The FCC Covered List And The Regulatory Challenge To Deliver Security

Brendan Carr met with Taiwanese authorities for foreign, digital and telecom policy last week, the first Federal Communications Commission (FCC) Commissioner to do so in Taiwan. As the country accounts for 90 percent of the global capacity for semiconductor production, he made no overstatement saying, “A free and democratic Taiwan is vital to America’s prosperity.”

Carr also reiterated calls for complete bans on TikTok (an undertaking likely requiring action by the Committee on Foreign Investment in the United States) and the telecom equipment providers Huawei Technologies Company and ZTE Corporation. Separately Senator Mark Warner (D-VA) observed, “This is not something you would normally hear me say, but Donald Trump was right on TikTok years ago. If your country uses Huawei, if your kids are on TikTok … the ability for China to have undue influence is a much greater challenge and a much more immediate threat than any kind of actual, armed conflict.”

Indeed many Americans may think Huawei and ZTE are already banned, but that is not the case. While these entities have been restricted by the Departments of Defense, Treasury, and Commerce for certain federal and commercial uses, that does not stop them from shipping their goods to consumers. Indeed during 2018-2021, the FCC reported that it approved some 3,000 applications from Huawei for products using U.S. radio spectrum.

To its credit, the FCC has closed one loophole by banning Universal Service Funds monies for the purchase of Huawei and ZTE equipment. Going forward, the FCC will reportedly reject all future applications for equipment authorizations from Huawei and ZTE, an enforcement provision the FCC was supposed to finalize within one year of the signing of the Secure Equipment Act. The law was passed by a unanimous Congress and signed by the President on November 11, 2021, empowering the FCC to use its Covered List.

While banning all future sales of Huawei and ZTE is welcome to improve security and deter Chinese government intrusion, this action does little to stop thousands of other Chinese government-owned and military-aligned information technology companies. Indeed the Huawei/ZTE ban to date has created other security problems, notably the view that the ban to date blocks equipment sales in the U.S. when it does not; the inference and implication that if Huawei/ZTE equipment is banned, then other Chinese equipment is ok; and the gaming, arbitrage, and politicization of U.S. cybersecurity regulation by U.S. and Chinese players including but not limited to delaying, confining, and reducing restrictions on other malign equipment firms, white labeling/relabeling of malign equipment, counterfeit equipment, and other unwelcome acts.

Piecemeal Progress: Winning the battle but losing the war

While the piecemeal approach is better than nothing, it creates significant, long-term security consequences. The practice of protecting Americans from Chinese government intrusion relies on a morass of cybersecurity policy administered by dozens of federal agencies, each with its own distinct statutory authority and regulatory instruments. It is presumed that this works together, though an audit could suggest otherwise.

Moreover, few recognize the herculean lift to execute any one piece of security policy and the associated bureaucratic army deployed to enable and deliver it. Regulation is not computer code which runs itself. It takes many people to administer, let alone enforce, the prohibition on federal purchase by the National Defense Authorization Act (NDAA), the licensing required by the Entity List or the Office of Foreign Assets Control, or the cyber-hygiene protocols or vulnerabilities list outlined by the Cybersecurity and Infrastructure Security Agency of the National Institute for Standards and Technology.

Naturally, Chinese parties litigate any action against them in U.S. court. They hire the top Washington law firms, many of which employ former federal regulators – an intimidating opposition. For example the single most active filer in the FCC’s Covered List proceeding is John T. Nakahata, former Chief of Staff to FCC Chairman William Kennard. Today Nakahata is counsel to the Covered List company Hikvision and has filed at least two dozen items reflecting meetings with Chair Rosenworcel and documentation to the FCC.

Despite Hikvision being restricted by the Department of Commerce Entity List for systematic human rights abuse of Muslims in Western China and by the Pentagon for its alignment with the Chinese military, the FCC loosened the rules for Hangzhou Hikvision Digital Technology Company (Hikvision) with broad exemptions for consumer use. Only “public safety” and “national security” uses face restrictions.

Notably other federal statutes already prohibit the use of this equipment for public safety and national security. Ironically Congress strengthened the FCC’s authority precisely to fill the gap because federal statutes do not cover consumers. However with this exemption for Hikvision as well as Hytera Communications Corporation and Dahua Technologies Company, the FCC in fact offers no security for consumers. Sadly Hikvision can continue to profit while committing what the UN High Commission for Human Rights calls crimes against humanity.

There is no such former FCC lawyer advocating on behalf of US consumers. Indeed the most active filer supporting the FCC’s rules is IPVM, an independent provider of authoritative information and research on physical security technology including video surveillance, access control, and weapons detection based in Bethlehem, PA.

Separately China Tech Threat called the Covered List exemptions an undermining of the rules. After all, no one would deploy a video camera in the home, office, school, bank or other location if not to enable safety and security.

Ironically, this web of rules is the outcome of the rule of law—which inherently limits government intervention in the market, but does not necessarily deliver “security” as intended. Recall, the only mandated function of the U.S. Constitution is defense, and yet America’s preparedness for cyberwar and protection from cyber intrusion are far from optimal. Many U.S. companies and individuals attempt to protect themselves with a series of defensive and offensive measures, but the job to detect, identify, and deter threats is the federal domain, which today falls short.

With federal authorities failing on security, states like Florida and Georgia have stepped in. A recent Executive Order by Florida Governor Ron DeSantis bans the use and purchase of products and services made by all Chinese government-owned entities, a far more comprehensive list than the 10 on the FCC’s Covered List.

For a related discussion on new export controls issued by the Bureau of Industry and Security, the listing of Yangtze Memory Technology Corporation (YMTC), and its suspect relationship with Apple, tune in to this event Tuesday.

Originally published in Forbes.