ARGUMENT: China’s Telecom RisksWhy the FCC Expelled a Chinese Telecom for National Security Risks

Published 7 December 2021

After months of investigating Chinese state-owned telecommunications companies for national security risks, the Federal Communications Commission (FCC) on Oct. 26 issued an order on one, China Telecom: It can no longer provide telecommunications services in the United States. But Justin Sherman writes that “the move also highlighted that there are many security risks at play with respect to certain foreign telecommunications companies, and mitigating one of those risks still leaves other risks in play.”

After months of investigating Chinese state-owned telecommunications companies for national security risks, the Federal Communications Commission (FCC) on Oct. 26 issued an order on one, China Telecom: It can no longer provide telecommunications services in the United States.

Justin Sherman writes in Lawfare that the decision renders China Telecom Americas—the U.S. subsidiary of the Chinese state-owned telecom China Telecom—unable to offer telecommunications services in the U.S.

The FCC did at least three main things here: It kicked China Telecom out of the U.S. telecommunications market, it detailed specific national security and cybersecurity risks the company poses, and it more broadly signaled the U.S. government’s concern about Chinese technology firms under Beijing’s control. 

But the move also highlighted that there are many security risks at play with respect to certain foreign telecommunications companies, and mitigating one of those risks still leaves other risks in play. When Beijing-controlled telecoms reach into U.S. borders, the key is developing a robust, standardized national security review process focused on identifying discrete risks. The FCC rendered a decision beneficial to national security, but the U.S. executive branch writ large still needs other tools in its toolbox to mitigate the many distinct risks posed by foreign internet and telecommunications companies and technology.

….

In terms of U.S. policy and Chinese tech companies broadly, the Biden administration hasn’t made nearly as much noise as its predecessor about Huawei, for example. But the administration is continuing the campaign against Huawei, keeping in place many Trump administration restrictions such as export controls through the Commerce Department. Additionally, President Biden has signed multiple executive orders to increase security reviews of Chinese technology risks as well as digital supply chain and data risks generally. All told, the FCC decision hardly stands alone in its reprimand of Chinese telecom groups.

This overall focus on Chinese technology threats is significant because the FCC is not finished with its reviews of Chinese telecoms in the U.S. In March, the FCC initiated a proceeding to revoke the Section 214 license of Pacific Networks and its subsidiary ComNet, both of which are “indirectly and ultimately owned and controlled by the government of the People’s Republic of China through a complex series of intermediate holding companies organized in Bermuda, the British Virgin Islands, Hong Kong, and the People’s Republic of China that are controlled by CITIC Group Corporation, a Chinese state-owned limited liability company.” An order for Pacific Networks/ComNet to terminate their services is likely coming soon. The reasoning the FCC publicly provides will give further insight into how the new FCC review process accounts for various security risks. It may also provide insight into how those risks are being weighed and if any risks are not getting sufficient attention.

This FCC order should be instructive for other parts of the U.S. government (agencies, committees and interagency task forces alike) responsible for assessing foreign companies or technologies for security risks. Other government agencies focused on cybersecurity and digital supply chain security (including Commerce, Homeland Security, Justice and Defense), as well as the Committee on Foreign Investment in the United States, should see these decisions as part of a bigger picture. Some countries pose more significant technology risks than others, but supply chain and technology trust decisions should not rest entirely on a company’s country of origin. In kind, a technology company can pose many risks to national security—whether a Chinese telecom spying on data or a U.S. data broker selling location data—and government action to mitigate one particular security risk does not equal a mitigation of every security risk.

Sherman notes that there is no doubt that revoking China Telecom Americas’ Section 214 license is a beneficial national security move. This move also has an effect on other cybersecurity risks (e.g., espionage within the U.S.) – and expelling the company could very well mitigate those risks. But, he says, we should realize that “no single action can address every national security and cybersecurity risk posed by a technology company, product or service. It will take a more concerted approach across the U.S. government to better protect U.S. citizens’ data and the U.S. digital supply chain in the coming decades.”