation behind the push against Huawei and ZTE has to do with eliminating the competitive edge China currently holds in the wireless technology market, a position that had been dominated by American firms when 4G and LTE were still the up-and-coming technologies.
But Krebs said he sees that role-reversal as a “temporary blip” that has mostly to do with China’s investments in radio and other equipment that’s tailor-made for 5G networks.
The balance will begin moving back in the other direction if the federal government helps invest in research that turns that 5G hardware into an off-the-shelf commodity, and relies on software to do most of the heavy lifting involved in 5G deployments, he said. The concept is known in the wireless industry as the Open Radio Access Network (O-RAN). It aims to make key portions of 5G technology stacks common and interoperable.
“If we can unlock O-RAN, the vendor base in the United States and the innovation base is going to explode. So I think there are a series of incentives that need to be put in place to provide test beds — for example, some of the work DoD is doing in experimentation on their bases, and some of the work that I’m doing with my agency at Idaho National Labs,” Krebs said. “Achieving true interoperability globally is going to be critical. Not just interoperability in the sense that a Huawei technical stack works together, but that you can start putting bits and pieces of different vendors together. That’s true interoperability. Think about Microsoft, Amazon, Google, all these cloud service providers. We dominate the hyperscale cloud market in the world. What we’re talking about here with virtualized networks and ORAN is cloud. That’s all it is. It’s dumb metal with software riding on top, and we own that space. So let’s make it a compelling economic incentive to get in there.”
And from the FCC’s perspective, there may be more that federal regulators can do to ensure all the wireless devices that connect to 5G networks are also relatively free from unknown security flaws.
For decades, the commission has been in the business of certifying that every device that sends or receives radio transmissions meets the commission’s standards before it can be sold in the U.S.
Want to stay up to date with the latest federal news and information from all your devices? Download the revamped Federal News Network app
Rosenworcel says there’s no good reason the commission couldn’t impose similar requirements for cybersecurity.
“Just pull out your smartphone or look at the back of your computer or television, and you’ll see an identification number from the FCC. It’s a stamp of approval. It means the device complies with FCC interference rules and policy objectives before it is marketed or imported in the United States,” she said. “The FCC needs to revisit this process and use it to explore how we can encourage device manufacturers to build security into all new products. And to do this, we could build on the National Institute of Standards and Technologies’ draft set of security recommendations for devices in the Internet of Things. But the most important thing we need to do is get started. Right now.”