The US Office of National Intelligence and other national security agencies have described the risk of intrusion by the People’s Republic of China (PRC) enabled through technology like Huawei smartphones, Hikvision video cameras, and Lenovo laptops. Substantive federal policy enacted by the National Defense Authorization Act (NDAA) may restrict some products and firms from federal procurement, but these products are still widely available for consumers and enterprise and are unwittingly purchased by state government. The Federal Communications Commission (FCC) wants to close this loophole. Its Congressional authority and mandate to do so is described among other legislation in the 2019 Secure and Trusted Networks Act which established the FCC’s “Covered List” and the roadmap for adding entities which pose an unacceptable risk to national security.
Today the U.S. House of Representatives passed the Secure Equipment Act by a decisive vote of 420-4. This bipartisan legislation sponsored by House Republican Whip Steve Scalise and Congresswoman Anna Eshoo (D, CA-18), now heads to Senate under the sponsorship of Markey (D-MA) and Rubio (R-FL). It requires that the FCC to update its equipment authorization process to end the review and approval of equipment and devices made by companies deemed an unacceptable risk to our national security.
Speaking on the FCC’s proceeding on the matter at China Tech Threat earlier this week, FCC Commissioner Brendan Carr called drone maker Shenzhen DJI Sciences and Technologies Ltd. (DJI) “a Huawei on Wings” and said it should be added to the Covered List. Carr highlighted numerous reports from national security agencies describing how DJI drones employ surveillance technology collecting vast amount of sensitive and personal data which can be accessed by the PRC.
The event Unacceptable Risk: Expanding the FCC’s Covered List to Reflect Reality featured reactions from tech and natsec experts including Center for New American Security Martijn Rasser, natsec attorney Jordan Brunner, Georgetown Center for Security and Emerging Technology Emily Weinstein, and Telecommunications Industry Association Colin Andrews. There is a “very strong case” that YMTC, a top chipmaker in China with military ties, ought to be added as well, Rasser said. Brunner observed that for consumers, that FCC and NDAA restrictions ensure that tax dollars are not directed to malicious entities.
The panel discussed how Covered List entities could attempt to skirt restrictions. “Fundamentally, we need to focus on where we have leverage—what are the chokepoint technologies,” he explained. “The Chinese have been very good at creating cutout companies and intermediaries [to circumvent U.S. regulations],” which creates a “game of whack-a-mole” that expends U.S. resources, noted Rasser.
For example under section 889 of the NDAA, contractors to the US military must ensure that they do not deliver products or services containing restricted items. However, such a rule could be circumvented by changing the label on a restrited product, as Sepio depicts in a video. Sepio provides hardware access control solutions with fingerprinting technology and machine learning to give organizations visibility into their hardware assets, whether connected as a computer peripheral or network device. It then triggers an alert if any of the enterprise’s assets are acting abnormally or are identified as rogue devices spoofing as legitimate ones. The application administrator can enforce specific hardware usage policies, creating granular access control based on roles or device characteristics.
Estimating the level and scale of intrusion on US as perpetrated by the PRC is difficult given historic reluctance of US government authorities to discuss it. However, Congress has mandated some public reporting, for example the recent publication by the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency on cyberactivity between 2011-2013 in which the PRC infiltrated several US pipelines. Some reports may take 30 years or more to enter the public domain.
Taiwan’s Ministry of Foreign Affairs reported that cyberattacks by the PRC increased 40-fold in 2020 from 2018. It has recorded 778,000 intrusions in 2020, or 2,100 per day. This suggests that the related figure for the US could be significant.