Recent actions by the US Federal Communications Commission (FCC or Commission) indicate that it continues to lean forward on national security issues, and that the FCC is not merely comfortable acting in this space but rather is actively seeking additional opportunities to effectively become a national security regulator.
During the prior tenure of then-Chairman Ajit Pai, the FCC’s exercise of authority on national security matters was generally limited—its most significant national security action was arguably promulgating new rules restricting a small subset of providers from using FCC funds to purchase or use telecommunications network equipment from certain Chinese-owned manufacturers. Under the leadership of Chairwoman Jessica Rosenworcel, however, the FCC has increasingly sought to insert itself in efforts to address national security risk, including by taking more expansive views of how FCC jurisdiction should be exercised.
EXPANDED EXERCISE OF FCC JURISDICTION
Most recently, at the FCC’s October 19 meeting, the FCC commissioners voted, on a party-line 3-2 vote, to issue a Notice of Proposed Rulemaking (NPRM) that would reinstate the FCC’s 2015-era Net Neutrality rules, which would reclassify broadband internet access service (BIAS) as a telecommunications service under Title II of the Communications Act.
In the 2015 Net Neutrality proceeding, national security took a back seat to other consumer-focused policy priorities, with barely a mention in the FCC’s Open Internet Order. Now, however, Chairwoman Rosenworcel is highlighting reclassification of BIAS under Title II as a way for the FCC to take further actions in the interest of safeguarding national security. Just a few days after her proposal was publicly announced, the FCC released a fact sheet outlining all of the ways that restoring Title II status of BIAS would allow the FCC greater ability to protect national security as a key component of the FCC’s regulatory objectives.
The FCC has also proposed expansions of other tools that, if adopted, would impact telecommunications providers, owners of FCC licensees, network and consumer equipment vendors and suppliers, service suppliers, and consumers.
For example, in April 2023, the Commission launched a rulemaking to overhaul its licensing requirements and review process for providers that hold “international Section 214 authorization,” by requiring enhanced disclosures about licensees’ foreign ownership, use of “untrusted” equipment and “foreign-owned managed network service providers,” as well as making those licenses subject to periodic national security reviews.
The FCC has also proposed expanding its equipment authorization rules to apply to equipment “components,” and potentially enable revocation of current authorizations for national security reasons. Furthermore, the FCC is soliciting comments about a new voluntary cybersecurity labeling program that would allow Internet of Things (IoT) manufacturers to use a “Cyber Trust Mark” as a way to allow consumers to more easily compare device security and ultimately make better informed purchase decisions.
FILLING GAPS
In the public comments submitted regarding the Cyber Trust Mark, some commenters noted that this sort of program seems to go beyond the FCC’s traditional purview. The Commission itself appears to recognize that in its efforts to lean forward on national security matters, there is potential for its actions to overlap, or even conflict, with the roles and responsibilities of other government agencies. In the NPRM issued in connection with the Net Neutrality proceeding, the FCC asked how “the Commission’s role fit[s] with that of other agencies that help to address potential security threats from foreign actors to the nation’s communications network and equipment” and how “would enhancements to the Commission’s regulatory authority as a result of reclassification bolster that role?”
Indeed, there has been at least one recent instance of the FCC getting involved in a national security matter that could also have been addressed by the US Department of Commerce (Commerce). In August, Chairman Mike Gallagher and Ranking Member Raja Krishnamoorthi of the House Select Committee on the Chinese Communist Party wrote to Chairwoman Rosenworcel about concerns that Chinese-made cellular modules used in IoT devices could be used for infiltration, tracking, and sabotage.
In response, the FCC requested that other executive branch agencies, including the Departments of Justice and Defense, provide the Commission with a determination of whether certain Chinese manufacturers of IoT modules should be added to the FCC’s Covered List, which is a list of communications equipment and services determined to pose an unacceptable national security risk.
It is notable that the congressional letter went to the FCC rather than to Commerce, which was given new authorities more than four years ago to regulate the supply chain for information and communications technology and services (ICTS), but thus far has yet to take a single regulatory action under that authority.
Specifically, Executive Order 13873 on “Securing the Information and Communications Technology and Services Supply Chain” was issued in May 2019, and initial regulations implementing the executive order were promulgated by Commerce that set forth a broad-sweeping and aggressive framework to identify, investigate, mitigate, block, and unwind transactions between US persons and ICTS equipment and services from foreign adversary vendors.
In addition, to implement a separate executive order, Commerce recently adopted a final rule to expand its ICTS supply chain regulations to specifically include connected software applications as a covered technology, and to clarify the criteria the secretary of commerce should use when determining whether transactions in connected software application present undue or unacceptable risks. Notably, the rules cover not just single transactions but also classes of similar transactions, which enables an efficient and broad control when a vendor, product or service has been found to pose an unacceptable risk.
Under the ICTS supply chain regulations, ICTS is defined broadly to include “any hardware, software, including connected software applications, or other product or service, including cloud-computing services, primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means (including electromagnetic, magnetic, and photonic), including through transmission, storage, or display.”
An “ICTS Transaction” that could be subject to restriction by Commerce includes “any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service, including ongoing activities, such as managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications for consumer download.”
If a product or service will be used in communications networks—whether they are wireless local area networks, mobile networks, satellites, cable, or other wirelines, tertiary or core networks—the ICTS supply chain regulations would appear to cover that product or service, whether the underlying service offered to customers is a “telecommunications service” or an “information service.” The US government has taken a liberal interpretation of words such as “integral” and “essential” in the context of restrictions on Chinese ICTS equipment, and presumably Commerce would deem IoT modules within the scope of its jurisdiction.
However, Commerce has been extremely slow to use this four-year-old authority. Although Commerce sought comment on creating a licensing framework to give parties more certainty about whether specific ICTS equipment and services would be regulated, no licensing rules have been proposed or adopted. Commerce announced several years ago that it had launched a handful of investigations into Chinese suppliers, but to date those investigations have not resulted in any formal actions to limit, prohibit, or unwind any ICTS transactions.
For this reason, the FCC may indeed be more responsive than Commerce would have been to the letter from Representatives Gallagher and Krishnamoorthi regarding IoT modules, and more willing to act. This, combined with the FCC’s other aggressive actions on national security-related matters, indicates that the Commission is increasingly comfortable acting as a national security agency and not just as a regulatory agency.
It is also worth noting that if the Net Neutrality proceeding results in BIAS providers being subject to FCC jurisdiction, that could create yet further overlap between the Commission’s jurisdiction and Commerce’s ICTS supply chain jurisdiction. If Commerce continues to not be active in this space, the FCC could very well move into the breach.
CONTINUED FOCUS ON NATIONAL SECURITY
The FCC can be expected to continue leaning in on national security issues, and leveraging its authorities as broadly as it can to be an active partner with the other government agencies with national security functions. If some of the Commission’s pending proceedings result in new rules, the effects on companies may be significant.
As one example, currently a relatively small number of FCC licenses are subject to national security review. Specifically, applications for several types of licenses that involve foreign ownership above a certain threshold typically get referred by the FCC to the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (CAFPUSTSS, more commonly known as Team Telecom). Team Telecom then recommends whether the FCC grant the license, condition the license on mitigation measures, or deny the license.
In the FCC proceeding noted above that is examining licensing practices for international Section 214 authorizations, the FCC is contemplating an expansion of the types of licenses that get referred to Team Telecom, including licenses with no foreign ownership whatsoever; and is contemplating periodic reviews by Team Telecom of licenses previously approved.
The FCC also expanded the scope of potential Team Telecom reviews when it decided in a September order to refer (on a case-by-case basis) foreign-owned or foreign-controlled Voice over Internet Protocol (VoIP) providers seeking access to US numbering resources to Team Telecom for national security review. In the separate Net Neutrality proceeding, it will be interesting to see whether, in subjecting BIAS providers to FCC jurisdiction, the FCC also seeks to subject any of them to Team Telecom review.
These changes would likely be significant for the industry, and among other things could increase the amount of time needed to close many deals involving telecommunications companies and assets, and subject providers to licensing and national security oversight where none had previously been required. Both ICTS operators and investors should therefore keep a close eye on the FCC’s increased appetite to be proactive in national security matters and be prepared for further regulatory and compliance burdens that may result.
[View source.]
