Protecting the U.S. telecommunications networks from security threats has long been an area of strong agreement at the FCC. Following several actions by the Pai Commission to ban Huawei and ZTE equipment deemed to pose a national security threat, Acting Chairwoman Rosenworcel has continued the effort. Indeed, in February, at the first meeting she led as acting chair, Rosenworcel called on the FCC to “revitalize” its approach to network security “because it is an essential part of our national security, our economic recovery, and our leadership in a post-pandemic world.”
At the FCC Open Meeting on June 17, 2021, the FCC took its most visible step yet toward Acting Chairwoman Rosenworcel’s vision. The Commission adopted a Notice of Proposed Rulemaking (“NPRM”) and Notice of Inquiry (“NOI”) to further address national security threats to communications networks and the supply chain. The NPRM and NOI sets its sights on the Commission’s rules relating to equipment authorization and competitive bidding. The Commission’s proposals have seeds of a much broader focus on Internet of Things (“IoT”) devices, cybersecurity and RF fingerprinting, to name a few. All participants in the telecommunications ecosystem should take notice.
The NPRM and NOI initiates an inquiry into many proposals to tighten the focus on network security in FCC procedures. Most notably, the Commission opened inquiry into the following areas:
Equipment Authorization Rules and Procedures – The NPRM seeks comment on a proposal to prohibit all future authorizations of equipment on the Covered List under the Secure and Trusted Communications Networks Act of 2019, including equipment subject to the FCC’s certification and Supplier’s Declaration of Conformity processes associated with equipment authorization. This proposal goes beyond the current rules, which prohibit recipients of Universal Service Program funding to use that funding to purchase, lease or maintain equipment on the Covered List.
Under current rules, despite the USF program prohibition, equipment on the Covered List can still obtain equipment authorization (and has already obtained authorization). The NPRM considers whether to revise the rules to ensure that any “covered” equipment cannot qualify for authorization. It also seeks comment on whether to revoke authorizations that were previously granted for equipment on the Covered List. If approved, the FCC seeks to determine which authorizations should be revoked and through what procedures.
Competitive Bidding Certification – The NPRM also seeks comment on a proposal to require applicants who wish to participate in FCC auctions to certify that their bids do not and will not rely on financial support from any entity that the FCC has designated under Section 54.9 of the FCC’s rules as a national security threat to the integrity of communications networks or the communications supply chain. The certification would require applicants to attest that no equipment (including component part) is comprised of any “covered” equipment, as identified on the current published list of “covered” equipment and would cross-reference section 1.50002 of the FCC’s rules that include the Covered List.
Manufacturing Encouragement Efforts – The NOI portion of the FCC document seeks comment on how the FCC can leverage its equipment authorization program to encourage manufacturers who are building devices that will connect to U.S. networks to consider cybersecurity standards and guidelines. The FCC inquires further about how to address security risks associated with IoT devices. Importantly, as we theorized a while back, the FCC notes the work that the National Institute of Standards and Technology (“NIST”) has done on cybersecurity and, in particular, cybersecurity for IoT devices, and asks whether the FCC’s equipment authorization rules should require manufacturers to certify in equipment authorization applications that they have considered this guidance in the design and manufacturing of their devices. The NOI also includes questions regarding the use of “RF fingerprinting” to help identify and isolate insecure devices.
As expected, the NPRM and NOI received unanimous support from the Commissioners. Acting Chairwoman Rosenworcel cited to the rash of ransomware attacks and emphasized the need for broader cybersecurity considerations of IoT. “We need to acknowledge that the equipment that connects to our networks is just as consequential for our national security as the equipment that goes into our networks,” she said. Commissioner Carr discussed the possibility of Chinese interference with missile defense systems in North Dakota and referred to this proceeding as “closing a loophole” in FCC rules. Commissioner Starks, a former staff member in the Enforcement Bureau, emphasized changes intended to make enforcement against foreign actors easier to implement, citing examples from the past decade involving illegal jamming equipment manufactured overseas. Commissioner Simington took credit for adding “RF fingerprinting” to the NOI, stating that the technology “can play a central role in interdiction and enforcement of hacking and cyber-crime.”
With this proposal’s broad support at the Commission, equipment manufacturers (including IoT device manufacturers should pay close attention to the FCC’s actions. Comments will be received over the summer and the Commission could address its rules by year-end. Affected manufacturers may wish to comment in the proceeding.