FCC Appears to Cast Wide Net in Russia Probe; Cybersecurity Focus Expected
The FCC’s “top-to-bottom” review of communications companies’ ties to Russia, announced by Chairwoman Jessica Rosenworcel Wednesday (see 2203160031), likely has a broad focus, covering media companies, telecom and infrastructure providers, submarine cable operators and any Russian companies carrying U.S.-international phone traffic, industry experts told us. But compared with China, a recurring focus of the FCC, ties to Russia appear to be minimal.
Rosenworcel said the initial results were already shared with other federal agencies. That means DOJ and the Department of Homeland Security, in particular, said an official familiar with the investigation. In late February, the commission sought comment on vulnerabilities to the security and integrity of border gateway protocols (BGPs), citing the need to “reinforce our Nation’s readiness and to strengthen the cybersecurity of vital communications services and infrastructure, especially in light of Russia’s escalating actions inside of Ukraine.”
“This kind of cross-agency collaboration, between the FCC, DOJ and DHS, is an example of what a whole-of-government approach to cybersecurity looks like,” said Tatyana Bolton, R Street Institute policy director-cybersecurity and emerging threats. “Agencies working towards one goal bolster each other with complementary expertise and authorities,” said Bolton, a former Cybersecurity and Infrastructure Security Agency staffer. “We saw some of that positive collaboration grow during the ransomware fever last summer, and you could tell the difference with increased efficiency and rapid communication,” she said.
What the review will find is unclear, Bolton said, noting she's watching what will happen on BGP security policy and hopes for more clarity. “The good news is that packaged guidance is out there, but it’s up to the FCC to point us in the right direction and organizations to swiftly implement best practices, especially with BGP gaining more attention as a target from Russian operations,” she said. “The FCC knows that the absence of a massive Russian hack in the U.S. means nothing -- it’s critical to prepare like there’s an imminent one,” she said: “They’re reviewing everything from media companies to submarine cable operators to mitigate risk. We know risk can't be zero percent, but it’s imperative to find your weak spots and lower their risk factor as much as possible.”
The FCC has “very limited” authority to do much on Russia, said former Commissioner Harold Furchtgott-Roth, now at the Hudson Institute. It has started to take steps such as requiring “full disclosure on broadcast content, paid content,” he said: “They’re working on that.” The FCC will likely review any Russian-owned entity and “can probably take such actions,” he said.
The most likely outcome of the review is a reversal of the agency’s previous decision, under the Trump administration, to put less focus on cybersecurity issues “and for the FCC to become a leading federal agency in setting various cybersecurity requirements for networks,” said New Street’s Blair Levin, former FCC chief of staff. The work on Russia is an “accelerant” of the FCC moving toward more work on security, though it will need to “ramp up its expertise,” he said.
The FCC may find “potential involvement by the Russian government itself or various oligarchs that are on lists to be sanctioned” in U.S. media companies, said Joe Kane, Information Technology and Innovation Foundation director-broadband and spectrum policy. “Action on this front would probably be an outgrowth of the existing U.S. sanctions regime toward Russia, and I’d expect the FCC to follow executive-branch guidance on that,” he said.
Cybersecurity threats could arise “from Russian influence over certain parts of communications infrastructure, especially since the United States and Russia are more explicit adversaries,” Kane said: “Expect the response to those … threats to look like the response to Chinese companies in the telecom supply chain.”
“Team Telecom, which seemed dormant for years, has come to life again,” said John Strand of Strand Consult, referring to DOD, DOJ and DHS. The “supposedly deregulatory Trump administration found ways to reinvigorate administrative agencies, and the Biden administration is reaping those gains today,” he said: “It is laudable that FCC is working closely with other agencies. For some time, the agency was reluctant to get involved in geopolitical security issues. Now it is critical that it does.”
Strand predicted increased cybersecurity obligations will be placed on network operators “similar to what happened with banks fighting money laundering.”
The investigation is distinct from what the FCC did on Chinese-owned telecoms, “because it’s unclear … how much Russian telecoms have invested in the U.S.,” emailed Digital Progress Institute President Joel Thayer. “Similar to the U.K., Russian companies do have a media presence” so “it’s possible for the FCC to uncover some connections in various media ownership arrangements,” he said.
“It’s great to see the FCC continue the bipartisan work to root out foreign threats to America’s communications networks,” said Shane Tews, American Enterprise Institute visiting fellow. The “playbook” the Ajit Pai FCC “wrote for dealing with threats from Communist China helps streamline the work needed to address Russia and if there is a strong inter-agency process that is working on national security this is very good news,” she said.
Revocation of Section 214 authorizations would be the FCC's likely weapon of choice for any Russian telecom presence, similar to the U.S.' China strategy, national security experts told us. But unlike China, with a huge industrial and tech base, Russia's likely not present in U.S. telecoms, they said. Submarine cables could be one area of foreign influence, said Justin Sherman, Atlantic Council Cyber Statecraft Initiative nonresident fellow. Sherman said the Committee on Foreign Investment in the U.S. would have power to undo a transaction, but Team Telecom doesn't have statutory authority, giving it more limited power.
The FCC's Section 214 revocations of Chinese telecoms "were somewhat unprecedented," said telecom lawyer Marc Martin of Perkins Coie. Short of nations that were sanctioned to the degree the U.S. wasn't doing business with them at all, the country often did business "with less-than-democratic states" that controlled their own telecom networks.
The probe could also look at carriage of Russia's RT, but since it's available online it's hard to police and the FCC would have limited jurisdiction, Martin said. The Treasury Department "could snap their fingers and stop it" if it determined RT was a sanctioned entity with which U.S. businesses have to stop doing business, he said.
Foreign conflict hasn't always led to an FCC response. During Operation Desert Storm "there was no fear that Iraq was going to compromise either on the sending or receiving or monitoring side the coalition’s communications," said former FCC Chairman Alfred Sikes, referring to the Gulf War coalition. "NTIA which is more involved with government-used spectrum might have acted in some way. On the other hand, we aggressively acted in all international fora to protect U.S. Information Agency's various services."