FCC failed to monitor Chinese telecoms for almost 20 years: Senate report
The Federal Communications Commission and other US agencies have failed to properly oversee Chinese telecom companies that operate in the United States, according to a bipartisan Senate report released today.
After a year-long investigation, the staff report by the US Senate’s Permanent Subcommittee on Investigations “found that the FCC and ‘Team Telecom’—an informal group comprised of officials from the Departments of Justice, Homeland Security, and Defense—have failed to monitor these three Chinese government-owned carriers,” a joint announcement by the subcommittee’s Republican and Democratic leaders said. The three carriers the subcommittee referred to are China Telecom Americas (CTA), China Unicom Americas (CUA), and ComNet USA. The companies “operated in the US for nearly 20 Years with little to no oversight from the federal government,” the senators’ announcement said.
“The Chinese government engages in cyber and economic espionage efforts against the United States and may use telecommunications carriers operating in the United States to further these efforts,” the report said.
The report comes two months after the FCC stepped up its scrutiny of telecom companies controlled by the Chinese government. The FCC issued orders to China Telecom, China Unicom, ComNet, and ComNet owner Pacific Networks, directing them “to explain why the Commission should not start the process of revoking their domestic and international section authorizations enabling them to operate in the United States.” But the FCC and other agencies had previously failed to exercise proper oversight of these companies, the Senate report said.
The lack of oversight described in the report occurred during both Republican and Democratic administrations. “An FCC spokesman said the commission looks forward to reviewing the Senate report,” according to a Reuters article today.
China Telecom faced little US review
Team Telecom—the informal grouping of the Department of Justice, Department of Homeland Security, and Department of Defense—evaluates national security and law enforcement concerns about telecom carriers and makes recommendations to the FCC.
A section of the report on China Telecom says the company “is ultimately owned by the Chinese government” and has operated in the US for nearly 20 years. The company’s “US operations provide opportunities for China to engage in economic espionage against the United States,” the report said.
When China Telecom applied for authorization to operate in the US in 2001, Team Telecom did not object, and the FCC thus “streamlined the application and approved it two weeks after accepting it for filing.” The original authorization “limited CTA to providing international services between the United States and international points, other than China,” but the FCC shortly thereafter approved another “authorization to serve as a facilities-based carrier between the United States and China.”
After those two authorizations, “Team Telecom did not interact with CTA between 2002 and 2007” and “documents suggest that Team Telecom may not have understood that, prior to 2007, CTA was providing services between the United States and China,” the Senate report said.
CTA notified the FCC of a change in ownership in July 2007, though this “change had no impact on CTA’s ultimate ownership” by the Chinese government, the report said. The restructuring triggered a new FCC review, in which CTA told the agency that “its customers were split among enterprise customers and other telecommunications carriers throughout the United States.” CTA also “provided Team Telecom with a list of its top three executives—all of whom were Chinese nationals.”
“Team Telecom determined that security measures were warranted,” and “the parties negotiated a three-page security agreement” that among other things was intended “to prevent unauthorized access to, or disclosure of the content of, communications or US records.”
But the US government barely followed up with CTA after that agreement. “Team Telecom’s oversight of CTA since 2007 has consisted of two site visits and intermittent email communication,” the Senate report said.
“When asked to explain the lack of oversight during this period, despite the security agreement being in effect, Team Telecom officials pointed to the security agreement, noting that because it was broadly written, demonstrating compliance was straightforward,” the report said.
Hands-off approach ends
Team Telecom finally began “substantive oversight of CTA” in 2017, in part with a site visit that “identified concerns related to CTA’s storage of US customer data.” The report also said there have been “allegations of China Telecom hijacking communications data dat[ing] back to 2010,” but “Team Telecom did not question CTA about these reports until January 2019.”
CTA denied the allegations, and “Team Telecom appears to have relied on CTA’s written representations regarding the alleged incidents. Team Telecom provided no records or explanation of it conducting further interviews, requesting or reviewing additional documentation, or otherwise questioning CTA’s assertions,” the Senate report said.
The hands-off approach changed by April 2020, when Team Telecom “recommended the FCC revoke and terminate CTA’s Section 214 authorizations because of ‘substantial and unacceptable’ national security risks.” Team Telecom “warned that CTA’s facilities-based authorizations allow it to request interconnections with US carriers” and that CTA had “already established relationships with major US carriers, including Verizon, CenturyLink, and AT&T.”
“Neither Verizon, AT&T, nor CenturyLink maintains any mitigation or other agreement focused on network security with CTA or its parent company,” though these US carriers “maintain company-wide cybersecurity defenses that apply to all external traffic,” the Senate report said.
The report says that “CTA is untrustworthy,” arguing that the company’s “delayed response” to document and information requests in April 2018 “called into question CTA’s willingness to comply with the security agreement.” Team Telecom also found that “CTA had breached the security agreement by failing to implement a formal written information security policy prior to December 1, 2018.”
China Telecom denies “purely hypothetical risks”
The FCC is still considering the Team Telecom recommendation to revoke CTA’s authorizations. CTA disputed the allegations in an FCC filing yesterday, saying that the FCC “inquiry unfairly and improperly places the burden on CTA to prove a negative regarding unspecified national security concerns about ‘exploitation’ and ‘influence’ of the Chinese government. These vague terms are left undefined in the Order or, to CTA’s knowledge, anywhere in the FCC’s rules or decisions.” CTA’s redacted filing says the company “serv[es] many US customers” and employs “many US citizens and permanent residents.”
“[E]ven if the commission were to credit the purely hypothetical risks suggested by the [Team Telecom] recommendation, none of which have actually occurred, the commission would have to consider whether there is a remedy short of revocation that would foreclose these risks while preserving the services used by thousands of CTA customers. Team Telecom’s summary refusal even to consider potential mitigation measures is not justified,” China Telecom wrote.
CTA also wrote that “the Communications Act and Commission precedent permit revocation of CTA’s authorizations only if there is clear and convincing evidence of egregious misconduct by CTA.”
https://arstechnica.com/?p=1682529