Client Advisory: Communications equipment and services from certain manufacturers may threaten national security
On November 22, 2019, the Federal Communications Commission (“FCC”) adopted rules banning the use of federal universal service fund (“USF”) subsidies to purchase equipment and services from any company posing a national security threat to communications networks or communications supply chains. The FCC also set out (1) a certification and audit-based process to streamline the process to ban USF-subsidized purchases from any company that might in the future be found to threaten national security and (2) a process to identify and replace suspect network equipment already in use. Consistent with the new rule, the FCC banned the USF-subsidized purchase of communications equipment made by Huawei Technologies Company (“Huawei”) or ZTE Corp (“ZTE”). The FCC’s decision was unanimous, and the new rule will take effect upon publication in the Federal Register, possibly before the end of 2019.
While the FCC’s action applies only to equipment purchased by USF recipients, it may signal the presence of a much more widespread threat that warrants attention from any company that buys or uses communications network equipment. Electric utilities, pipeline operators, power generation companies, and similar companies that do not provide communications services to customers but nevertheless build and use networked facilities may also have cause for concern. The FCC’s decision cited a variety of concerns about intellectual property theft, bribery, corruption and espionage, as well as software and hardware-based network “backdoors” that hostile agents can use to distribute viruses and malware or access confidential and sensitive government, corporate or personal data.
It is also worth noting that, according to a Wall Street Journal report, more than a dozen U.S. electric utilities of varying size were hit recently by a series of hacking attacks. Some of the targeted companies, which collectively operate in 18 states including Texas, are located near critical infrastructure like federal dams and important transmission lines. The Journal reports that the FBI is investigating the cyberattacks, which might be ongoing, and is in contact with some of the targeted companies. The report indicated that the hackers, who apparently left identifying information on a server in Hong Kong, were attempting to install malware that could allow them to control and steal information from their target’s computers.
We are unaware of any connection between Huawei or ZTE equipment and these cybersecurity attacks. However, the concurrence of these events may signal the need for increased attention to cybersecurity and supply chain management risks when purchasing networked communications equipment.
Please feel free to contact us to discuss your concerns and needs regarding privacy and cybersecurity-related legal and regulatory matters, including policy development, compliance, transactions, data governance, and employee training.
Katherine K. Mudge
John A. Menchaca