What to Make of New U.S. Actions Against Foreign Telecoms



On April 4, President Trump signed an executive order on “Establishing the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector.” Just five days later, the Department of Justice issued a press release detailing interagency action on a similar issue, stating that:

Today, interested Executive Branch agencies unanimously recommended that the Federal Communications Commission (FCC) revoke and terminate China Telecom (Americas) Corp.’s authorizations to provide international telecommunications services to and from the United States. China Telecom is the U.S. subsidiary of a People’s Republic of China (PRC) state-owned telecommunications company.

The “interested” agencies involved in the recommendations, as specified in a footnote, were the Departments of Justice, Homeland Security, Defense, State, and Commerce and the United States Trade Representative.

These two actions have significance on their own. But taken collectively, they mark another concrete step in the United States’s campaign to limit the digital and economic influence of Chinese telecommunications companies both within and outside U.S. borders. The moves also demonstrate that current American efforts to limit the influence of the Chinese telecommunications sector are much broader than just the well-publicized targeting of Chinese telecom giant Huawei.

And where the Huawei saga was characterized by a confused messaging campaign by different components of the U.S. government that yielded extremely limited results, there is an opportunity with these recent moves for the U.S. government to think much more carefully about how it communicates the national security risks posed by foreign telecommunications companies and the reasons for taking actions against specific firms.

The Executive Order

The executive order establishes the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (elegantly captured by the acronym CAFPUSTSS). Members of the new committee have 90 days from the enactment of the executive order to specify when the committee will first convene. Its primary objective is to “assist the FCC in its public interest review of national security and law enforcement concerns that may be raised by foreign participation in the United States telecommunications services sector.” In short, the committee is meant to limit foreign influence on U.S. telecommunications where security risks are identified—and it will do this by looking at Federal Communications Commission licenses and applications.

The executive order charges the Department of Justice with providing funding and administrative support for the new committee. The attorney general is to serve as the chair, and the committee’s other members include the secretary of defense, the secretary of homeland security, and “the head of any other executive department or agency, or any Assistant to the President, as the President determines appropriate.” Advisory roles are given to the secretaries of state, treasury and commerce; the director of national intelligence (DNI); the U.S. trade representative; the president’s national security adviser; and several others. But importantly, the chair (who today would be Attorney General William Barr)—except where specified otherwise in the order—“shall have the exclusive authority to act, or to authorize other Committee Members to act, on behalf of the Committee.”

The committee will have the authority to review both new applications for licenses to the FCC as well as licenses already granted. While the executive order’s title focuses on telecommunications, the FCC issues licenses for a variety of companies such as television and radio broadcasters, and the language in the order is quite broad. The committee can look for various kinds of information to inform its decision on these licenses and applications, including “classified information and otherwise privileged or protected information.” It may also “provide such information to the FCC as necessary on an ex parte basis.” For applicants that refuse to turn over information in response to particular committee requests, the committee can factor that noncooperation into its recommendation.

After the review process, the committee can recommend several actions to the FCC: dismissal of an application, denial of an application, granting an application only if mitigation measures are taken by the applicant, modifying an existing license with the condition of complying with mitigation measures, and revoking a license altogether.

For those familiar with the Committee on Foreign Investment in the United States, or the CFIUS, this general idea may sound familiar—an interagency commission screens a particular decision (in this case, FCC applications and licenses; in the CFIUS’s case, foreign investments) and then recommends anything from a slight change in the structure of a license or an investment to completely undoing a license or investment altogether. This recommendation is determined by a committee member vote, which is to be broken by the chair in case of a tie. However, many of the considerations the committee is supposed to weigh in making these recommendations remain unclear: for instance, whether factors such as a company’s data storage practices matter, and, if so, how much they matter and how they should be assessed. It is also not stated explicitly in the executive order whether the FCC can ignore a recommendation from the committee.

One important element of this executive order is that information reviewed by the committee is, generally speaking, to stay with the committee. Some exceptions are carved out, including for selective ex parte communication with the FCC and for potentially sharing information in an appropriately classified manner with the CFIUS. But the executive order is clear on the classification requirements, and these provisions seem intended to keep the nascent committee in compliance with existing laws and policies around classified or otherwise privileged or protected information.

It’s worth noting as well that the intelligence community will play a central role in this committee. The executive order mandates that for each license or application the committee reviews, the DNI “shall produce a written assessment of any threat to national security interests of the United States posed by granting the application or maintaining the license,” soliciting and incorporating the views of the intelligence community “as appropriate.” The DNI is also required to ensure that the intelligence community continues analyzing additional relevant information and disseminating it to the committee during the review process.

Finally, the order ascribes significant responsibility to the committee members and the DNI in operationalizing the executive order and specifying certain parameters of its operation:

Within 90 days from the date of this order, the Committee Members shall enter into a Memorandum of Understanding among themselves and with the Director of National Intelligence (or the Director’s designee) describing their plan to implement and execute this order. The Memorandum of Understanding shall, among other things, delineate questions and requests for applicants and licensees that may be needed to acquire information necessary to conduct the reviews and assessments described in sections 5 and 6 of this order, define the standard mitigation measures developed in accordance with section 2(e) of this order, and outline the process for designating a Lead Member as described in section 4 of this order.

The Department of Justice Press Release

The Department of Justice’s April 9 announcement—that a collection of executive branch agencies recommend that the FCC revoke and terminate China Telecom’s authorizations to provide telecom services in the U.S.—relates to this executive order. That’s because this action, the department says, “was taken under the legacy, ad hoc arrangement of the Departments of Justice, Defense, and Homeland Security, formerly known as Team Telecom, the operation of which was recently formalized by Executive Order dated April 4, 2020, establishing the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector.” In other words, an informal process in the executive branch led to the recommendation to revoke China Telecom’s license.

It then adds: “Applications referred by the FCC after the date of the Executive Order will be handled under the process outlined therein.” The Justice Department announcement reveals that the executive order is formalizing a process already informally set up in the executive branch. This ad hoc group had a similar purpose of reviewing foreign influence in the U.S. telecom sector, looking for security risks. It’s possible, then, that this recent recommendation about China Telecom is one of the last such recommendations, if not the last, to be made without the formal review process set up in the executive order. Team Telecom has made such recommendations before as well, including the recommendation that informed the FCC’s decision last year to block China Mobile from operating in the U.S.

The Justice Department lists five main reasons for the executive branch recommendation for China Telecom:

  • the evolving national security environment since 2007 and increased knowledge of the PRC’s role in malicious cyber activity targeting the United States;
  • concerns that China Telecom is vulnerable to exploitation, influence, and control by the PRC government;
  • inaccurate statements by China Telecom to U.S. government authorities about where China Telecom stored its U.S. records, raising questions about who has access to those records;
  • inaccurate public representations by China Telecom concerning its cybersecurity practices, which raise questions about China Telecom’s compliance with federal and state cybersecurity and privacy laws; and
  • the nature of China Telecom’s U.S. operations, which provide opportunities for PRC state-actors to engage in malicious cyber activity enabling economic espionage and disruption and misrouting of U.S. communications.

Some of this relates to broader concerns already raised about Chinese technology companies, such as the extent to which Beijing can compel firms to turn over data or insert backdoors into telecommunications equipment, for example. The Justice Department statement also mentions other potential concerns with the company that the U.S. government does not express as frequently about Chinese telecommunications firms.

The FCC published a trove of documents on its website that give further insight into Team Telecom’s investigation into the Chinese telecommunications company. For one, there is a Foreign Intelligence Surveillance Act notice, filed by the Department of Justice to China Telecom on April 9 about intent to “use or disclose in any proceedings [in the investigation into China Telecom] information obtained or derived from electronic surveillance conducted pursuant to the Foreign Intelligence Surveillance Act of 1978.” What does this reveal? Clearly, classified information-gathering went into Team Telecom’s review process, much like the executive order formally sets out for the new committee going forward.

In the full (though redacted) PDF document of the executive branch’s recommendation, there is also reference to “disruption and misrouting of U.S. communications.” The PDF explicitly confirms what I initially suspected when reading the press release’s mention of “disruption and misrouting of U.S. communications.” The PDF makes clear that this refers to China Telecom’s role in manipulations of the Border Gateway Protocol, or BGP—an important internet protocol that routes global internet traffic. Malicious actors are able to redirect the path of internet traffic flows by manipulating the routing information that feeds into this protocol, so that data is instead routed through particular locations. The redirected traffic can then be captured as it flows across the internet in real time, potentially compromising the data’s availability in the present (that is, stopping it from reaching its destination or delaying it) as well as potentially compromising the data’s confidentiality in the future (that is, uncovering what the traffic contained).

In 2019, to give one example, China Telecom was involved in a BGP hijacking that sent European traffic through China Telecom for two hours. A widely cited 2018 study in Military Cyber Affairs—which the recommendation explicitly referenced—likewise pointed to “China Telecom [seeming] to employ its distributed points of presence (PoPs) in western democracies’ telecommunications systems to selectively redirect internet traffic through China.” The reference in the report to China Telecom’s involvement in the concerning rerouting is commendable—BGP hijacking is a key vulnerability in global internet architecture that merits further scrutiny.
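
To make the routing manipulation described above concrete from a network operator's side, the following added example (not from the article or the executive branch recommendation) checks BGP announcements against published route origin authorizations, following RFC 6811, and shows which origin a router would select with and without dropping invalid routes. It goes beyond the text by illustrating one common mitigation; all prefixes and AS numbers are constructed from the documentation ranges and describe no real network.

```python
import ipaddress

# Constructed data: documentation prefixes (RFC 5737) and ASNs (RFC 5398).
ROAS = [  # (authorized prefix, max prefix length, authorized origin AS)
    ("198.51.100.0/24", 24, 64496),
    ("203.0.113.0/24", 24, 64497),
]
ANNOUNCEMENTS = [  # (announced prefix, origin AS from the end of the AS path)
    ("198.51.100.0/24", 64496),    # legitimate origin
    ("198.51.100.128/25", 64511),  # more-specific from an unauthorized AS
    ("203.0.113.0/24", 64511),     # same prefix, unauthorized origin
    ("192.0.2.0/24", 64498),       # no ROA covers this prefix
]

def validate(prefix, origin_as, roas=ROAS):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA covers the announced prefix
        if net.prefixlen <= max_len and origin_as == roa_as:
            return "valid"
    return "invalid" if covered else "not-found"

def selected_origin(dest_ip, announcements, drop_invalid):
    """Origin AS chosen by longest-prefix match, optionally after filtering."""
    addr = ipaddress.ip_address(dest_ip)
    candidates = [
        (ipaddress.ip_network(p), asn) for p, asn in announcements
        if not (drop_invalid and validate(p, asn) == "invalid")
    ]
    matches = [(n, asn) for n, asn in candidates if addr in n]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(f"{prefix:20} AS{asn}: {validate(prefix, asn)}")
    print(selected_origin("198.51.100.200", ANNOUNCEMENTS, drop_invalid=False))
    print(selected_origin("198.51.100.200", ANNOUNCEMENTS, drop_invalid=True))
```

Without filtering, the longer /25 wins the forwarding decision and traffic for 198.51.100.200 follows the unauthorized origin; once invalid routes are dropped, the authorized /24 is selected again.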

But the interagency challeng

[…]

