“Strategic Competition” is one of the hallmarks of the Biden’s administration’s approach towards China. Technology remains to be one of the highly contentious areas of competition between the United States and China, with both countries boasting highly advanced systems for research and development, manufacturing, and distribution. At present, the U.S. is going on the offensive to curb China’s dominance by implementing both import and export bans. These restrictions are also rolled out in an effort to curtail China’s ability to produce cutting-edge technology that are used to develop advanced military technology, particularly designed for surveillance and intelligence-gathering purposes. U.S. Strategic Competition takes a multi-agency approach to curtailing activities that contribute to the development of Chinese technology that can threaten U.S. national security and international stability.
On November 25, 2022, the U.S. Federal Communications Commission (FCC) implemented new rules prohibiting the importation and sale of Chinese-made communications equipment in the United States. In its official statement, the FCC is implementing a crackdown on equipment “deemed to pose an unacceptable risk to national security of the United States or the security and safety of United States persons.” This new regulation is a directive of the Secure Equipment Act of 2021, under which the FCC is prohibited from reviewing and issuing equipment licences to firms that are identified in the Covered List. The rules now further prevent equipment sourced from these companies from being authorized for sale in U.S. territories under the Supplier’s Declaration of Conformity process. The Covered List includes equipment manufactured by Chinese companies Huawei Technologies, ZTE Corporation, Hytera Communications, Hangzhou Hikvision Digital Technology, and Dahua Technology. The rules also apply to “future authorizations of equipment identified on the covered list.” As a result of the new regulations, the FCC is putting a freeze on all “telecommunications and video surveillance equipment authorization applications” from Hikvision, Dahua and Hytera until they are able to submit documentation about the “safeguards they will put in place on marketing or sale.” As for Huawei and ZTE, the FCC is imposing a total restriction, meaning no Huawei or ZTE equipment can receive approval in the future regardless if they give assurance to the U.S. government that their products will not be used for “public safety, security of government facilities, & other national security purposes.” In 2020, the FCC specifically designated Huawei and ZTE as national security threats, stating that both companies have close ties to the Chinese Communist Party military operations and are subject to Chinese law that obligates them to “cooperate with the country’s intelligence services.”
Effect of Ban on Global Supply Chains
Chinese company China Telecom Corp. challenged the FCC bans in court, stating that it violated its rules by not holding hearings prior to revoking authorizations of Chinese companies to provide telecommunications services in the United States. Prior to the withdrawal of their authority to operate, China Telecom has been providing telecommunications services in the U.S. for 20 years and provided services to Chinese government facilities on U.S. soil.
In addition to affecting individual Chinese companies, the U.S. government’s strict regulations may shake up the global supply chain. In the U.S. alone, nearly half a million Hikvision video surveillance cameras are connected to the internet. A study from the Center for Security and Emerging Technology also revealed that at least 1,681 state and local governments in the U.S. purchased devices from the five companies in the Covered List between 2015 to 2021, with Vermont being the sole state that showed no evidence of using any of the prohibited devices.
The ban raises also doubts about long-standing business connections and will have an impact on American enterprises as well. For instance, ZTE procures more than one quarter of its mobile phone components from U.S. companies. Smartphones from the five firms on the Covered List also use Google’s operating system, Android. Moreover, China leads the world in the development of 5G technology, followed by South Korea and the United States. In 2021, Chinese companies generated $1.2 billion USD in revenue from 5G private networks that serve businesses and governments in China. This figure accounts for a third of global revenue for the 5G telecommunications industry and more than the combined revenue of Europe and North America. As of 2021, China has set up 1.4 million 5G base stations, which makes up 60 percent of the total 5G networks across the globe.
Considering that the U.S. has urged allies such as Japan and the Netherlands to limit semiconductor exports to China, there is a possibility that the U.S. could also rally its allies to impose a similar crackdown to telecommunications equipment sourced from Chinese companies on the Covered List or the Entity List. Under these conditions, the ban can disrupt global supply chains if the United States makes this request to its portfolio of allies and trading partners.
The Role of U.S. Cybersecurity and Telecommunications Agencies in curbing Chinese security threats
Cybersecurity and telecommunication agencies play a crucial role in safeguarding the digital infrastructure of the United States. These agencies help in identifying and mitigating cyber threats, ensuring secure telecommunications services, and promoting best practices for cybersecurity. This report identifies relevant U.S. agencies in enforcing cybersecurity standards.
National Security Telecommunications Advisory Committee (NSTAC)
The President's NSTAC is an advisory body whose mission is to meet national security challenges and emergency preparedness by providing the U.S. Government with the best possible industry advice in the areas of security and cybersecurity. NSTAC’s recommendations to the President and other government agencies include the security and resilience of the nation's critical telecommunications infrastructure. The committee is made up of senior industry executives and experts from government agencies. The NSTAC recently recommended that U.S. federal agencies take steps to limit the usage of Chinese vendors, not just Huawei and ZTE, due to long-term, persistent security threats.
Federal Communications Commission (FCC)
The FCC is an agency that regulates interstate and international communications including radio, television, wire, satellite, and cable. It ensures the availability of affordable and reliable telecommunications and broadcast services for all Americans as well as enforces regulations related to cybersecurity and privacy.
One of the most significant actions taken by the FCC in relation to China was the designation of Huawei and ZTE to be placed on the Covered List, citing national security concerns. More recently, the chairwoman of FCC, Jessica Rosenworcel, publicly endorsed the use of radio access network (RAN) for U.S. operators to bypass networks owned by Chinese telecoms. On March 29, the FCC released a proposal to assess existing authorizations of foreign-owned telecommunications companies operating in the U.S. due to mounting concern posed by the Chinese companies. The FCC will vote on proposed rules mandating foreign-owned license holders to undergo periodic reviews and renewals at its April 4 meeting.
Cybersecurity and Infrastructure Security Agency (CISA) and The National Cybersecurity and Communications Integration Center (NCCIC)
CISA is America’s cyber defense agency and the national coordinator for critical infrastructure security and resilience. CISA’s primary purpose is to build up the United States’ ability to understand and manage cybersecurity and risk to critical federal and state infrastructure. It works with public and private sector partners to identify, assess, and mitigate cyber threats and vulnerabilities. The organization's function is to help organizations prepare for, respond to, and mitigate the impact of cyberattacks.
The NCCIC is one of the components that share information among public and private sector partners to build awareness of vulnerabilities, incidents, and mitigations.
In response to growing cyberattacks targeting sensitive data and information, the Biden administration is proposing legislation on critical infrastructure reporting. However, it is still being debated on the obligation to report cyber and ransomware attacks to CISA at the U.S. Department of Homeland Security within 72 hours. Additionally, the United States is working Quad members (India, Japan, Australia) on the Counter Ransomware Initiative. This initiative will protect civilian and government agencies from ransomware attacks originating both from state and non-state actors.
On the other hand, CISA has been proactive and recently published a new advisory warning system against the Royal Ransomware group that targeted critical infrastructure in the areas of manufacturing, communications, education, and healthcare. After observing incidents with the malware, the threat actors were observed disabling antivirus software on victims' machines and exfiltrating large amounts of data. China's efforts to stop ransomware attacks include collaboration with the FBI and describes tactics, techniques, and procedures as well as indicators of compromise associated with Royal ransomware, though China remains an origin point of cyber and ransomware attacks. CISA also published a set of recommendations aimed at reducing the risk and impact of ransomware attacks.
National Institute of Standards and Technology (NIST):
The National Institute of Standards and Technology is a non-regulatory federal agency that develops standards, guidelines, and best practices promoting measurement science, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life. NIST is one of the nation's oldest physical science laboratories. Congress established the agency to remove a major challenge to U.S. industrial competitiveness at the time — a second-rate measurement infrastructure that lagged behind the capabilities of the United Kingdom, Germany and other economic rivals at the time.
In January 2023, NIST released its modified concept paper, which includes an outline of the potential cybersecurity framework updates whose purpose is to help sectors on threat detection and response, and vulnerability management. The new version of the framework is designed to help organizations better manage and reduce cybersecurity risks across organizations.
Department of Homeland Security (DHS):
DHS is a federal agency responsible for safeguarding the nation's critical infrastructure and coordinating the government's response to cyber threats. It also provides cybersecurity training and awareness programs for government agencies and private sector partners.
On March 23, Secretary of Homeland Security Alejandro N. Mayorkas, delivered a statement in accordance with President Joe Biden’s National Cybersecurity Strategy on the press release published on the DHS website. The secretary states that the vision outlined by the President will be implemented by the agency and will spearhead collaboration with partners across sectors and around the globe to provide cybersecurity tools and resources, protect critical infrastructure, respond to, and recover from cyber incidents prior to cyber threats incidents reported on different cybersecurity agencies.
National Security Agency (NSA)
The NSA is an agency responsible for collecting and analysing foreign signals intelligence to protect U.S. national security systems and networks. The NSA works to prevent and eradicate threats to U.S. national security systems with a focus on the Defense Industrial Base and the improvement of weapons’ security. Through its Cybersecurity Collaboration Center, NSA partners with allies, industry and researchers to strengthen awareness to advance cybersecurity outcomes.
As NSA is part of the Defense Department, the agency responsible for U.S. cryptographic and communications intelligence and security. National Security Agency Director, Paul Nakasone expressed concern during congressional testimony about Chinese-owned video app TikTok's data collection and potential to facilitate the gathering of sensitive data of U.S. users with potential to end up in the hands of the Chinese government. While the U.S. The House Foreign Affairs Committee voted on giving powers to President Joe Bident the power to ban TikTok. The White House has announced that government agencies have 30 days to remove TikTok from federal devices and systems.
Future Developments
The rules issued by the FCC in November 2022 target Chinese-made communications equipment. After consulting with various government agencies, the FCC came to the conclusion that these products pose a threat to U.S. national security. The new rules prohibit the authorization of Chinese telecommunications included in the Covered List published by the FCC's Public Safety and Homeland Security Bureau following the Secure and Trusted Communications Networks Act of 2019. The FCC will not issue a certification in favor of these companies included in the Covered List, which makes it impossible for them to secure a permit to operate in the United States. At present, Chinese telecommunication companies such as Huawei Technologies, ZTE Corporation, Hytera Communications, Hangzhou Hikvision Digital Technology, and Dahua Technology (and their subsidiaries and affiliates) are included in the Covered List.
We should expect to see U.S. intelligence agencies becoming more involved in cybersecurity decision making and partnership building. Both U.S. political leadership and the general public are becoming more aware of the cyber threats posed by China and other state and non-state actors, which will lead to further support for stringent regulations to protect U.S. security, consumers, and businesses.
Comments