Lawfare Daily: Peter Hyun on the Tech Supply Chain and National Security

[Intro]

Peter Hyun: Although most states have breach notifications rules, there haven't been many federal level breach notification rules, as you had mentioned, and it makes sense that because we regulate critical infrastructure, we'd want this sector to have a rule such as this.

Justin Sherman: It's the Lawfare Podcast. I'm Justin Sherman, contributing editor at Lawfare with Peter Hyun, at the time of recording and now previously, acting Chief for the Enforcement Bureau at the Federal Communications Commission.

Peter Hyun: The telecom sector is one of the ripest targets for threat actors all across the world, and it is because telecom carriers and those whom we regulate carry such private pattern of life information.

Justin Sherman: Today we’re talking about the FCC's data privacy, cyber security, and national security authorities and how they fit into the future of technology supply chains and U.S. national security.

[Main podcast]

We've got plenty to cover today as usual, so we'll start with what I always like to ask of guests—which is especially interesting in our world of cyber and tech and policy and law—which is how folks got started in the first place and arrived at where they are today.

So perhaps you can start by briefly telling us a little bit more about your background and then more about your current role.

Peter Hyun: Sure. Thank you for having me again, Justin. I guess I'll start with my work in the feds, without going all the way back. But I became an assistant U.S. attorney in the Eastern District of Virginia, right across the river here in D.C. in Alexandria, primarily working on civil fraud cases, cases ranging from health care fraud, government contracting fraud—say, for example, where there might be contractors who had worked on building out an agency's infrastructure and there were fraud allegations, et cetera. And so I developed a pretty extensive expertise there with respect to those kinds of white collar fraud cases and then started to work on a series of parallel criminal and civil fraud cases.

And then in 2015, I went to Capitol Hill where I eventually became chief counsel to the late Sen. Dianne Feinstein from California, who was the chair of the Intelligence Committee at the time and who had co-authored the Cybersecurity Information Sharing Act. And I worked on the judiciary side of her staff, working on a wide range of issues, everything stretching from the Stored Communications Act, reform efforts under the Electronic Communications Privacy Act, money laundering, cybercrime, ransomware, illicit finance.

And again, just going back, this was in 2015. And this, so I had joined right before the 2016 OPM hack. So, my time on Capitol Hill was very rich covering just a broad range of issues. I then returned to private practice and returned again to the government to the federal government, 2021, where I worked at the Justice Department, where I wore two hats.

One hat was, the first hat was when I was in the associate attorney general's office, where I served as chief of staff overseeing seeing 13 of the main litigating components at the Justice Department. And then I led their legislative affairs office, and during that time, there were bills like CIRCIA or having to do with cyber incident notification moving through Congress, as well as 702 reauthorization.

From there I did a short stint at the transportation department, working to build out their congressional oversight practice, and then most recently I joined the FCC Enforcement Bureau here, working on the national security portfolio and then becoming the acting chief of the bureau.

Justin Sherman: Much to dig into there, but I think we'll just start with the range of, of topics we'll cover today across tech supply chain and national security across privacy and subsea cables and other issues.

Come back to, first and foremost, authorities. So, the FCC has a number of authorities across these issues that will impact the enforcement issues we'll talk about, the risks we're going to talk about. And so can you start by just giving us a high level overview of the FCC's key authorities related to tech supply chains and national security?

Peter Hyun: Yeah, absolutely, and I'm glad you asked. We—so we regulate the communication sector and that stretches from underneath the ocean, submarine fiber optic cables that physically connect the United States to the rest of the world, and through which approximately 99 percent of global voice and data services traverse, all the way up to outer space when it comes to satellites. Our regulated entities include telecom, mobile, wireless carriers, radio, and TV broadcasters, which is probably what we're most, most conventionally known for in the public, but also satellite infrastructure, and as I mentioned, sub submarine cable infrastructure.

And the sector itself is also what is known in national security parlance as critical infrastructure. It is in some respects the critical infrastructure that other critical infrastructure sectors rely on. So whether you're talking about the financial sector, the energy sector, the healthcare sector, or what I was also familiar with, the transportation sector, all of those rely on the communication sector and so we have this broad expertise but also authority in each of these broad ranges of areas.

And to get more narrow to address the topic of supply chain risks, I can name just a couple of specific tools. The first authority that likely comes to mind probably for your listeners is what's known as the covered list.

Now the covered list. It actually comes from a law that was enacted in 2020 called the Secure and Trusted Communications Networks Act. And it was legislation that was intended to protect American communications networks from threats posed by foreign suppliers, such as Huawei and ZTE.

And I mentioned, you know, joining Capitol Hill in 2015. Back in 2012, the House Permanent Subcommittee on Intelligence had actually done an investigation into some of the threats posed by foreign suppliers including Huawei and ZTE. Well, that act also directed the FCC to publish and maintain a list of equipment and services that pose a national security risk.

Now, there were other, other components to how it actually did this and what the effect of that would be, but the law barred the use of certain federal funds to both obtain communications equipment or services on the covered list. But it also created a reimbursement program to assist carriers in removing and replacing the concerning equipment and services from our nation's networks.

Now, the second sort of supply chain authority that I'd like to highlight is also that the Communications Act authorized the FCC to adopt regulations that govern the interference potential of devices capable of emitting radio frequency energy. So this really covers most electronic devices, from a microphone to an iPhone or even if you look at your Bluetooth earbuds, the smart camera you use when you're at home. The rules require RF devices to receive an FCC authorization before being imported or marketed in the United States.

So this is kind of the scope of some of the authorities having to do with national security risks and in particular supply chain.

Justin Sherman: The mention of the cover list, I appreciate as well, given how much that, of course, has been in the news lately vis-a-vis China and other security concerns.

So let's dive then further, because at Lawfare here, we love the law and we love getting deep on legal authority—let's dive further into some of these specific authorities that, at least I would argue, are more and more relevant by the day.

So the first would be privacy, telecom networks as you mentioned within the FCC's remit carry tons of data and information today. So what authorities does the FCC have with respect to the privacy of that customer information? And how have we seen those authorities holding up or not holding up with 5G, with more software driven networks, and so forth?

Peter Hyun: Thank you, Justin. Yeah, because as I mentioned, the FCC, as a sector specific regulator focused on critical infrastructure, we kind of wear two hats when it comes to privacy.

One, like other privacy regulators, we actually—our privacy authorities also have a consumer protection mandate. So that's on the consumer protection side but we also have again this sector specific regulator role with respect to critical infrastructure.

And the reason why I just identified that nuance is because all of the authorities that we use and through the lens in which we try to employ them or have tried to employ them is by looking at both of these dual sort of missions to protect consumers and also again to focus on protecting critical infrastructure.

Now, the actual authority that I wanted to mention is Section 222 of the Communications Act and the commission rules that we've adopted since then, which affirmatively prohibit carriers from permitting unauthorized access to telecom customers’ data and requiring carriers to also take reasonable steps to protect telecom customer data. This includes what's known as CPNI, or Customer Proprietary Network Information. So, the statute defines CPNI, and there's a technical definition in the statute that it covers.

Justin Sherman: I won't make you recite that word for word. It is an interesting definition. I certainly know I've had many conversations with your colleagues about that in recent years.

So related to that, right, we sort of touched on privacy there. There's also a data security element, of course, to all of the data traversing and held by telecommunications companies. So on that front, the FCC, interestingly, is one of the few federal agencies with a breach notification rule. So what does that rule say and to which kinds of data does it apply?

Peter Hyun: Thanks for asking that. And I, if I could just mention also when it comes to the consumer protection side, one dissimilarity is that the FCC doesn't have to prove consumer harm, which brings us again now to our current data breach notification rules.

So the current notification rule is found at Section 64.2011 of the rules and today, I'm only going to talk about the current version of the rule in effect today. I won't go into, there's, there's pending litigation, etc. But the current rule has been in effect since 2007.

And what that rule requires is that as soon as practicable and no later than seven business days after a reasonable determination of a breach, the telecommunications carrier should notify law enforcement, which includes the Secret Service, the FBI, through an FCC portal. And after that carrier has completed notifying law enforcement, there's an obligation to also notify customers of breach of that customer CPNI.

So although most states have breach notifications rules, there haven't been many federal level breach notification rules as you had mentioned. And it makes sense that because we regulate critical infrastructure, we'd want this sector to have a rule such as this, because when such a breach happens, carriers must have a plan to act quickly, it's consistent again with the statutory text that I had mentioned earlier. And a key part of any incident response is to timely notify regulators. And so what this rule does is it keeps carriers accountable to ensure that they have timely incident response in place.

Justin Sherman: That's a perfect segue. We're talking about notification of, of incidents and potential issues. When it comes to then acting on these authorities, the FCC has repeatedly taken action in recent months in response to data breaches at major commission regulated entities. This draws, of course, on some of the authorities you just described. What have some of those enforcement actions been and what have been the consequences or results for companies and people whose data was impacted?

Peter Hyun: Yeah, so actually last year in 2024 was an incredibly busy time. All through the year and then through the summer, the Enforcement Bureau had entered into six consent decrees mandating changes to companies’ privacy and security practices through various adopting orders.

One sort of class of those consent decrees involved consent decrees involving all three major carriers, AT&T, T-Mobile, and Verizon, which was on behalf of Tracfone, who then committed to changing their privacy and security practices through the resolution of those investigations and consent decrease.

So I think in no small part, I think the team has been hard at work not only doing the fact finding, but also trying to work out how we can, for example, ensure that events like these and the incident responses are done responsibly and in accordance with both our rules and the law.

And I just like to note that even, for example—and I know what has been in the news quite recently—is some of the threats with respect to the intrusion by Salt Typhoon, that among the major carriers, it was interesting to note that in late November, T-Mobile itself had specifically touted its detection and hardening against intrusion by Salt Typhoon.

And if you look at that press release and you take a close look at it, and you take a look at some of the changes that were committed to within that statement, they are actually also mirror some of the changes that we had resolved with t mobile after a direct and lengthy investigation and negotiations that culminated in September of 2024 with a consent decree that we had entered with the company now placing the company under FCC order.

We had mandated significant cyber security changes, and those changes included things such as fishing, resistant, multi factor authentication and zero trust and network segmentation as well as improved logging and monitoring to again, to prevent intrusions and asset inventories, to know what is on their network and to remove them when they're not needed, as well as data minimization because the most secure data is a data that isn't being kept.

So these, I think that these changes, which were the result of really a lot of fact finding investigation, but also negotiation and, and through the consent decree had brought forth real changes. And I think we're quite proud to see that the investigative and enforcement authorities that we have surgically and effectively tried to use would set the bar for telecom companies to improve current security practices all across the board.

Justin Sherman: The point about you don't collect it, it can't be hacked—always a good one.

The FCC, on top of some of these authorities you've mentioned, also has the power to issue first time penalties. And so whether or not in a data breach context, I'm wondering if you can talk to us specifically about what that means to be able to issue first time penalties. And in practice, what does that mean for companies and what the FCC can achieve in carrying out such fines?

Peter Hyun: I'm glad you mentioned that nuance because that is what makes us dissimilar than what is another consumer protection independent agency, the FTC.

We don't have limits on seeking civil penalties for first time offenses. And again, looking at through the lens of both the obligations conferred on the Communications Act, the penal provisions under the Communications Act for which we can hold accountable the telecom providers when there are violations of the Act or its rules—it, it helps enhance both our enforcement authority, but also compliance going forward.

And as I mentioned, and I know I had spent some time just to talk about the T Mobile case, but I think you saw this in other contexts also. I had mentioned six consent decrees. We also entered a consent decree with AT&T involving a vendor cloud environment that had exposed CPNI. And the agreement was, you know, had bespoke terms that had been agreed to with respect to that breach, but it also highlighted the increasing threats and vulnerabilities with respect to third party vendors.

And the fact that telecom, the telecommunications sector and that carriers use a number of third party vendors, vendor management is a big concern. And so this consent decree that was entered into that was associated with an additional 13 million dollar penalty was one that was significant for us to obtain.

We also obtained another one with a TracFone Wireless, which I had mentioned involving data breaches involving what are known as APIs or application programming interfaces, which is a common attack vector for threat actors.

In that case, we also similarly obtained a monetary penalty in the amount of $16 million, but also had an agreement that Verizon Wireless would implement enhanced protections against subscriber identity module swaps and port outs or SIM swaps, which is a growing concern as well, or implementing a comprehensive information security program and also conducting independent third party assessments of its information security program.

Justin Sherman: The API piece, the cloud vendor piece—another good segue. As you noted, these all relate to third party vendors and supply chains and the need to, for companies to think about supply chain security and resilience and for the government to do the same.

So let's, let's shift a little bit away from the authorities and more towards that supply chain topic. One of the critical components of the telecommunications supply chain is submarine cables. There has been a lot of interesting news around submarine cables recently with some cable cuts in Europe, for example, and there was a Senate hearing at the end of December as well.

Why are submarine cables important, for listeners who might not be familiar, and then what authorities does the FCC have over submarine cables?

Peter Hyun: Yeah, going to the first question, I would say even the testimony that you had provided—extraordinarily helpful background and really a great deep dive into submarine cables. And again, with respect to some of the, the question on the importance of it and, you know, why are they important.

I had mentioned again the amount of data that traverses across submarine cables. But a good, another good resource is what was in DHS's recent white paper on priorities for DHS engagement on subsea cable security and resilience. And it was released in December.

And again, it not only highlighted all of the data traffic that runs through submarine cables, but also made clear that subsea cables were essential because they were also supporting our growing demand for newer technologies, including cloud computing, integrating 5G networks, and they're necessary for data center computing and storage, and that is absolutely necessary for the AI boom that we are seeing today.

So as to the FCC's role with respect to submarine cables, well, section 34 of what's known as the Cable Landing License Act, it requires a license to land or operate a submarine cable directly or indirectly connecting the United States with a foreign country. Now that act gave the authority to the president, which was then delegated to the commission through an executive order dating back to 1954. I mention that year because of not only how long ago it was, but the act and the commission's rules require certain authorizations for when those licenses seek modifications, assignments, transfers of controls or renewals or extensions of these licenses.

And what the FCC does is, as with other FCC licenses, like what folks in the telecom space, commonly known as international and domestic Section 214 authorizations—the FCC, when making a licensing determination, seeks input as part of its determination in the public interest from the executive branch agencies that make up what is known as more formally the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector. It’s commonly known as Team TELECOM.

And what that committee does is it provides input on the national security, the law enforcement, foreign policy and trade policy, concerns for cable landing license applications. And the licensing portion of it, it actually rests not with our Enforcement Bureau, but with our sister bureau, the Office of International Affairs, which had formerly been known as the International Bureau in the FCC.

Justin Sherman: Really helpful context. Among those different regulated areas, there was one last year that stands out, a case the FCC settled with AMX-1, a company that was involved with a pre-existing cable system in the Caribbean.

What happened in that case, and is it significant? Because you just mentioned this, that the cable system was not an entirely new one, but a pre-existing one that had some modifications?

Peter Hyun: Yeah, the AMX-1 cable system, it connects the United States to several different countries in Central and South America. As you had mentioned, it was originally granted authorization by the FCC back in 2013.

But from 2020 to 2022, the affiliates of the entities known as LATAM and the PRTC constructed and placed into operation two new segments that actually connected the United States to Colombia and Costa Rica. And they did all that without seeking the commission's authorization first.

So, as you mentioned in May of last year, we investigated the matter and we resolved the investigations with LATAM and PRTC, with each paying a $1 million civil penalty and requiring implementation of a compliance plan so that it would prevent these kinds of failures from occurring again in the future.

And in addition to failing to obtain the commission approval prior to connecting these segments to the cable system, which alone is a major concern, one of the big hallmarks of the case was that the case involved the circumvention of the important Team Telecom review process, which I had identified earlier.

Now, we've borrowed the non notified transaction term from what's known as the CFIUS world—I think your listeners are familiar with CFIUS. But here when regularities engage in a transaction that requires prior notification or authorization from the commission, that is something like a sale or transfer of license or in this case the actual construction and operation of a cable system or a segment of it, and they do so without going through Team Telecom review, the commission is then robbed of the important national security and law enforcement risk analysis that actually goes into the commission's legal obligation for public interest determination.

So just like in CFIUS, these kinds of non-notified transactions, they raise the possibility that there might be or is an unmitigated national security and law enforcement risk, particularly when it comes to critical infrastructure like this, that again carries so much of the country and global data across networks.

Justin Sherman: That last piece is, is the data flowing, of course, again, an interesting one in light of recent concerns around that issue.

So, the national security risks in this area are not just about where our networks are connected to geographically, as you were just speaking about. The national security risks also pertain—to bring us back to one of your first points—what components and equipment are actually used in the networks, what's used to build them. And Congress at the end of this last year increased its funding allocations for the Rip and Replace program to reimburse American companies for taking certain kinds of particularly risky equipment out of their telecommunications network.

So tell us about the FCC's role in these Rip and Replace efforts, and what is the ultimate strategy or goal that this funding seeks to serve?

Peter Hyun: So, as I had mentioned earlier, back in 2019, 2020, the Secure Networks Act Had directed the FCC to publish and maintain the covered list. And as part of that, it created this this reimbursement program, which you mentioned—Rip and Replace, as it's commonly known—to assist carriers with ripping and replacing communications equipments that were provided by certain entities again that had posed a national security risk.

And up until recently, that program was underfunded. Congress had initially appropriated about $1.9 billion to assist in the effort. And in December, actually just several weeks ago, with the passage of the 2025 National Defense Authorization Act, Congress then authorized the commission to borrow up to $3 billion now from the Treasury Department to fully fund the reimbursement program.

So following that, the commission had announced in a public notice at the end of last month in December, that it would take quick steps to secure this funding through this new borrowing authority. Now, again, this is during the context of all of these additional revelations coming out about various intrusions to our communications networks. Now, once the commission's request is approved after that public notice, we will, the FCC will issue another public notice announcing the date on which that additional funding will be available.

Now, the, the goal here is really in the title of the original legislation I had mentioned. It's about securing our nation's networks and ensuring that the integrity of those networks are preserved. The additional funding in the reimbursement program will help remove equipment and services from our networks that again are deemed an unacceptable national security risk.

Now, from an enforcement perspective because other bureaus and offices were overseeing the program, et cetera, I will speak just from the enforcement perspective. I will mention sort of what we've done in the past, which I anticipate will currently involve close collaborations again, with colleagues in the other bureaus, including the Wireline Competition Bureau, which oversees the effort to make sure that the funding recipients are using the money for the appropriate reason.

We have what is known in the enforcement bureaus—one of our divisions is called the Fraud Division and the Fraud Division handles investigations into the potential misuse of funds for programs that the FCC oversees.

So it's particularly important that we maintain the integrity of that program, of the Rip and Replace program, designed to address known and ongoing national security risks in our networks. And so if we discover that there are violations related to how recipients are using those use funds, we have, and we will take action when appropriate.

Justin Sherman: Global supply chains—despite some of these efforts, and these are important efforts, but global supply chains in general in this space remain highly connected and interdependent, including with networking equipment.

How do you see that evolving in the years ahead, particularly with supply chain and national security concerns around China? Any predictions you want to make about either market trends or geopolitical risks vis a vis infrastructure like subsea cables or mobile equipment?

Peter Hyun: Well, I, I think I can maybe just fashion what some of the actions that we've taken somewhat recently, just to talk about where I think we're going.

And I think those inform some of that. And I think what we've tried to do is to use the authorities that we have at our disposal to respond as rapidly as possible to the evolving threat landscape. I think as your question even highlighted, the threat really is evolving at a scale and speed that is quite significant.

And I think what some of the legislation and the programmatic things that the FCC has put forward, whether that be through things like a carrot, like the reimbursement program or things like a stick with our equipment authorization rules and ensuring that those who violate those rules are penalized. We've also just tried to make a refresh to some of these laws that have, and the rules that have been on the books for quite some time.

So for example, the commission just announced the—and this was through our Office of International Affairs, which I had, is one of the other 17 bureaus and offices that we work closely alongside—we had announced a submarine cable NPRM just a few weeks ago that marked the biggest step to review and update the commission's licensing rules. And this had, it hadn't been updated since 2001, and this is an open proceeding, so I can't really discuss specifics, but it is just one of the many steps I think that the commission has taken over the past few years to support what has really been a whole of government approach to protecting national security.

Now I can also just say that with respect to the consent decrees and the adopting of orders that impose future obligations, I think some of the theory of the case that we have tried to make clear is that the hardening of our networks, it's incumbent on really not only mobile carriers and wireless carriers, but the fact is the telecom sector is one of the ripest targets for threat actors all across the world. And it is because telecom carriers and those whom we regulate carry such private pattern of life information about consumers, about individuals who might be targeted, whether you're talking about government personnel business personnel even kids in school, etc.

And the fact that there's an incredible scope of, I'll just say, vulnerable type targets for threat actors among the communications networks ecosystem, given the fact that the communications networks and the actual physical infrastructure is incredibly complex and involves not only, as I mentioned, migration to cloud computing and data centers, but also with respect to the use of vendors, that all of these areas need additional hardening. And I think that is where you will see the direction of both legislators in Congress, as well as regulators, as well as other law enforcement authorities here in the United States as, and abroad will be looking towards.

Justin Sherman: To deviate just briefly, because I think you, I mean, you made a number of interesting points, but one in particular, it sounds like, is it your sense or perspective that the nature of the supply chain complexity today with national security risk with third party vendors, cloud and so forth, is it a continuation of things we've seen for decades? Or is there a qualitatively or quantitatively different type of supply chain and national security risk going on today.

Peter Hyun: Well, I think that what, and I think you saw this primarily, if you look, track back to what I had mentioned earlier. Like when I first joined Capitol Hill in 2015, and I joined the Senate Judiciary Committee, the range of authorities that were beginning to be enacted started to confer newer authorities to the executive branch to start addressing national security risks that hadn't been seen before. So things like, when it comes to critical infrastructure, with the enactment of these laws, the actual implementation of those authorities are becoming more mature and mature.

So Congress passed, for example, in 2018, and Dianne Feinstein was one of the co-authors of the Foreign Investment Risk Review Modernization Act that, again, expanded CFIUS's jurisdiction over transactions, particularly those with a focus on foreign access to critical infrastructure, including telecom and access to U.S. citizen PII.

And I mentioned again, 2019, you saw the Secure and Trusted Networks Communications Networks Act. You saw the, the reimbursement program and you saw just in, just last month, additional funding for the Rip and Replace program.

I think all of these kind of demonstrate that with policy makers, not only bringing new authorities for things like the covered list and new programmatic ways in which we can address national security risk that the executive branch in partnership with other authorities, both internationally and elsewhere, are recognizing that with the growing of these risks, these implementations need to be put in place faster.

So I will just say, even for example, you know, one of the things that I was looking at more recently is that even for example, our authorities under robocalls. And I mention robocalls because scam calls, because the, the threat of AI and targeting and spoofing calls and things like that. We have adopted new Know Your Customer requirements on providers who then have to vet their upstream providers.

And these Know Your Customer type rules—if you could borrow the analogy— comes from the financial sector, where Know Your Customer rules, they actually derived back from 1970 under the Bank Secrecy Act. But really even our robocalling authorities, they didn't come into place until 1991. And even our spoofing law, the Truth and Color ID Act—that didn't come into place until 2009. And we have been hard at work continuing to update the rules to make sure that they meet this moment.

And I think what you are seeing across the board, whether it's in Congress or in the executive branch, you are seeing a whole of government type approach, as well as the sharing of information and processes and, and also partnerships. Public and private partnerships are growing as well as with international partners to preserve the, the integrity of our communications networks, and again, enhance and mitigate national security risks to our, our, our communications sector.

Justin Sherman: Interesting. I agree with, with much of that, but, but good to hear your perspective on that. Thanks for joining us.

Peter Hyun: Thanks so much.

Justin Sherman: The Lawfare Podcast is produced in cooperation with the Brookings Institution. You can get ad free versions of this and other Lawfare podcasts by becoming a Lawfare material supporter through our website, lawfaremedia.org/support. You'll also get access to special events and other content available only to our supporters.

Please rate and review us wherever you get your podcasts. Look out for our other podcasts, including Rational Security, Chatter, Allies, and The Aftermath, our latest Lawfare Presents podcast series on the government's response to January 6th. Check out our written work at lawfaremedia.org.

The podcast is edited by Jen Patja, and your audio engineer this episode is Isabelle Kirby McGowan of Goat Rodeo. Our theme song is from Alibi Music. As always, thank you for listening.