DOES CALEA PERMIT THE FCC TO BAN “UNTRUSTWORTHY” EQUIPMENT VENDORS SUCH AS HUAWEI AND ZTE?
The Federal Communications Commission rarely adopts rules directed at certain named communications companies. It is unprecedented for the Commission to use the CALEA lawful surveillance statute as a tool of cybersecurity. Yet the FCC just cited CALEA as one basis to restrict the use of communications equipment made by China’s two leading communications equipment vendors: Huawei Technologies Company and ZTE Corporation. Can the FCC do that?
The USF ban on Huawei and ZTE
On November 26th the Commission released an order that significantly modified a subsidy program called the Universal Service Fund. The USF promotes the buildout of broadband networks for rural areas, as well as schools and libraries. According to the FCC order, USF funds may no longer be used to buy equipment or services from vendors that pose “a national security threat” to the U.S. The order explained that the FCC would make a list of such “untrustworthy” vendors. Then the order imposed an initial designation of untrustworthiness on Huawei and ZTE.
To justify its action against vendors such as Huawei and ZTE, the Commission cited multiple sources of authority. Among the named laws was CALEA. CALEA requires telecommunications carriers to equip their networks with certain technical capabilities needed to implement court orders for surveillance. The FCC asserted that under CALEA it may ban untrustworthy vendors to protect against unauthorized surveillance.
One issue raised in the USF order was how to compensate carriers that may be forced to “remove and replace” FCC-banned equipment with acceptable gear. The Rural Wireless Association estimated that the potential replacement of the infrastructure could cost its members about $1.2 billion.
On December 4th Huawei challenged the FCC order before the U.S. Court of Appeals for the Fifth Circuit, where the company’s U.S. headquarters is based. Huawei’s petition claimed the FCC lacked authority to impose the USF ban and failed to provide evidence supporting its determination that Huawei posed a cybersecurity threat. For over a decade Huawei had battled U.S. accusations that the Chinese government could exploit the vendor’s technology for spying. But that did not stop the U.S. Defense Department or Commerce Department from imposing their own blacklists of Huawei gear.
How the FCC interpreted CALEA to justify the USF ban on Huawei and ZTE
After stating that the FCC may condition the disbursement of USF funds on public interest factors such as national security, the order then presented a more specific justification for its USF ruling under CALEA. It cited CALEA Section 105, titled “System Security and Integrity.” Section 105 states that a CALEA-covered telecommunications carrier must ensure that any interception on its network is activated only with the authorization of a court and the approval of an appointed member of the carrier’s staff. The Commission theorized that an untrusted supplier could insert malicious code in a carrier’s network that would enable the supplier to activate surveillance without the awareness of a court or the carrier’s staff. According to the agency, Section 105 imposes a duty to avoid the risk of such unauthorized surveillance.
The above characterization of CALEA Section 105 as a defense against cybersecurity attacks marks a curious departure from the conventional interpretation of the 25-year-old statute. Because cybersecurity was a relatively new term at the time, and cyberattacks were rare, nothing in the text of Section 105 even mentioned cybersecurity. The language spoke only of the need for surveillance to be done with certain legal approvals.
The legal nature of Section 105 was also the focus of CALEA’s legislative history. The October 4, 1994 House Judiciary Committee Report 103-827, titled “Telecommunications Carrier Assistance to the Government,” established the official purpose of CALEA. Among other things, the Report explained the Congressional intent behind Section 105:
within the switching premises of a telecommunications carrier … All executions of
court orders or authorizations requiring access to the switching facilities will be made
through individuals authorized and designated by the telecommunications carrier.
Clearly, the goal of Section 105 was to prevent law enforcement from activating a carrier’s embedded surveillance solution themselves or without obtaining the proper legal approvals. The Section was not intended to prevent equipment vendors or others from threatening the carrier’s cyber defenses.
Even the FCC’s own rules governing CALEA interpret Section 105 as a protocol to ensure the legality of surveillance. The rules do not mention cybersecurity. Rule Section 1.20003, titled “Policies and procedures for employee supervision and control,” requires the carrier to:
interception of communications or access to call-identifying information
within its switching premises can be activated only in accordance with a
court order or other lawful authorization and with the affirmative intervention
of an individual officer or employee of the carrier.
Based on the above, the Fifth Circuit Appeals Court review of Huawei’s petition may well overturn the USF restriction to the extent it relies on the FCC’s revisionist reading of CALEA.
How CALEA-covered carriers may respond to the USF ban on Huawei and ZTE
Not many large U.S. carriers have outfitted their networks with Huawei equipment. On the other hand, the core network elements of Huawei and ZTE are reportedly cheaper than those of other vendors that serve the U.S. market. Cost is an important factor among the small, rural competitors that receive USF funding. Now those entities face the dilemma of buying non-Huawei/ZTE products or forgoing USF subsidies.
The impact of the USF order reaches far beyond the realm of small and rural carriers to all CALEA-defined telecommunications carriers: telephone companies, wireless carriers, broadband providers, interconnected VoIP providers, cable providers, satellite operators, potentially other voice and data service providers and their resellers.
For this broader scope of industry players, the conservative approach to CALEA compliance would be to avoid Huawei, ZTE, and perhaps other Chinese equipment manufacturers. Any network design that unwittingly permits a foreign government to spy on U.S. citizens or monitor U.S. surveillance practices could be disastrous for national security.
However, it is far from certain that the Commission’s USF order will survive judicial scrutiny. As explained, the FCC’s reliance on CALEA to regulate communications network security is doubtful. The Commission may lack any jurisdiction over network security. Even if the Fifth Circuit finds grounds for the FCC to regulate network security, the question remains whether the agency has produced enough evidence to demonstrate that Huawei or ZTE poses a threat to network security. The evidence disclosed in the USF order is vague. The order emphasizes the fact that the Chinese government has strong powers of cyber espionage and ties to Huawei and ZTE. But it lacks examples of any Chinese telecom network elements found to contain spyware. Adding to the mystery, most of America’s allies have not treated Huawei or ZTE as a national security threat.
In this climate of regulatory uncertainty, carriers mapping their CALEA compliance strategies may decide to wait for the Fifth Circuit to address the USF order before they foreclose any opportunities to buy the infrastructure products of Huawei, ZTE, or other Chinese vendors.
Implications for CALEA safe harbor protection
Suppose the Fifth Circuit upholds the FCC’s newly conceived CALEA authority to blacklist untrustworthy telecom equipment vendors, but carriers have already installed industry-published “safe harbor” CALEA surveillance solutions in their networks using Huawei or ZTE switches. Could the FCC force the carriers to replace those switches despite the validity of the safe harbor set-ups? The answer is a qualified “yes.”
CALEA Section 107 treats safe harbor solutions as presumptively valid, but the presumption could be overcome. If the FCC considers a solution “deficient” because it does not adequately “protect the privacy and security of communications not authorized to be intercepted,” it could open a rulemaking proceeding to explore methods of closing the stated security gap. The resulting rule could exclude network elements deemed untrustworthy from inclusion in the safe harbor standard. Industry could then appeal the rule, just as Huawei appealed the USF order. And if the new safe harbor standard is upheld, the FCC would be required to provide “reasonable time and conditions” for industry to implement the new standard.
Notice the potentially sweeping implications of the USF order. If upheld, the ruling could cause significant disruption to the USF-dependent sector of the communications industry and even more widespread disruption to industry overall.