October 20, 2021

Van Hollen, Wyden, Blumenthal, Durbin and Markey Ask FCC to Act on National Security Risks from Foreign Telecommunications Services Companies

Foreign Corporations Managing U.S. Wireless Networks Poses Major Risks to Security; Senators Ask FCC to Identify Foreign Service Providers and Identify High-Risk Firms

Senators Chris Van Hollen (D-Md.), Ron Wyden (D-Ore.), Richard Blumenthal (D-Conn.), Dick Durbin, (D-Ill.), and Edward J. Markey (D-Mass.), asked the Federal Communications Commission to take action in response to national security risks posed by foreign companies that manage and service U.S. wireless phone networks. 

Although the U.S. government has responded forcefully to risks from Chinese hardware manufacturers, including Huawei and ZTE, it has not yet accounted for risks from foreign companies that operate or maintain U.S. networks. Indeed, there is not even a comprehensive accounting of how many foreign companies provide such services to U.S. networks.

“It is a widespread practice in the wireless industry, particularly among small rural carriers, to outsource the installation and ongoing administration of networking technology to managed service providers, some of which are based in foreign countries. Many of these foreign service providers are subject to foreign surveillance laws, and as such, could be forced to abuse their access to U.S. networks to help foreign intelligence services spy on American subscribers,” the senators wrote to Acting Chairwoman Jessica Rosenworcel.

Van Hollen and the other senators asked the FCC to identify foreign managed service providers, and work with the Office of the Director of National Intelligence and other agencies to identify high-risk firms that could threaten U.S. national security.

The full letter is available here and below: 

Dear Acting Chairwoman Rosenworcel:

We write to urge the Federal Communications Commission (FCC) to secure U.S. telecommunications networks from surveillance threats posed by foreign firms that provide services to U.S. telecommunications providers. 

In recent years, the U.S. government has taken action to address the serious national security threat posed by U.S. telecommunications firms using hardware made by companies subject to China’s surveillance laws, such as Huawei and ZTE. But the surveillance threats to U.S. communications infrastructure are not limited to foreign-manufactured technology.

It is a widespread practice in the wireless industry, particularly among small rural carriers, to outsource the installation and ongoing administration of networking technology to managed service providers, some of which are based in foreign countries. Many of these foreign service providers are subject to foreign surveillance laws, and as such, could be forced to abuse their access to U.S. networks to help foreign intelligence services spy on American subscribers. In addition to the threat of compelled surveillance assistance, we are also concerned by media reports suggesting that managed service providers may be partnering with for-profit surveillance companies, creating the possibility that these companies could provide their authoritarian clients with trusted access to U.S. telecommunications networks.

This threat posed by foreign managed service providers has been acknowledged by both the President and his Director of National Intelligence (DNI). In January, DNI Avril Haines told the Senate Intelligence Committee that “remote administration and management of U.S. telecommunications networks by foreign companies could potentially threaten national security.” Earlier this year, President Biden signed Executive Order 14034 recognizing that “potential indicators of risk relating to [technology] include… ownership, control, or management… by persons subject to coercion or cooption by a foreign adversary.”

The previous administration showed no interest in requiring wireless carriers to observe even baseline cybersecurity practices. But you deserve credit for repeatedly speaking out about the failure of self-regulation and the need for the FCC to use its authority and work with its federal partners to secure America’s communications networks from national security threats. For example, in 2018, you told the Washington Post that “The FCC has been studying [cyber] vulnerabilities [in U.S. phone networks] for nearly two years. Enough, it’s time for the agency to get serious and come up with a real plan to make sure that our networks are safe and secure.”

The U.S. cannot hope to get serious about network security without addressing the risks posed by foreign managed service providers. There are currently no registration requirements for foreign managed service providers, meaning that no federal agency has data identifying which foreign firms are providing this sensitive function for U.S. wireless carriers. We urge the FCC to require wireless carriers to report their use of foreign managed service providers. The FCC, the Director of National Intelligence, and other relevant agencies should then work together to identify high-risk foreign managed service providers that pose a threat to Americans’ privacy and U.S. national security, and prohibit U.S. wireless carriers from outsourcing the administration of their networks to these high-risk foreign firms.

Thank you for your continued leadership and your attention to this important matter.