National Security NPRM Sees Clashes Over Scope, Agency Authority
The FCC proposal to bar USF spending on products or services from companies seen as posing a national security risk is meeting with mixed reaction, with disagreements about whether rules should be limited to USF-funded equipment and services or should have broader reach, recent docket 18-89 comments show. Huawei called the rulemaking launched in April (see 1804170038) an "improper and imprudent" blacklist, and some critics questioned the efficacy of the proposed approach. Comments were due Friday, replies July 2.
Filers said any effort needs to be part of broader, coordinated effort involving other agencies, and the commission shouldn't independently decide which suppliers are subject to a prohibition but look to action by the White House or agencies with national security expertise and congressional statutory language. Several said the FCC would be the natural home for creating and publishing a list of prohibited suppliers. CTIA said the Department of Homeland Security should spearhead securing the nation's supply chain, and NCTA said if the FCC acts unilaterally, it needs to do a cost-benefit analysis to ensure it doesn't cause undue economic harm and to make clear the rule's boundaries so companies have certainty about the scope of blacklisting. It should make clear such issues as grandfathering of already-deployed equipment from subsequently prohibited suppliers, NCTA said.
The communications regulator should use the DHS supply chain risk assessment as a basis for decisions, USTelecom said. Motorola Solutions said the FCC could generate the list of prohibited suppliers identified by Congress and executive branch agencies that have security-based expertise, and the agency needs to identify the actions that would trigger a company being included on the list and develop criteria for how and why companies are on the list. It said the NPRM should have a broader scope, also encompassing public safety communications like land mobile radio systems and FirstNet.
The Telecommunications Industry Association, backing the NPRM, said the actions will be an example for other agencies and there's ample evidence state actors such as Russia and China are supporting cyber espionage. It said the proceeding should focus on suppliers of concern rather than supply chain risk management overall, given the complexity of the latter, and focus on specific suppliers would be "the most immediate and surgical approach."
Many Detractors
There were several detractors.
The NPRM's goals are commendable, but the proposed rules "are a misguided way to accomplish them," ITTA said. Criticizing the FCC's cybersecurity authority as "at best dubious, if not altogether spurious," ITTA said withholding USF disbursements would jack up USF equipment and service costs but not achieve national security objectives since such security vulnerabilities aren't limited to universal funding recipients.
The Competitive Carriers Association called the NPRM "seriously flawed" and warned it would "gravely impair" wireless providers' abilities to serve low-income, rural and underserved communities. The proposed rule "has already sent a chill of uncertainty throughout the market," deterring investment since carriers don't know what foreign companies could end up on the prohibited list. It said a 2012 House Committee report that's the major basis for the proposed rule is "very thin justification for a rule that threatens to upend an industry," especially since the FCC hasn't said why it waited six years to act, what warrants such action, or how the nation's telco networks would be safer since the rule focuses on the few that rely on USF funding. It said the FCC at least should provide a waiver process and a compensation fund for carriers.
The FCC has no factual basis for designating Huawei a threat "as it clearly intends to do," the company said. It said the agency's proposal exceeds statutory authority, would cost more than benefits and violates constitutional and statutory procedural requirements. It said the Communications Act directs the FCC to base the USF program on specific principles, and national security concerns aren't among them. It said the NPRM doesn't give criteria for deciding which companies end up on the list or a route for challenging that accusation. The telecom gearmaker called the proposed rule arbitrary because China-headquartered Huawei would be prohibited, but it would allow purchases from companies with a big footprint in China. The company said the FCC doesn't have a method for evaluating the validity of an alleged threat to national security, and the proposal hurts the U.S. telco market by decreasing competition.
Risk Assessment
In addition to cost benefit analyses, some sought risk assessment before the regulator acts.
The first step needs to be federal agencies with the right expertise doing such an assessment of the communications supply chain to find risks exist and what equipment is vulnerable, and only then should the federal government start working on a strategy, NTCA said. It said the NPRM "lacks clarity, definition and coordination" with national security and isn't clear how FCC plans to define and enforce a ban. It said the initial questions in the NPRM require study and discussion and are more like those in a notice of inquiry. Without knowing what the FCC proposes, it's impossible to say if it's prudent, NTCA said, adding that the NPRM is "a stark departure" from the FCC's past risk-management approach. The Computer and Communications Industry Association also said action should come only after the FCC first determines what network vulnerabilities the U.S. faces, and rules should focus on those.
There are rifts on other issues. AT&T said restrictions should apply to all telecom and information network operators equally, not just USF recipients, so as not to distort competition. But the company said the notice doesn't identify authority that would let the FCC address national security threats outside the USF context. It said modifications on restrictions based on helping smaller operators or promoting network deployment would undermine legitimacy, as would allowing upgrades of existing equipment coming from restricted suppliers or grandfathering existing contracts with such suppliers. CTIA said there needs to be a clear process for USF recipients still receiving USF support even though maintenance and reasonable upgrades for their now-restricted equipment may require continued transactions with restricted vendors. CTIA suggested phasing in the prohibitions. USTelecom argued the rules should apply only to USF funding, saying Section 201(b) of the Communications Act -- giving the agency power to set rules to carry out the provisions of the act -- doesn't equate to authority for a farther-reaching proposal.
The Satellite Industry Association, Global VSAT Forum and EMEA Satellite Operators Association said "collaboration, not regulation" is the best route, citing satellite industry best practices and noting a statement on cybersecurity best practices they issued in May. Any prohibition on USF support being used to buy equipment or services from a provider posing a national communications network security threat needs to apply to complete pieces of hardware or software, not components or subparts of a finished product, EchoStar/Hughes said. They said telco equipment buyers have "limited visibility" into components used by their suppliers. The American Library Association said E-rate service providers, not libraries or schools, should be the party responsible for compliance.