Analysis
Attacks and Vulnerabilities
Critical infrastructure
News
Regulation, Standards and Compliance
Supply Chain Security
Technology & Solutions
Threat Landscape

FCC bans equipment authorization for Chinese hardware, adopts new rules for communications networks, supply chains

November 28, 2022
iFCC bans equipment authorization for Chinese hardware, adopts new rules for communications networks, supply chains

The U.S. Federal Communications Commission (FCC) has adopted new rules, under the Bipartisan Secure Equipment Act of 2021, which prohibit communications equipment deemed to pose an unacceptable risk to national security from being authorized for importation or sale in the country. The amended rules relate to equipment authorization to further secure communications networks and supply chains from equipment that poses an unacceptable risk to national security of the U.S. or the security and safety of its citizens. 

The FCC Report and Order applies to future authorizations of equipment identified on the Covered List published by the communications agency’s Public Safety and Homeland Security Bureau pursuant to the Secure and Trusted Communications Networks Act of 2019. The new rules prohibit the authorization of equipment through the FCC’s Certification process, and makes clear that such equipment cannot be authorized under the Supplier’s Declaration of Conformity process or be imported or marketed under rules that allow exemption from an equipment authorization. 

Furthermore, the Covered List that includes both equipment and services surrounds communications equipment produced by Huawei Technologies, ZTE Corporation, Hytera Communications, Hangzhou Hikvision Digital Technology, and Dahua Technology, apart from their subsidiaries and affiliates. The new rules implement the directive in the Secure Equipment Act of 2021, signed into law by President Biden last November, that requires the Commission to adopt such rules.

While the FCC’s Report and Order, Order and Further Notice of Proposed Rulemaking was adopted Nov. 11, it was released on Nov. 25. The agency said that the comment  date will be 30 days after Federal Register publication, with reply comment date posted for 60 days after Federal Register publication.

The FCC has also prohibited the use of public funds to purchase covered equipment or services, launched the Secure and Trusted Communications Networks Reimbursement Program to remove insecure equipment that has already been installed in U.S. networks, revoked operating authorities for Chinese state-owned carriers based on recommendations from national security agencies, updated the process for approving submarine cable licenses to better address national security concerns, and launched inquiries on IoT security and internet outing security, among other measures. 

The FCC also said that according to the proposals in the Notice of Proposed Rulemaking (NOPR), the agency will adopt revisions to its equipment authorization program. The move will help prohibit authorization of equipment that has been identified on the Commission’s Covered List – published pursuant the Secure and Trusted Communications Networks Act of 2019 – as posing an unacceptable risk to national security of the U.S. Additionally, it prohibits the marketing and importation of such equipment in the country. 

“We also address what constitutes ‘covered’ equipment for purposes of implementing the equipment authorization prohibition that we are adopting,’ the FCC order said. “The actions we take today in adopting new rules and procedures comply with Congress’s directive in the Secure Equipment Act of 2021 to prohibit authorization of ‘covered’ equipment on the Covered List within one year of that Act’s enactment and lay the foundation to prohibit the authorization of any additional ‘covered’ equipment that may be added to the Covered List based on a determination that such equipment poses an unacceptable risk to national security,” it added.

The FCC Order adopts an interim freeze on further processing or grant of equipment authorization applications for equipment that is produced by any entity identified on the Covered List as producing ‘covered’ equipment, effective until the rules prohibiting such authorization become effective.

According to the new rules adopted pursuant to the Secure Equipment Act, the FCC will no longer authorize equipment that is on the Covered List because it poses an unacceptable risk to the national security of the U.S. or the safety of its citizens. The move will include telecommunications and video surveillance equipment from Huawei and ZTE. It also includes telecommunications and video surveillance equipment from Hytera, Hikvision, and Dahua that is used for the purpose of public safety, security of government facilities, physical surveillance of critical infrastructure, and other national security purposes. 

For these three companies, the FCC will require them to document what safeguards they will put in place on marketing or sale for these purposes and we are putting in place a freeze on all of their telecommunications and video surveillance equipment authorization applications until that work is done.

The FCC action also covers base station equipment that go into communication networks. It covers phones, cameras, and Wi-Fi routers that go into homes, and covers re-branded or ‘white label’ equipment that is developed for the marketplace. In other words, the approach is comprehensive. 

“However, because we recognize that these issues may evolve over time, we also adopt a further rulemaking to invite additional comment on the need to update our equipment approval process to address component parts,” according to documents released by the agency. We also ask how and if it is necessary to consider the revocation of any existing authorization for covered equipment in the future.”  

The FCC order also disclosed that the agency will adopt a Further Notice of Proposed Rulemaking on issues raised in the Notice of Proposed Rulemaking. “First, we seek further comment on potential additional revisions to the rules and procedures associated with prohibiting the authorization of ‘covered’ equipment in our equipment authorization program. Second, we seek additional comment on proposed revisions to the Commission’s competitive bidding program (EA Docket No. 21-233). We do not address, at this time, the cybersecurity-related issues raised in the Notice of Inquiry,” the order added. 

In the Further Notice of Proposed Rulemaking, the Commission seeks comment on further revisions to the equipment authorization program and competitive bidding program. On the equipment authorization program, the FCC seeks further comment on the extent to which component parts should be considered in the Commission’s prohibition on authorization of ‘covered’ equipment, and the extent to which the Commission should revoke any previously authorized equipment that is ‘covered’ equipment (and if so, based on which considerations and procedures). It also seeks feedback on whether to require all applicants seeking equipment certification to have a U.S.-based responsible party to help ensure compliance with the Commission’s equipment authorization program rules.

Regarding the competitive bidding program, the FCC seeks further comment on possible revisions to the competitive bidding rules to address national security concerns. 

Commenting on the move, Jessica Rosenworcel, FCC chairwoman said in a statement that the agency is going a step further, by addressing not just communications but the process used to authorize communications equipment in the United States. “While we’ve flagged equipment as posing a national security risk, prohibited companies from using federal funds to purchase them, and even stood up programs to replace them, for the last several years the FCC has continued to put its stamp of approval on this equipment through its equipment authorization process. So long as this equipment carries that stamp, it can continue to be imported into the United States and sold to buyers who are not using federal funds,” she added. 

Rosenworcel added that does not make any sense. “After all, there is little benefit in having these lists and these bans in place just to leave open other opportunities for this equipment to be present in our networks. So today we are taking action to align our equipment authorization procedures with the rest of our national security policies.”

U.S. House Republicans raised concerns in October that Huawei infrastructure continues to exist across the nation’s cellular network despite its threat to national security. As a result, the lawmakers have requested a briefing by Oct. 25 from the Department of Defense (DoD) and FCC on what efforts are underway to remove Huawei infrastructure from the nation’s cellular network.

Last week, the FCC published a notice in the Federal Register proposing requirements for emergency alert system (EAS) participants to report compromises of their equipment, communications systems, and services to the commission. The agency also seeks comment on whether and how to promote the operational readiness of EAS.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Mandiant exposes APT44, Russia's Sandworm cyber sabotage unit, targeting global critical infrastructure
Mandiant exposes APT44, Russia’s Sandworm cyber sabotage unit, targeting global critical infrastructure
Hexagon and Dragos announce technical alliance to boost industrial cybersecurity, reduce overall OT cyber risk
Hexagon and Dragos announce technical alliance to boost industrial cybersecurity, reduce overall OT cyber risk
Armis
Armis acquires Silk Security for $150 million to enhance AI-driven cybersecurity capabilities
Nozomi discovers five vulnerabilities in AMI MegaRAC SP-X BMC, exposing OT, IOT devices to RCE attacks
Nozomi secures US$1.25 million US Air Force contract to boost DoD critical infrastructure security
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape
House Energy and Commerce Committee members seek answers from UnitedHealth on Change healthcare cyberattack
House Energy and Commerce Committee members seek answers from UnitedHealth on Change healthcare cyberattack
CISA announces Cyber Storm IX cybersecurity exercise to strengthen national cyber readiness
CISA announces Cyber Storm IX cybersecurity exercise to strengthen national cyber readiness
New NSA guidance identifies need to update AI systems to address changing risks, bolster security
New NSA guidance identifies need to update AI systems to address changing risks, bolster security
Claroty’s Team82 details cyber attack by Blackjack hackers on Moscow's emergency detection systems
Claroty’s Team82 details cyber attack by Blackjack hackers on Moscow’s emergency detection systems
Kaspersky ICS CERT reports on escalating consequences of cyber attacks on industrial organizations
Kaspersky ICS CERT reports on escalating consequences of cyber attacks on industrial organizations