Cyber & Technology
Bans on Foreign Equipment in U.S. Critical Infrastructure
One executive order does not a trend make, but maybe two do. On May 1, President Trump issued an executive order banning the acquisition, importation, transfer or installation of any bulk electric power system equipment where the secretary of energy has determined, first, that the equipment was manufactured by a company controlled by—or subject to the jurisdiction of—a foreign adversary and, second, that the transaction poses an undue risk to the U.S. bulk-power system, economy or national security.
The order’s issuance signals that the administration’s efforts to purge from the nation’s telecommunications network any equipment made in China may represent a new approach to critical infrastructure in general. It also indicates how the “great decoupling” of China-U.S. supply chains, previously driven by trade war-induced uncertainties, increasingly may be cast in terms of cybersecurity and national security imperatives.
Banning Chinese-Made Equipment From the Telecommunications Network
Much attention has been given to the ongoing efforts aimed at telecommunications equipment made by companies in China, most saliently Huawei Technologies Company and ZTE Corporation. (A brief history of the growing concern and the toughening response is provided in a 2019 report and order of the Federal Communications Commission [FCC].) A key milestone was the 2012 report of the House Intelligence Committee warning of the counterintelligence and security threat posed to the telecommunications network by equipment made in China, specifically by Huawei and ZTE. The report recommended that U.S. government agencies and federal contractors exclude ZTE and Huawei equipment from their systems and strongly encouraged private-sector entities to do the same.
It took a while, but in 2017, in the National Defense Authorization Act (NDAA) for Fiscal Year 2018, Congress began translating those recommendations into law, barring the Department of Defense from using telecommunications equipment or services produced or provided by Huawei or ZTE for certain critical programs. In the following year, in the 2019 NDAA (the McCain Act), Congress banned all federal agencies from procuring any equipment, system or service that uses telecommunications equipment or services made by Huawei or ZTE as a substantial or essential component of any system, effective one year after the date of enactment. Moreover, effective Aug. 13, 2020, the provision bans federal agencies from entering into contracts (or extending or renewing contracts) with an entity that uses any equipment, system or service that uses Huawei or ZTE equipment or services, thus extending the ban to all government contractors.
In May 2019, President Trump extended the potential scope of the ban beyond Huawei and ZTE, issuing an executive order that prohibited any acquisition, installation, or use of any information and communications technology or service where the transaction involves any property in which any foreign country or foreign national has any interest if the secretary of commerce has determined that the transaction poses an undue risk of sabotage to information and communications technology or services in the U.S., catastrophic effects on the security or resiliency of U.S. critical infrastructure or the digital economy of the U.S., or other harm to the national security of the U.S. or the security and safety of U.S. persons. The president cited his authority under the International Emergency Economic Powers Act and the National Emergencies Act. On May 13, 2020, pursuant to Section 202(d) of the National Emergencies Act, the president extended the order for another year.
Other processes targeted at foreign-made telecommunications equipment were initiated. (These are separate from the export controls, recently tightened and designed to hurt Huawei more broadly.) In November 2019, the FCC adopted a rule prohibiting use of the Universal Service Fund (USF) to purchase or maintain equipment or services from any company identified as posing a national security threat to communications networks or the communications supply chain. In the same report and order, the FCC initially designated Huawei and ZTE—and their subsidiaries, parents and affiliates—as companies posing such a threat, and it set in motion a process for a final designation to be made after the companies and other interested parties had a chance to respond. The FCC also sought public comment on a proposed rule that would reimburse telecommunications carriers for removing and replacing equipment and services from designated companies in their networks.
The FCC’s actions were more or less codified in March of this year, when the president signed the Secure and Trusted Communications Networks Act, banning the use of federal telecommunications subsidy funds to purchase, lease or maintain “covered communications equipment or services” as designated by the FCC. The act specifically cross-referenced the Huawei and ZTE ban in the 2019 NDAA. It directed the FCC to establish a reimbursement program for small, predominantly rural telecommunications companies to replace any covered components in their networks.
Fully implementing the ban on Huawei equipment remains a work in progress: The McCain Act’s ban on direct procurement of services that rely on Huawei equipment is now in effect. Also, rapidly approaching is the Aug. 13 deadline of the McCain Act provision prohibiting all agencies from entering into, extending or renewing contracts with an entity that uses any service that deploys Huawei or ZTE equipment or services, which would seem to reach even the smallest telecommunications providers.
However, the May 2019 executive order banned nothing without a secretary of commerce action. Not until November 2019 did the Commerce Department actually propose rules for a procedure to determine whether a particular transaction should be prohibited, and final rules have not been issued. (So it’s well past the executive order’s Oct. 19, 2019, deadline for final regulations.) Likewise, at the FCC, the November 2019 designation was not final, so the ban did not take effect immediately. On Jan. 3, 2020, the FCC sought comment on whether the initial designations of Huawei and ZTE should be made final; the proceeding is still pending. As for the Secure and Trusted Communications Networks Act, it gives the FCC until March 12, 2021, to issue its list of banned equipment and services. And the FCC has sought comment on how the act affected its rule on use of the Universal Service Fund and follow-on proceedings.
In any case, there can be no doubt about the policy direction: For reasons of cybersecurity, the U.S. government is moving to ban from the national telecommunications infrastructure equipment made by Huawei and ZTE, and probably other Chinese companies, and the authority now exists for future bans on other foreign-made equipment that may be deemed to pose a risk.
Extending Equipment Bans to the Electric Power System
Against this background, the new executive order on the bulk-power system takes on added significance.
Like the telecommunications order, the bulk-power directive was preceded by a growing drumbeat of concern about the vulnerability of foreign-made components in the grid, but the warnings were not nearly as loud as—and lacked the China focus of—the high-profile campaign against Huawei and ZTE. Until recently, most concern about the vulnerability of the electric power grid had focused on third-party hackers, including nation-states, not the equipment makers themselves. Nevertheless, public expressions of concern were there, and growing. A 2017 report sponsored by the Office of the Director of National Intelligence examined supply-chain risks posed by supervisory control and data acquisition (SCADA) and industrial control systems in the electricity sector. An August 2019 Government Accountability Office report on cybersecurity of the electric grid noted that supply chains for industrial control systems can introduce vulnerabilities that could be exploited for a cyberattack, although that was not the office’s main concern. In July 2018, the Electric Power Research Institute issued a report specifically on supply-chain risk. The findings of that report were echoed in a February 2020 paper by Ridge Global.
Whether the authors of these warnings expected an equipment ban or merely wanted better risk management is unclear, but, at least in the Trump administration, when cybersecurity concerns converge with antipathy toward foreign (and especially Chinese) imports, an equipment ban—or at least the process for one—is what you might get. The May 1 order, citing the International Emergency Economic Powers Act and the National Emergencies Act, uses language similar to the administration’s earlier executive order on telecommunications networks. It bans any acquisition, importation, transfer or installation of any bulk-power system equipment where the secretary of energy determines that the equipment is designed or manufactured by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary and the transaction poses an undue risk of sabotage or subversion of the bulk-power system in the U.S.; catastrophic effects on the security or resiliency of U.S. critical infrastructure or the economy of the United States; or harm to the national security of the U.S. or the security and safety of U.S. persons.
Like the telecommunications order, and in an approach similar to that used by the Committee on Foreign Investment in the United States (CFIUS) and “Team Telecom” (the multi-agency working group that advises the FCC on the law enforcement and national security implications of applications by foreign-controlled entities to become involved in delivering telecommunications services in the U.S.), the bulk-power order allows the secretary (of energy, in this case) to design or negotiate measures to mitigate any national security concerns. Such measures may serve as a precondition to the approval by the secretary of a transaction or of a class of transactions that would otherwise be prohibited pursuant to the order.
The new executive order bans no specific equipment and designates no specific countries or products. All of that is left to the secretary of energy, who must issue implementing rules or regulations by Sept. 28. The order also requires the secretary to identify existing equipment in the bulk-power system that poses an undue risk and develop recommendations on ways to isolate, monitor or replace such items as soon as practicable, taking into consideration overall risk to the bulk-power system. As Ron Lee of the law firm Arnold & Porter and his colleagues have noted, many details remain to be defined.
Even more so than the telecommunications ban, implementation of this ban may be harder and take longer than the language of the executive order may suggest. Chinese-made equipment may be much more prevalent in the U.S. bulk power system than Huawei or ZTE equipment is in the networks of telecommunications service providers. Even less modest efforts aimed at supply-chain concerns have been delayed. Before the new executive order, the Federal Energy Regulatory Commission had approved a mandatory standard for supply-chain risk management for the bulk electric system. The standard was supposed to go into force in July 2020, but it was delayed by three months due to disruptions associated with the coronavirus pandemic.
The Trade Wars Meet Cybersecurity
Other expanded authorities aimed at reducing the foreign presence in strategically important U.S. infrastructure or services include the 2018 legislation strengthening the authority and procedures of the CFIUS, which referenced cybersecurity as an express interest of the committee’s process, and the recent chartering of Team Telecom. New rules for the CFIUS process became effective Feb. 13. Justin Sherman has commented on Team Telecom’s new assertiveness.
It seems only logical to include limits on foreign ownership and bans on foreign-made equipment within the cybersecurity toolkit of legal and policy measures, so long as policymakers and operators of critical infrastructure remember that domestically made products can be highly vulnerable to attackers too. One key question looms: Is the decoupling strategy further extensible? Are there other sectors dependent on Chinese or other foreign-made products with networked features where a cost-benefit analysis would favor a similar ban?