One group suggested the proposed rule to ban U.S. entities from buying information technology from foreign adversaries could be illegal.
Stakeholders providing feedback to the Commerce Department on rules for executing a May executive order that would ban U.S. entities from purchasing information and communications technology from “foreign adversaries” say they should put the proceeding on hold, and examine how they might be affected by related efforts by other parts of the government.
And according to comments submitted on the Jan. 10 deadline by the Rural Wireless Association, “the proposed rules may even violate existing federal law.”
Smaller rural carriers represented by the RWA would be particularly affected by the executive order, which—while company and country “agnostic”—is seen to be aimed at Chinese telecom equipment providers like Huawei and ZTE.
U.S. intelligence agencies have long warned—in classified settings—of the companies’ uncomfortable ties to the Chinese government, contributing to a bipartisan push to remove them from U.S. critical infrastructure due to concerns the companies could be used to infiltrate and compromise networks and conduct espionage.
But smaller entities have used lower cost equipment offered by the companies to make internet connections available in harder to cover rural areas.
The Commerce proposal is to conduct evaluations of transactions constituting a national security threat and to make determinations on a “case-by-case basis.”
“It is erroneous and premature of the Commerce Department to determine, without explanation, that the proposed rules do not constitute an unfunded mandate, wrote RWA General Counsel Caressa Bennet in the comments, noting the proposed rules do not include an assessment of qualitative and quantitative anticipated costs and benefits of the federal mandate, including those to the private sector as well as future compliance costs, as required by the Unfunded Mandates Reform Act of 1995.
“The Commerce Department needs to reverse its preliminary decision that the proposed rules do not violate the UMRA,” she wrote, adding, “Thereafter, the Commerce Department should proceed immediately with researching and drafting the ‘comprehensive written statement’ required under Section 202 of the UMRA.”
Because this will take time, Bennet said, the procedure should be put on hold.
Bennet noted a parallel effort underway at the Federal Communications Commission that would ban money flowing to Huawei and ZTE from the Universal Service Fund—an annual pool of $ 8.5 billion collected from consumers for expanding broadband access—which she says, along with Congress, puts estimates for replacing the suspect equipment anywhere from $1 to $2 billion. That’s far more than the $100 million threshold incurring UMRA requirements, she said.
Comments from USTelecom, which represents larger telecom operators, struck a more conciliatory tone, commending Commerce for seeking industry collaboration, but also stressed the importance of the department coordinating its evaluations “formally with other agencies at every step.”
In addition to the FCC activities, USTelecom highlighted other procurement-focused initiatives in Section 889 of the National Defense Authorization Act of 2019 being overseen by the General Services Administration; the Department of Defense’s development of a Cybersecurity Maturity Model Certification program for its contractors; the Federal Acquisition Security Council’s future “exclusion orders” for the federal government; and the National Telecommunications and Information Administration’s efforts to improve software security by bringing more transparency to that industry’s supply chains through regular use of a Software Bill of Materials.
In general, due to the scope and vagueness of the proposal, BSA | The Software Alliance—members of which have supply chains that are deeply interwoven with international collaborators—told Commerce the rules would make it “impossible for companies to create responsive compliance programs or to conduct business with a predictable and reliable understanding of the risks.”
The group added the “proposed framework would likely have only a marginal impact on improving supply chain security, while severely constraining US companies’ ability to innovate.”
Stakeholders interested in protesting the FCC’s initial designation of Huawei and ZTE as national security threats have until Feb. 3 to submit comments, which will be reviewed by the commission’s Public Safety and Homeland Security Bureau.