Lawfare Daily: How the FCC is Tackling National Security with Enforcement Bureau Chief Loyaan Egal

[Intro]

Loyaan Egal: The telecom industry is one of the few industries similar to the financial sector and the health sector where there are specific statutory requirements for protecting sensitive data.

Scott R. Anderson: It's the Lawfare Podcast. I'm Scott R. Anderson, Lawfare Senior Editor, with Lawfare Contributing Editor, Brandon Van Grack, and Loyaan Egal, the head of the Enforcement Bureau for the Federal Communications Commission, or the FCC.

Loyaan Egal: We're going to continue to prioritize the work that I mentioned before, making sure that telecommunication companies are hardening, you know, their vulnerabilities, making sure that they're protecting sensitive data consistent with statutory and regulatory requirements and making sure they're protecting people's privacy, not using their information beyond the need to provide the service that the customer is expecting to receive.

Scott R. Anderson: Today, for the latest installment of our “The Regulators” series, co-produced with Morrison Foerster, we're discussing the FCC's growing role in addressing national security concerns.

[Main Podcast]

Brandon Van Grack: One of the reasons that Scott and I are particularly excited to have you here is at the Regulators, we've gone through sort of a number of regulators in the national security space and the FCC is one that at least I don't think is as well-known or at least is not immediately thought of when you think national security regulator and the reality is by just volume of press releases I'm getting from your office, you all are actually remarkably active in this space.

And so, really want to begin sort of taking the time really understanding the organization and the reason why it is such an important player in the national security space. And, but I think to do that before we jump into the Enforcement Bureau, and the FCC, I want to talk a little bit about your background and wondering if you can sort of walk our listeners through your background in particular, what brought you to the FCC in this role.

Loyaan Egal: Great. Thank you very much, Brandon, Scott. Very happy to be here to join you today to talk about all the great work that the FCC is doing and in particular, the Enforcement Bureau. My background prior to being at the FCC, I've ping ponged a little bit back and forth between the FCC and DOJ. I started my career after a judicial clerkship in the Southern District of New York as a criminal assistant U.S. attorney in Manhattan, working on a number of matters. Ended my tenure there working in the Public Corruption Unit. Moved down to Washington, D.C. and joined the U.S. Attorney's Office in the District of Columbia, where I worked on corruption matters as well in the Fraud and Public Corruption Section.

About 2014, I was asked to join the FCC to establish what then was the first white collar fraud unit at the FCC, the Universal Service Fund Strike Force. The Universal Service Fund is a multi-billion dollar program that the FCC administers that assist low income individuals schools, libraries, rural locations with access to communication equipment and services. And with any multi-billion-dollar program, there's always issues related to fraud. So we established a white collar unit at the time, known as the strike force and now has permanently become and transitioned into a division within the enforcement bureau known as the Fraud Division. That was between 2014 and 2017.

I then came back to DOJ to join the National Security Division, which of course you're very familiar with, overseeing the telecom foreign investment portfolio which is known as Team Telecom. I was the inaugural deputy chief asked to oversee that portfolio dealing with foreign investment, national security, law enforcement risk in the U.S. communications infrastructure. Did that until 2022, by then, the Chairwoman of the FCC Jessica Rosenworcel asked me to join the FCC and head up the FCC’s Enforcement Bureau which I currently oversee.

Brandon Van Grack: Given how active you all have been, I suppose it's no accident that a former prosecutor and someone from the DOJ is now leading the bureau, but that's my bias, not yours, so no comment on that. So maybe we can dive into the FCC then and talk a little bit about again, I think it really translates well to your background, which is: could you talk a bit about its broad scope and in particular how it connects to national security?

Loyaan Egal: Sure. So the FCC was established in 1934 under the Communications Act of 1934. And the FCC is usually not top of mind, as you stated or alluded to, when it comes to national security. But within that statute when Congress established the FCC, it stated that it was for purposes of the national defense. So, the FCC has always had a national security mandate associated with the work that it does.

The FCC is unique in that it is a licensing and rulemaking agency that has enforcement authorities. Therefore, it gets to see all of these issues from a holistic perspective, in that it gets to do the rulemaking to address the issues that are confronting the United States when it comes to communications integrity. It then also has the ability to enforce those rules. And the breadth of what the FCC regulates goes all the way from under the ocean submarine cables, which 99 percent of the communications and data across the world traverses through submarine cables under the ocean, all the way up to satellites and where those satellites orbit, and what they transmit, and everything in between.

So you can imagine anything related to communications touches what the FCC regulates. The FCC is unique in that it is a agency that has consumer protection authorities and responsibilities, but also regulates critical infrastructure, which has been defined under previous Presidential Policy Directive, PPD 21, which was replaced by National Security Memorandum 18, defining communications infrastructure as critical infrastructure. So that hopefully captures the important role that the FCC plays.

Scott R. Anderson: So, you're of course the head of the Enforcement Bureau within the FCC. Talk to us about what the role of that bureau is, how it intersects with the regulatory function, with the other functions, and kind of how that's changed in recent years, particularly with an eye towards those national security roles that the FCC plays that's a little underappreciated.

Loyaan Egal: The Enforcement Bureau is one of 18 bureaus and offices within the commission, the FCC, and we play the specific role of enforcing the statutes that the FCC is responsible for, the Communications Act, and the statutes that have amended the Communications Act, and the regulations that the FCC enacts. So that is our primary responsibility. We are also responsible for interacting with law enforcement at the state, federal, and international levels on enforcement matters on behalf of the commission. So that gives us an opportunity to build those relationships across the board.

But let me pull back a little bit and talk about the FCC generally before I get into Enforcement Bureau. The FCC in the last seven to eight years has played a pivotal role in national security, interacting with the interagency, and in addition to Congress continuing to give it additional national security responsibilities. So, well, going back to 2018, and I've been fortunate enough to have a front seat view for a lot of these events. In 2018, what's known as Team Telecom, which I mentioned previously, the interagency committee that assesses national security and foreign investment risk with regards to telecommunication services in the United States, issued its first ever recommendation to the FCC recommending that the FCC deny the application of a company called China Mobile International USA, which was the U.S. subsidiary of a state-owned enterprise company in China. That recommendation specifically stated that there were unacceptable national security and law enforcement risks, and that the FCC should not grant that license. That was a watershed moment because that license had been pending, that application for a license had been pending for seven years.

Once that recommendation was made in 2018, the next year in 2019, the Team Telecom made another recommendation to the FCC, this time to revoke an existing authorization that belonged to another U.S. subsidiary of a Chinese state-owned enterprise company called China Telecom Americas. In 2019, in addition to those actions that took place, the administration at the time issued the Executive Order 13873, which was the securing the supply chain and the information communications technology services. Commerce oversees that executive order, but specifically the FCC is enumerated and listed as an agency that Commerce must interact with when it's considering regulations and enforcement in that space.

In 2019, the FCC itself issued rules with regards to whether or not USF money could support equipment or services to certain entities that have been found to be national security law enforcement risks. 2020: the Executive Order 13913 was established, was issued, establishing Team Telecom as a formal committee which, Team Telecom previously had been ad hoc. And then after that, Team Telecom made recommendations about FCC licenses that were pending to, to submarine cable connections between the United States and Hong Kong.

After that Congress issued the Secured and Trusted Communications Network Act in 2020, again, directing the FCC to oversee what's known as the covered list. And that entails entities or equipment that come on that list not being allowed to provide services or equipment in the United States. And all the way to 2022 and 2023, where the courts basically, found the decisions that the FCC made, finding those national security risks that the committee had recommended upon, basically finding that those should be approved. So, that is a long span, you know, of a seven-to-eight-year window showing where the FCC itself has been involved in, in various aspects of national security.

Specific to the Enforcement Bureau, we have worked closely to address national security risk across the entities that the FCC regulates. So, recently we've announced consent decrees with several telecom carriers that address data breaches and, of sensitive consumer data. In addition, an example of that that touches on Team Telecom is a consent decree we entered into with a company called Latin Liberty America. In that instance that company had a mitigation agreement that required it to report breaches. They did not do so. And we then came in and enforced that provision by finding, you know, them that they had not followed that provision, and therefore we ended up entering into a consent decree with them.

So, that hopefully encompasses examples of how the Commission broadly and how the Enforcement Bureau specifically has been involved in the national security space.

Scott R. Anderson: I mean, it's an incredible trajectory of change, really, over the last decade that you've borne witness to at the FCC. Change of mandate, change of focus or expansion, perhaps, maybe more than a change.

How does the FCC's operations with the Enforcement Bureau and the FCC more broadly relate to its fairly unique structure compared to other federal agencies? Obviously, the, the last C in FCC stands for commission. It's led by commissioners. Talk to us about how that changes how it engages or approaches these issues, and changes in focus over time compared to the Treasury Department or the Commerce Department and how it doesn't change and what impact that's had on this kind of national security focus that's been coming more to the fore.

Loyaan Egal: So, the way the commission is structured, it's five commissioners led by a chairperson. In this instance, it's currently led by Chairwoman Jessica Rosenworcel. Those commissioners and the chairwoman are nominated by the president and confirmed by the Senate. When we bring enforcement actions, those matters have to be voted upon by the Commission, and you need a majority vote for an enforcement action to proceed. So, that is the context within which we work when we bring our enforcement actions.

Before we get to an enforcement action, obviously, you have the investigation phase of a case. And, you know, the other challenge that we face is, unfortunately, we have a one year statute of limitations under the Communications Act. So for us, when we are investigating matters, we are under a very tight deadline. So, it forces us to be very efficient in how we're assessing our investigation, the evidence that we're gathering, and when we're going to make the decisions on which way we're going to proceed.

Specific to looking at, you know, the national security space, when we're conducting an investigation, we're looking at it— and this is where I mentioned before having this unique perch of being both consumer protection focused and national security with critical infrastructure— we're looking at an investigation. We may be working with partners at the state attorneys general-level with regards to a breach of consumer information related to telecom services. But we're also viewing it from the national security critical infrastructure space. So we're looking at our investigation and we're asking ourselves, okay, did they protect this data consistent with the Communications Act and with the commission's regulations?

But then we're also looking at what are the vulnerabilities. What's the risk involved, right? You know, as we're, you know, if you go back to the Team Telecom and the CFIUS space, you know, there's a formula that's applied to looking at risk, right? Threat, vulnerability, consequences. And so we've taken that methodology and applied it to our investigations to determine, you know, what is the right step to happen.

So once that happens, we then bring it in front of the Commission for a vote, if we're going to bring an enforcement action that they need to vote on. In many instances, companies will engage in settlement discussions with them before it gets to that point. And as part of those negotiations, we will have conversations about specific terms, issues that we think need to be addressed, vulnerabilities that we may have identified in, in our investigations. And I think you'll see in some of the recent settlements that we've entered into, you'll see an increased scrutiny in looking at how companies are gathering sensitive data, how they're protecting the sensitive data, and then how they are protecting the networks upon which that sensitive data is housed.

Scott R. Anderson: On a related question, obviously the FCC and the Enforcement Bureau within it touch on a huge range of issues that have equities in other parts of the federal government, both because national security intersects with almost every federal agency's responsibilities to some extent, to some extent there's a lot of overlap there, and then the FCC has a very unique regulatory authority that other agencies lack.

How does the FCC and the Enforcement Bureau interact with those other agencies? How much of this is a whole of government effort? How much, or how often does it rise to a whole of government sort of conversation? And how much of it is it really focused within the FCC?

Loyaan Egal: So I'll take the broader FCC first, and then distill it down to the, to the Enforcement Bureau.

As I mentioned before, when I tick through all of those actions that have happened in the last few years, a lot of that interaction happens at various places within the FCC. So for instance, the newly created, it used to be called the International Bureau, it's now referred to as the Office of International Affairs, they're the primary interface with Team Telecom with regards to referring applications that are pending before the FCC that qualify for review, over to the Team Telecom interagency review process. So, they interact very closely with DOJ, Department of Defense, and DHS when it comes to the Team Telecom aspects.

We also have the Office Public Safety Homeland Security Bureau, which is responsible for overseeing the covered list that I mentioned previously. They interact with the interagency with regards to which entities should be put on the covered list. So, for example, the statute requires— that the covered list emanates from— requires that the commission put on the covered list if companies have been found to be national security risks, by other bodies.

Those bodies could include CIFIUS, the Committee on Foreign Investment in the United States, it could include Team Telecom, it could include the Information, Communication, Services, Technology, ICTS, under Commerce or it could include the NDAA statute. So, all of those various touch points within the interagency, the Public Safety Homeland Security Bureau interacts with the interagency upon.

There's also our Office of Engineering and Technology. They, and I didn't mention this other statute that came out in 2021, but the Secure Equipment Act, which followed the statute, the Secure Networks Act statute. The Secure Equipment Act states that if a company or entities are found to be listed on the covered list, then they cannot get an FCC authorization or certification for the equipment to be imported or sold in the United States.

And so an example of that most recently is the Kaspersky finding by Commerce Department, which found it to be an unacceptable risk to U.S. national security. That ended up on the cover list, which then means as a result under the Secure Equipment Act, it cannot receive any FCC certification or authorization.

So, that provides kind of the broader FCC agency interaction with the interagency and the rest of the government. With the Enforcement Bureau, we have, since I've been there in a little over two and a half years, we have worked tirelessly to build the connective tissue with our partners in the interagency, working with my former colleagues at the Department of Justice National Security Division working closely with, or establishing relationships with the Office of Information, Communications, Technology, Services at Commerce, working with the Office of the Director of National Intelligence, and making sure, as well as with the FBI, making sure that we understand what's happening. So, for instance, if we get reports of a data breach, being able to quickly assess, you know, is this a cybercriminal issue, or is it a state actor issue? Right? And being able to have the right people in place.

So for me, a big thing that I emphasized when I got to the FCC, to the Enforcement Bureau, was recruiting people that had that expertise and making sure that we doubled the number of people that had TS/SCI clearances to be able to have those conversations at the requisite levels.

The other area that we've also continued to develop is our partnership internationally with foreign counterparts. So we've made it a point to work with partners in Canada, regulatory partners in Canada, the UK, New Zealand, and Australia to make sure that we are exchanging information and that we are working together to, to assess, for instance, if there's overlap between an entity that we're looking at and whether or not they also have similar interests.

Brandon Van Grack: Hearing you talk about sort of this interagency action and talking about some of your enforcement actions. That there are a number of areas that sort of jump out that have a national security focus: foreign investment, Team Telecom, I'm going to talk a little bit more about that, undersea cables, supply chain, cyber security, all sort of, I think, jump out as to why from a national security and also economic security, why they're important, and one, I think, we want to talk about each of those and talk about some of your actions and sort of how they work, although you've already begun that.

But before we jump in, I just want to press you for one piece, which is, as you said, sort of 2018 was sort of a watershed moment in terms of your actions, but even beyond that, it seems like almost every month now, maybe not quite, there's another enforcement action that you all are announcing. And my question is: why? And you've managed to list a number of executive orders. I have lost count of the numbers and the acronyms. But even though there are some new authorities, that's actually not the sole basis for some of the actions, and so the question is why? Whether it's 2018 or whether it's 2024, what has precipitated, what has clearly been an expanded focus of enforcement?

Loyaan Egal: So, 2018, I think, was the interagency focus that resulted in making the FCC more involved in the process. And then I mentioned Congress passing certain statutes. Since I rejoined the FCC in 2022, I think it's been a combination of my experience and what I wanted the Enforcement Bureau to focus on, having worked in the interagency in the national security space. But it was also the chairwoman of the FCC prioritizing that the FCC should play a continue to play a stronger role in this, in this area.

And so, you know an example of that was the chairwoman creating this privacy and data protection task force. She had observed, you know, the era that we live in, right? Always connected, right? The amount of data that is, is generated with us being on our phones. And, you know, the, the high value of that data, right? Which makes telecommunication companies high target values for cyber criminals and for state actors. So understanding that and understanding what had precipitated that in, you know, in beginning in 2018 and where we currently were, it was how do we bring together through this task force, the FCC’s, you know, resources, expertise, whether in rulemaking, whether in engagement, or whether in enforcement, and how do we do that in a very targeted way?

And so that allowed the, she announced the creation of that task force in June of last year. And since June of that year, of last year, we now have entered into recent, we have had about six consent decrees that the Enforcement Bureau alone has entered into. Three which cover the three major telecom providers in the United States, which is unprecedented for the FCC, but again, illustrates the focus that the FCC has had under the chairwoman's leadership.

And those enforcement actions have allowed us to do something that I see as an area or a gap that needed to be filled. When you look at the foreign investment side of things, and you look at CFIUS, and you look at Team Telecom, and you look at the supply chain: those have very specific triggers, right? For CFIUS, it involves the risk that CFIUS is reviewing has to arise from that specific transaction, right? For Team Telecom, it's limited to certain licenses that have a threshold amount of foreign investment that the FCC then refers to Team Telecom to review. And again, with the supply chain EO that has to involve, you know, ICTS that may be owned, controlled, or subject to the direction of a foreign adversary, and those foreign adversary countries are listed out.

The FCC as a regulator can address many of those issues, even if it doesn't involve directly foreign investment. And, you know, an example I'll give is a recent settlement we entered into about a month ago with AT&T involving a supply chain breach, a vendor of theirs. And that's where, you know, AT&T is a U.S. domestic company, so it's not going to be subject to review under CFIUS or under Team Telecom. But what we saw in our investigation is AT&T has the same global supply chain as other companies that have foreign investment or ownership. And thus has the same or similar vulnerabilities when it comes to supply chain.

And so because of the global supply chain footprint, the expanded attack surface for bad actors to exploit those vulnerabilities, we focused on that in a way that the other apparatuses, the other foreign investment national security apparatuses, couldn't. And when you look at that settlement that we entered into, you see very specific terms that go to third party vendor management, making sure that third party contractors or vendors are protecting the data consistent with the FCC’s statutes and regs.

And you know, we also included things such as data retention requirements, data inventory. In many instances, you know, why are you keeping this information? Do you even know the breadth of the information that you're keeping as a company? So, you know, I think, hopefully that, to bring it back to your question, Brandon, shows as, you know, these things started off about 2018-ish. Today they've evolved to be able to address these issues holistically.

Brandon Van Grack: So let's dive a little deeper into some of those, like, and I'm going to start with Team Telecom, which is probably dear to your heart based on your experience as well with the Department of Justice and to mine as well from some of my time there. And we've mentioned it, CFIUS— and to remind everyone that that's the Committee on Foreign Investment in the United States— and when you talk about foreign investment, that is oftentimes the committee that is sort of the regulatory body that often comes to mind.

I'm wondering if we could just spend a moment talking about the differences. Why would one matter be before CFIUS? Why would sort of a matter be before Team Telecom? And also just, there's also I think a difference in terms of how you all assess and also sort of enforce in that space.

Loyaan Egal: So Team Telecom and CFIUS: I always referred to when I was, when I was overseeing the Team Telecom portfolio as being the cousins that didn't get the same attention that CFIUS received.

And that was for specific reasons. CFIUS had been around much longer. CFIUS was operating under statutory authority, whereas Team Telecom at the time was a ad hoc informal committee, led by DOJ, as the unofficial chair of Team Telecom, but with no specific authorities. And so, you know, in many instances there was frustration from the private sector that something would go to Team Telecom for a review and it would take years. In fact, a former FCC commissioner, Michael O'Reilly, referred to Team Telecom as the black hole.

So, knowing all of that, CFIUS, being a much more established with statutory authority, had the ability and capabilities to do reviews in a way that Team Telecom could not. And that was a big impetus as to why the Executive Order 13913 formally establishing Team Telecom as a committee. Unfortunately, it was named the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector, with this very unfortunate acronym of CAFPUSTSS. So you will see people still refer to it as Team Telecom, and you know why now.

That then gave—

Brandon Van Grack: Well, that's like the Information and Communication Technology and Services: I like to call it ICTS. Executive Director Cannon did not, did not take to it immediately, but-

Loyaan Egal: Yeah, I won't join on that one.

Brandon Van Grack: Okay, okay, fine.

Loyaan Egal: But with Team Telecom I think it finally got the teeth it needed. It formalized the review process. It elevated DOJ to be the chair of the committee. So before that, you know, if there was a very complex matter and you know, I'll give an example: there was the major merger between, you know Sprint and T-Mobile, back in 2018.

That went to Team Telecom for review. And Team Telecom stated that it wasn't going to make any recommendations. And recently, CFIUS has mentioned, you know, some enforcement action that's taken in that space. That's to say, something of that magnitude, Team Telecom would not have been the best place to have that review conducted. That's not the case today. And where, what you've seen is with the China Mobile in 2018, before Team Telecom was established, over to China Telecom, over to the submarine cable matter, I mentioned Pacific Light Cable Network, you've seen this evolvement of the aperture and the capability.

And the other thing that differentiates Team Telecom from CFIUS, is CFIUS is confidential. So really, the only people that know about the transaction are the entities involved and CFIUS, right? Whereas Team Telecom, because it's making a recommendation to the FCC, and in many instances, that recommendation, when it results in a mitigation of risk that’s been identified, or when it results in a recommendation to deny a license application, that’s public. It's on the FCC's docket.

And so I usually tell people, if you want to know what the interagency is thinking of, as far as it comes to risk and how to mitigate risk, look at the Team Telecom mitigation agreements which are publicly available, which condition grant of the license that the FCC is going to give on compliance with those mitigation agreements. You will see in those mitigation agreements terms. You will see approaches that are consistent throughout the interagency.

And again, CFIUS has a broader scope of areas that it gets to review, right? Team Telecom, as stated by its name, is limited mostly to telecommunications-related issues. And so while not as wide as CFIUS for purposes of what it can review, it is very deep, because I've mentioned all of the things that the commission regulates. So, many of the issues that Team Telecom deals with, the companies that are coming before Team Telecom, I've stated that these are what I call foundational technologies. These are technologies, whether it was 5G, whether it's submarine cables, whether it's satellites. These are, these are technologies that other technologies rely upon, right? So when you think about artificial intelligence, it has to be able to operate on a network, right? And so that's where Team Telecom addressing risk comes into play.

Scott R. Anderson: So we already mentioned one of the big substantive issues that has gotten a lot of public attention after decades, maybe a century of getting not enough attention, is finally beginning to break through to the public eye, and that is the issue of underseas cables and the huge array of issues that arise out of that from a national security perspective, in addition to economic policy and everything else.

You've already mentioned those as one of the big areas and it's an area where we've seen a lot of activity recently in the interagency. It’s also kind from the FCC from related enforcement actions. Talk to us about why these are an increased focus at the FCC and, and with the broader U.S. government and what ways that focus is manifesting.

Loyaan Egal: One thing to note about submarine cables is that the statute that, that addresses it, it's from 1921. It's the Cable Landing License Act of 1921. So, to think about what cables provide today, the connectivity. I mentioned 99 percent of information and data across the world traverses through submarine cables under the ocean.

And there's been a big shift in the use of cables and who's actually procuring their use. Traditionally, it was the telecom companies that were the ones that owned the submarine cables. What we've seen in the last 15 to 20 years are the hyperscalers. These are the companies, for instance, Google, Facebook, Amazon, Microsoft, have become the predominant entities that are now building these submarine cable connections. And the reason for that is, main reason for that is that they're connecting data centers across the world, globally.

And the technology of the submarine cables has evolved to a place where the capacity of information that can traverse and the speed with which that information can be communicated has grown exponentially. So, therefore, the value of these submarine cables has become just basically, for lack of a better term, the value’s come through the roof with regards to what role they play and the import with which countries view them.

The other thing to think about when it comes to submarine cables is they physically connect the United States to other parts of the world, right? So just at a visceral level, you're connecting the United States to another country through a submarine cable. And so, something like that requires the United States to be involved in making sure that that connection is something that is not harmful to the United States.

So the FCC has been delegated authority by the president. That statute, the Cable Landing License Act, is actually a statute that authorized the president with that authority. The president at the time, Eisenhower referred that or sent that, delegated that authority to the FCC and now the FCC handles all of the licensing that comes with that.

The matter I mentioned in 2018, the Pacific Light Cable Network, that was a cable landing license application that was seeking to connect the United States directly to Hong Kong, via Taiwan. And what was important about that connection at the time was that there were other applications pending that were also going to be direct connections between the United States and Hong Kong. And for U.S.-Asia-Pacific connections, there are three major hubs: Japan, Hong Kong, and Singapore. Those connections, had they gone through Pacific Light Cable Network specifically, would have elevated Hong Kong to become the dominant hub between U.S.-Asia-Pacific communications, including communications that were destined for third countries, beyond Hong Kong or Taiwan.

So all of that was laid out in the recommendation that, that Team Telecom made to the FCC, specifically saying that the FCC should grant the connection between the U.S. and Taiwan, but not to Hong Kong and laid out all of the reasons for that. And actually, that recommendation, which I was privileged to work on, was before all of the national security rules laws came out, you know, making Hong Kong much closer to People's Republic of China, mainland China. Therefore, it was the first instance of describing, and again, this was a publicly available document that described the risk, the national security risk associated with those connections.

Since that time, submarine cables, for the reasons I articulated, have become geopolitical issues, right? Where are these cables being connected? It was important for the companies that are doing these connections to have some kind of certainty, because these, as you can imagine, are very complex projects to lay submarine cables across the ocean. So, you have to have a multi-year window about where you want to make that connection, what process approvals you're going to go through, to get that. It's not just the United States, it's also the other country that, or countries that the cable is, is going through. So these are very complex decisions, right? And so, we wanted to make sure that industry had an understanding of what was acceptable risk for the United States when it came to those connections.

Now coming to today where the Enforcement Bureau plays a role in that. Earlier this year, we announced a settlement with entities, Latin and PRTC, that had a submarine cable called AMX-1, a submarine cable system. They had made connections to Colombia and other Caribbean countries, but had not gotten approval from the FCC to make those connections.

We became aware of that and started to do our investigation and eventually we entered into a settlement agreement with them where we laid out that those were unauthorized connections that should have gone through the Team Telecom review process. There was not any mention in the settlement about, you know, foreign adversaries or concerns about where the connection was going. It was just for the simple principle that any connection to the United States or any connection to another country that's going to connect to the United States should go through the national security risk review process.

And so, by issuing that settlement, I think we sent a strong message so that when these transactions are happening, people are thinking about them, they're front of mind, you know, on the front end. Have we gotten the requisite approvals? Have we made the connections we need to make?

Brandon Van Grack: So now moving to the supply chain, and it really seems like the supply chain in really the last four or so years has become a major focus across, across the U.S. government, and you've mentioned it in a few instances, and wondering, sort of aside from the undersea cables piece, now focusing on the supply chain, what are the touch points?

And if I could just sort of highlight a couple things that I think you've already mentioned and to elicit, one is, you know, you talked about a covered list and the U.S. government loves lists and so part of the question is, why do we need another one? Like what is the significance of that covered list? And then the second piece is, the aptly named ICTS office in the Department of Commerce that we talked about, they obviously play a role in telecommunications and supply chain as well, and so maybe you, sort of using those two places as sort of a launching pad to talk about what you're doing in that space.

Loyaan Egal: So supply chain is broad, especially when you're talking about telecom companies, communication companies. The amount of contractors and other companies they need to use to provide services can be exhaustive. So how do you assess that? How do you allow companies to provide the services that we've all become accustomed to in a way that's not antithetical to U.S. national security interest.

So coming to the covered list, you know, I think Congress, when it decided to do the cover list, it was on the heels of the China Mobile recommendation and the executive orders that had come out and a recognition that there needed to be a, one place that everyone could look at to see where are companies that we should avoid for purposes of being inconsistent with U.S. national security interests. And so the FCC was tasked by Congress as the holder of that list.

Now, as I mentioned before, the FCC cannot actually put companies on the list. It has to be able to get that from other bodies having made determinations that certain companies are national security risks. And I use the example of the, you mentioned, you call them ICTS, I'll refer to them as ICTS, recently listing Kaspersky antivirus, antiviral maker as a risk. That then, resulted in or allowed the FCC to place Kaspersky on the covered list.

So I think the thought there was there's one area, one place that industry can go to when it's making procurement decisions, when it's trying to assess, you know, where it should do business, right? Because they also want to be able to do it in a way that, you know, limits costs for them and for their consumers. And so having a list available to point to and to be able to tell your C-suite executives why you should go with this company versus that company, I think it’s very helpful.

As far as the office of ICTS that's been established in Commerce that's responsible for doing the enforcement under the executive order: we have not worked with them directly yet. We have established relationships with them. As you mentioned, Liz Cannon oversees that office. Worked with her previously at, National Security Division at DOJ. But we think there are going to be plenty of opportunities for us to work together.

And, you know, an example of that will be, for instance, if we come across certain equipment that we've seen in one of our investigations, which for whatever reason is not complying with either statutory or regulatory requirements, that might be, for us, based on our investigation and based on the fact that we have people that can do you know, national security risk assessments, we may be able to make referrals to that office for it to do further assessments about the risk associated with that equipment.

So it's, almost a bit of a, right now it's a one way street where they take action and they end up on an FCC covered list, potentially, the company does. What we want to establish, through, you know, our work at the Enforcement Bureau when we're doing investigations is, if we come across potential equipment that we think could be harmful to U.S. national security interests being able to make referrals over to that office and see if that is something that, you know, they can take on under their authorities.

Scott R. Anderson: So, a kind of final area with our time together, we should touch on and talk about that. It's already been raised. The focus is the question of cybersecurity, including data privacy issues. You've already mentioned a few times the privacy and data security task force that's been set up that you're helping to lead. And we've seen a lot of enforcement action in this space in the last few years. Talk to us a bit about how this is fitting into the national security picture and why we're seeing the spike enforcement activity, this new task force. What is the strategic vision about what role it's going to play looking forward?

Loyaan Egal: So, I think one thing we could look at and FCC's statutory authorities under the Communications Act. The telecom industry is one of the few industries similar to the financial sector and the health sector where there are specific statutory requirements for protecting sensitive data.

And that arises from the fact that, you know, to provide you that service, that communications, telecommunication service, they need to have access to certain sensitive data. So therefore, they are, you know, restricted in many ways, statutorily and regulatory perspective. They are restricted in how they can use that information.

And, you know, I'll refer to what's known as CPNI, Customer Proprietary Network Information. I view that as the metadata of your calls, right? It's not the content of the communication. You know, it doesn't talk about, you know, what you were saying in a conversation. But it provides information about your location, your call plan, your call detail records: who did you call? Where did you call? How long did you speak? These are all sensitive data that would be very valuable to bad actors and to threat actors. So, telecommunication companies have very specific requirements that they must adhere to.

And so that is an area that we have focused on when we're looking at data breaches. You know, are these companies adhering to those requirements? An example of that is the commission took recent action about a year or so ago with regards to location data, where it issued forfeiture orders against, at the time, the four major, now three, because Sprint and T-Mobile have merged, where those companies were allowing other companies to have access to customers’ data. And so we issued a significant forfeiture order. That issue is currently being appealed. But that was an example of an action there, in the privacy side.

To the data protection cybersecurity side, as we've looked at these investigations, you know, we look at privacy, data protection, cybersecurity, as three separate disciplines, with significant overlap. So when we're looking at data protection, we're looking at: are you protecting this information, the CPNI, consistent with the regulations? Are they reasonable steps that you've taken to protect them? We know breaches are going to happen, right? If you have sophisticated, determined threat actors, a breach is going to happen. But the protections you had in place to protect that sensitive data, were they reasonable? And then your network, right? The network that housed that sensitive data, the protections you had there, were those reasonable?

And so, what you'll see in these recent settlement that we've announced is some of the methodology, the disciplines that are applied, for instance, in Team Telecom, when Team Telecom's trying to mitigate risk you'll see that in these consent decrees that we've entered into. So, things such as I mentioned previously: data retention, right? Why are you holding on to the data? How long are you holding on to the data? Do you have a business reason to continue to hold on to that data?

Data minimization. Should you be collecting the amount of information you're collecting to provide the service that you're going to be providing? Your supply chain oversight: are you making sure that your vendors are adhering to the same requirements that you're responsible for adhering to, right? So those are reflected in many of these terms that we've entered into.

In addition, we've taken things, you know, things such as NIST requirements, right, as guidelines for these companies to follow. That is something that the Team Telecom agencies, you'll see in many of their mitigation agreements, right? So we've brought that into this space as well.

So I think what you've seen is with the telecom companies being high value targets and the value of their data being because it's, I describe it as tier one data, right? It's your pattern of life information. Who are you talking to? Where are you when you're talking to these people? Who's in your plan? You know, who are your family members? That is information you can't necessarily get from a breaching, you know a bank per se, right? Or from a healthcare company. So because of that value of that information we are proceeding in a way to make sure that these telecom companies understand the necessity of protecting that information and as well protecting the networks that that information is housed on.

Scott R. Anderson: So, before we wrap up, let's take a look to the future. Obviously, you've seen a real trajectory in the FCC’s work over the last decade and we're not done there. It's going to continue growing, evolving, changing in response to the rapidly changing terrain of the telecommunications industry and technology that it's operating on and national security terrain that's operating on.

So what are you looking at in the next few months and next few years? Where do you think the FCC's work is headed? And what are some of the issues, emerging issues that you're got your eye on as the things that FCC is going to have its eye on moving forward?

Loyaan Egal: We're going to continue to prioritize the work that I mentioned before, making sure that telecommunication companies are hardening, you know, their vulnerabilities, making sure that they're protecting sensitive data consistent with statutory and regulatory requirements and making sure they're protecting people's privacy, not using their information beyond the need to provide the service that the customer is expecting to receive.

But other areas that we're also going to focus on include a lot of the work we're doing in the robocall space. And, you know, when I came back to the FCC and, you know, heard that, you know, robocalls were the number one consumer complaint issue that the FCC receives. You know, having been in a SCIF for four years, I was a victim of robocalls, but it wasn't something I thought about, you know, from a national security space. But as I've worked on that issue, I see the through line between the work we're doing in the data protection cybersecurity space and then the illegal communications, unlawful communications that are targeting the public.

So, for instance, if a data breach occurs and, you know, bad actors are able to get sensitive information that allows them to then target you more precisely when they try to phish you or send you a smish, you know, a text message where they're pretending to be someone else or if they spoof a number where it comes across as a number of someone you know, because they've hidden the actual number they're calling you from. You add to that now generative AI and the ability to clone voices. And so that is a significant area of concern for us and an area that we're focused on.

And just this year we've taken enforcement actions, including one that involved election interference in the primary in New Hampshire in January of this year, where a political operative spoofed the phone number of someone else to be able to direct calls at voters. And then used President Biden's voice, including a phrase that many people are familiar with President Biden using, what a bunch of malarkey. Sounded just like the president asking people to hold their vote in the primary and hold it till November. And so we moved quickly, being able to use our authorities to identify the traffic, where it was coming from. Then from there, we were able to identify who was behind the actual calls. And it allowed us to then take that traffic down and bring enforcement actions.

And so an area of focus for us has been know your customer in that space, making sure that telecom companies that are carrying traffic know whose traffic they're carrying. Also, know your upstream provider. An area that we're focused on is communications fraud as a service. Making sure that, you know, cyber criminals are not taking advantage of the U.S. communications infrastructure to then look legitimate when they're targeting you with, you know, spoofed calls or trying to defraud you. So that is an area of focus for us. It's also an area that's allowed us to work more closely with our international partners.

An area that I think, you know, you don't necessarily see the connection between national security and robocalls, but, you know, three major foreign adversaries have interest, whether it's Taiwan, Ukraine, or what's happening in the Middle East. If those threat actors, sophisticated threat actors, are able to target people with generative AI voice coining technology, spoof the number to make it look like it's coming from someone you trust, you can imagine, you know, what that could, the result of that could be. So again, that's an area of significant importance for us.

Scott R. Anderson: Well, that brings us to the end of our time today, but Loyaan, thank you so much for joining us here today on the Lawfare Podcast.

Loyaan Egal: Thank you, Scott. Thank you, Brandon. Appreciate it.

Scott R. Anderson: The Lawfare Podcast is produced in cooperation with the Brookings Institution. You can get ad-free versions of this and other Lawfare podcasts by becoming a Lawfare material supporter through our website, lawfaremedia.org/support. You'll also get access to special events and other content available only to our supporters. Please rate and review us wherever you get your podcasts. Look out for our other podcasts including Rational Security, Chatter, Allies, and the Aftermath, our latest Lawfare Presents podcast series on the government's response to January 6th. Also be sure to check out our written work at lawfaremedia.org. The podcast is edited by Jen Patja, and your audio engineer this episode was Cara Shillenn of Goat Rodeo. Our theme song is from Alibi Music. As always, thank you for listening