
Why the FCC Expelled a Chinese Telecom for National Security Risks

Justin Sherman
Tuesday, December 7, 2021, 11:05 AM

The FCC issued an order barring China Telecom from providing telecommunications services in the United States.

The China Telecom building in downtown Panzhou, Guizhou, China. (Huangdan2060, https://tinyurl.com/4ra85ck2; CC BY 3.0, https://creativecommons.org/licenses/by/3.0/deed.en)

Published by The Lawfare Institute in Cooperation With Brookings

After months of investigating Chinese state-owned telecommunications companies for national security risks, the Federal Communications Commission (FCC) on Oct. 26 issued an order on one, China Telecom: It can no longer provide telecommunications services in the United States.

The decision renders China Telecom Americas—the U.S. subsidiary of the Chinese state-owned telecom China Telecom—unable to offer telecommunications services in the U.S. The FCC did at least three main things here: It kicked China Telecom out of the U.S. telecommunications market, it detailed specific national security and cybersecurity risks the company poses, and it more broadly signaled the U.S. government’s concern about Chinese technology firms under Beijing’s control. 

But the move also highlighted that there are many security risks at play with respect to certain foreign telecommunications companies, and mitigating one of those risks still leaves other risks in play. When Beijing-controlled telecoms reach into U.S. borders, the key is developing a robust, standardized national security review process focused on identifying discrete risks. The FCC rendered a decision beneficial to national security, but the U.S. executive branch writ large still needs other tools in its toolbox to mitigate the many distinct risks posed by foreign internet and telecommunications companies and technology.

The FCC’s decision gives China Telecom Americas 60 days after the order’s publication to discontinue all of its U.S. services. Specifically, it revokes the company’s Section 214 license, which international telecom carriers need to provide telecommunications services in the U.S. (The “Section 214” title comes from Section 214 of the Communications Act of 1934.) As required in 47 CFR § 63.18, this application for a license must include information such as details on individuals with equity in the application and certifications of the applicants’ affiliations with foreign carriers. The purpose of the licensing process is to protect the U.S. market against “potential anti-competitive behavior by a carrier with market power in a foreign country.” That said, the U.S. government has been reviewing previously granted Section 214 licenses for security risks. This decision follows an FCC proceeding to revoke the license launched in December 2020.

In its order, the FCC enumerated specific national security and cybersecurity risks that China Telecom Americas poses. It said the firm (unsurprisingly, as it is owned by a Chinese state-owned telecom) “is subject to exploitation, influence, and control by the Chinese government and is highly likely to be forced to comply with Chinese government requests without sufficient legal procedures subject to independent judicial oversight.” The order added that China Telecom Americas could be influenced into allowing Beijing to “access, store, disrupt, and/or misroute U.S. communications.” This is a reference to the Border Gateway Protocol (BGP), the internet’s “GPS” for traffic, which essentially operates on blind trust and is vulnerable to routine failure and manipulation. Chinese telecommunications companies have repeatedly exploited flaws in BGP to hijack and misroute reams of internet traffic, including from the U.S., through China.

Further, the FCC states that China Telecom Americas demonstrates “a lack of candor, trustworthiness, and reliability” in its U.S. government engagement; willfully violated previous letters of assurance (agreements that provide security assurances to the U.S. government, which the government can request when it assesses a risk); and would not be able to mitigate national security risks to the U.S. through changes to its operations. (In that scenario, the company could negotiate a mitigation agreement with the FCC, in which it agrees to take specific steps to address national security or law enforcement issues the government has raised—which could, for instance, be operational, technical or governance related.) The FCC concludes by noting that classified U.S. government assessments, not required to issue its revocation, nonetheless corroborate its conclusions.

Washington is continuing investigations into Chinese technology that began during the previous administration. This began in earnest in April 2020, when then-President Trump signed an executive order formalizing the previously ad hoc, interagency group that investigated foreign telecoms for security risks, Team Telecom, into a formal executive committee, titled the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (or, elegantly, CAFPUSTSS). Shortly thereafter, the Senate published a report finding that Team Telecom failed to protect the U.S. from national security risks posed by Chinese state-owned telecoms, due to a “broken” process that was not supported by enough money, personnel or authorities to remain effective.

Last September, the FCC announced changes to its application review process to increase transparency and better coordinate within the government, including on security risks. For instance, the FCC formally established a set of standardized national security questions to ask when screening a Section 214-licensed foreign telecom for security review. That said, it’s unlikely that the new process influenced the final China Telecom Americas review decision.

In terms of U.S. policy and Chinese tech companies broadly, the Biden administration hasn’t made nearly as much noise as its predecessor about Huawei, for example. But the administration is continuing the campaign against Huawei, keeping in place many Trump administration restrictions such as export controls through the Commerce Department. Additionally, President Biden has signed multiple executive orders to increase security reviews of Chinese technology risks as well as digital supply chain and data risks generally. All told, the FCC decision hardly stands alone in its reprimand of Chinese telecom groups.

This overall focus on Chinese technology threats is significant because the FCC is not finished with its reviews of Chinese telecoms in the U.S. In March, the FCC initiated a proceeding to revoke the Section 214 license of Pacific Networks and its subsidiary ComNet, both of which are “indirectly and ultimately owned and controlled by the government of the People’s Republic of China through a complex series of intermediate holding companies organized in Bermuda, the British Virgin Islands, Hong Kong, and the People’s Republic of China that are controlled by CITIC Group Corporation, a Chinese state-owned limited liability company.” An order for Pacific Networks/ComNet to terminate their services is likely coming soon. The reasoning the FCC publicly provides will give further insight into how the new FCC review process accounts for various security risks. It may also provide insight into how those risks are being weighed and if any risks are not getting sufficient attention.

This FCC order should be instructive for other parts of the U.S. government (agencies, committees and interagency task forces alike) responsible for assessing foreign companies or technologies for security risks. Other government agencies focused on cybersecurity and digital supply chain security (including Commerce, Homeland Security, Justice and Defense), as well as the Committee on Foreign Investment in the United States, should see these decisions as part of a bigger picture. Some countries pose more significant technology risks than others, but supply chain and technology trust decisions should not rest entirely on a company’s country of origin. In kind, a technology company can pose many risks to national security—whether a Chinese telecom spying on data or a U.S. data broker selling location data—and government action to mitigate one particular security risk does not equal a mitigation of every security risk.

For example, China Telecom will be able to misroute U.S. internet traffic through Chinese borders (for possible spying, delay or corruption) regardless of whether it has a subsidiary licensed to provide telecommunications services in the U.S. market. Certainly, China Telecom’s having a U.S. mainland presence both grows its direct reach into American internet systems and heightens the risk that the Chinese government uses that infrastructure for espionage. However, China Telecom can so easily misroute internet traffic due to fundamental vulnerabilities in core internet protocols, not the company’s presence in the United States. These attacks are a global problem: Other state-owned telecoms, including in Russia and Iran, manipulate BGP to misroute traffic as well. China Telecom has already been hijacking BGP from China—rerouting volumes of global internet traffic, including from U.S. government and private-sector organizations, through China for potential espionage—and it will likely continue doing so even if it does not have a telecommunications service in the U.S. Until internet providers worldwide better integrate encryption and other trust mechanisms into internet routing, the threat of China Telecom and other internet providers on the global network weaponizing those flaws persists.

Of course, this doesn’t mean revoking China Telecom Americas’ Section 214 license is not a beneficial national security move. It also doesn’t mean doing so has no effect on other cybersecurity risks (e.g., espionage within the U.S.); expelling the company could very well mitigate those risks. Instead, the point is that no single action can address every national security and cybersecurity risk posed by a technology company, product or service. It will take a more concerted approach across the U.S. government to better protect U.S. citizens’ data and the U.S. digital supply chain in the coming decades.


Justin Sherman is a contributing editor at Lawfare. He is also the founder and CEO of Global Cyber Strategies, a Washington, DC-based research and advisory firm; a senior fellow at Duke University’s Sanford School of Public Policy, where he runs its research project on data brokerage; and a nonresident fellow at the Atlantic Council.
