Ongoing Vulnerability from Foreign Technology

By CHHS Extern Kimberly Gainey

State bans on TikTok are all the rage, with Kentucky poised to join North Carolina, Wisconsin and at least 25 other states prohibiting use on state devices. The federal government recently expanded its ban, making it illegal to have TikTok on federal government devices, and nearly the entire US military has prohibited use on government-issued devices since 2020. Even if people comply with these bans, which may be lacking in Department of Defense personnel according to a recent Inspector General report, they may be drawing attention away from more serious, systemic vulnerabilities from foreign technology.

A recent op-ed by the CEO of CyberSheath, Eric Noonan, highlights a “pervasive and omnipresent” threat posed by China, discussing TikTok and Huawei. While not household names like TikTok, Americans should be concerned about Huawei and ZTE, another Chinese telecommunications provider. Huawei provides “information and communications technology (ICT) infrastructure and smart devices.” ZTE offers “wireless, wireline, services, devices and professional telecommunications services.” CNN reporting revealed that in 2012 Congress released a report advising people to view Huawei and ZTE “with suspicion,” and in 2013 Congress passed legislation preventing NASA and the departments of Justice and Commerce from purchasing information technology systems without approval from federal law enforcement. Further, in 2018 top officials from the CIA, NSA, FBI, and the Defense Intelligence Agency testified before the Senate Intelligence Committee about global terror threats including Huawei and ZTE. The 2019 National Defense Authorization Act prohibited executive agencies from using or procuring telecommunications equipment or services from Huawei or ZTE, which Huawei unsuccessfully fought in court. Huawei and ZTE attracted the attention of the Federal Communications Commission (FCC), which designated them as national security threats in 2020. That was a particularly bad year for Huawei, which was indicted for conspiring to violate the Racketeer Influenced and Corrupt Organizations Act (RICO) and conspiring to steal trade secrets from its’ “alleged long-running practice of using fraud and deception to misappropriate sophisticated technology from U.S. counterparts.” The following year, Huawei’s Chief Financial Officer entered into a deferred prosecution agreement (DPA) to resolve bank and wire fraud charges.

Despite these actions, Huawei represents a potential threat to sensitive military sites; CNN reported various potential threats in 2019 including:  carrying out Intelligence, Surveillance and Reconnaissance; shutting down service; sending out malign text messages; or launching a denial of service attack. Huawei’s cell phone tower technology “is widely deployed by a number of small, federally-subsidized wireless carriers . . . [and] [i]n some cases those cellular networks provide exclusive coverage to rural areas close to US military bases.” These threat concerns persist and could disrupt nuclear arsenal communications. According to CNN sources, “there’s no question the Huawei equipment has the ability to intercept not only commercial cell traffic but also the highly restricted airwaves used by the military and disrupt critical US Strategic Command communications, giving the Chinese government a potential window into America’s nuclear arsenal.”

The United States’ response to this threat is the Secure and Trusted Communications Networks Act of 2019, which requires the FCC to establish “a reimbursement program for the replacement of communications equipment or services posing [national security] risks.” The FCC received a $1.895 billion appropriation for this reimbursement program, under which small providers may apply for reimbursement for replacing covered equipment. Last July, the FCC reported a $3.08 billion funding shortfall and a plan to prorate reimbursement funding to eligible applicants in the first prioritization group, those with 2 million or fewer customers, resulting in a “pro-rata factor . . . [of] approximately 39.5% of demand.” Congress responded to the funding shortfall via the Spectrum Innovation Act of 2022 (H.R.7624), increasing funding for the Secure and Trusted Communications Networks Act from $1.9 billion to $4.98 million. The Spectrum Innovation Act passed in the House in July 2022, but stalled in the Senate Committee on Commerce, Science, and Transportation.

A few days after reporting the shortfall, the FCC announced the approved applications for the reimbursement program, citing the 2021 Supply Chain Order clarifying that the program covers communications equipment or services produced or provided by Huawei or ZTE. The FCC has drawn criticism from the Rural Wireless Association, a trade group representing many “rip and replace” program participants, for “slow progress” allocating funds. The FCC reports that, as of January 2023, just under $41 million have been approved in reimbursement claims, with participants “experiencing four main challenges in their efforts to permanently remove, replace, and dispose of covered communications equipment and services in their networks: (1) lack of funding; (2) supply chain delays; (3) labor shortages; and (4) weather-related challenges.” Perhaps if some of the political capital from the TikTok bans were applied toward Huawei and ZTE we would be able to resolve the first challenge: lack of funding.