The Covered List is Not Practicable for Regulating IoT Devices

By Jamie Moss | 4Q 2024 | IN-7628

Registered users can unlock up to five pieces of premium content each month.

Log in or register to unlock this Insight.

The Secure and Trusted Communications Networks Act, sometimes abbreviated to The Secure Networks Act, and technically referred to as H.R.4998, was passed into law by the United States' Congress in March 2020, after being introduced in November 2019. It exists to "prevent communications equipment or services that pose a national security risk from entering U.S. networks" and "to remove any such equipment or services currently used."

The Act requires every "communications provider" in the United States to submit a report to the Federal Communications Commission (FCC) each year, detailing all equipment and services "purchased, rented, leased, or otherwise obtained" from a Covered List of companies identified by the government as a security risk, alongside said communication provider's reason for doing so. This reasoning implies a degree of latitude, i.e., that in the right circumstances, entities on the list might still supply U.S. companies. But this is not so.

Once on the Covered List, a company must be removed from every U.S. communications network, and for as long as it stays on the list, no U.S. provider will buy from it again. The reports justifying any purchases made are for the sake of assessing newly added entities to the list, so that the U.S. government can know who is using said company's equipment and services, how extensive that use is, and how great the potential security risk it poses is. This is for the sake of expediting the removal of that company's presence in the United States.

The Secure and Trusted Communications Networks Reimbursement Program exists to help U.S. communications providers with no more than 2 million customers fund the cost of removing and replacing any prohibited equipment and services. There is no "approved list," however. And it is always possible that any replacement equipment may be supplied by vendors that fall foul of the Covered List in the future. Essentially, the unspoken recommendation is to purchase from U.S. or European suppliers, for future-proofing.

In addition, H.R.4998 requires the United States' National Telecommunications and Information Administration (NTIA) to "establish a program to share information regarding supply chain security risks with trusted communications providers and suppliers." This is an action clearly intended to canvass and inform on companies that are potential and/or perceived risks, ergo candidates for addition to the Covered List as time goes by. The list has been added to on four occasions and is likely to continue to grow over time.

Congress.gov, the official website for U.S. federal legislative information, states that 16,601 bills were introduced during the 2019-2020 sitting of the U.S. Congress, out of which 344 became laws. The typical time taken for a bill to pass into law during that sitting was just over 5.5 months, with 87 bills progressing faster than The Secure Networks Act, which was itself in the top 25% in terms of speed to pass. This speaks to the importance of the issue covered by the Act, and to the degree of cross-party consensus.

The first companies to contravene the Secure and Trusted Communications Networks Act were named in March 2021, a year after the law was passed. Huawei Technologies Company, along with ZTE Corporation, Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, and Dahua Technology Company were listed. This group still makes up almost half of the 11 companies listed, to date, all of which have been Chinese or Russian companies with significant market power in the United States.

Huawei and ZTE are both telecommunications network infrastructure manufacturers, while Hytera, Hikvision, and Dahua are video surveillance equipment manufacturers. The U.S. operations of China Mobile, China Telecom, and China Unicom, i.e., all of China's national wireless carriers, have since been added, too, as has China's lesser known Pacific Networks Corp, and two entities of the Russian security software firm Kaspersky. Each is either a foreign, state-owned entity, or works closely with and receives financial support from such a state.

Crucially, it is not a point of principle that companies closely allied to foreign governments should not be trusted. Specifically, the Chinese and Russian governments are in active opposition to the United States, to some extent ideologically, but principally in terms of foreign policy. Kaspersky was only added to the list following the Russian military invasion of Ukraine in February 2022. The creation of the Secure and Trusted Communications Networks Act, and the reason for any company to be added to it, is explicitly political.

What does this mean for other companies, especially Chinese ones, operating in the United States? First, a company's business must serve a market that is deemed critical to U.S. national security to be on the firing line. Specifically, only "equipment marketed or sold for public safety purposes, government facilities, critical infrastructure, or other national security purposes" is under scrutiny. Manufacturers of products that do not rely on communications technologies, or that are not for use by those parties are safe.

Two types of equipment have been featured in the Covered List so far: 1) telecommunications equipment-user equipment, radio access network, and core network equipment; and 2) video surveillance equipment-connected security cameras, body cameras, and any associated connected equipment. But definitions, like lists, can always be expanded, and are usually deliberately broad in interpretation.

Crucially, it is not necessary for the U.S. government to prove any given company's products and services have been compromised and so aided a foreign government. Nor is it even necessary to prove that such products and services could do so conceptually. The burden of proof lies with the accused to demonstrate innocence. But this is easier said than done, as communications equipment and services incorporate thousands of lines of code within device firmware and cloud platforms. Legitimately, any instruction could be placed somewhere in that code, and H.R.4998 is based on subjectively reasonable suspicion, not objective proof of malfeasance.

The Covered List tends to be updated every March and September, the one exception being the addition of Kaspersky Lab, Inc. in July 2024. Recommendations for new companies to add can come from the FCC, or can be submitted to the FCC by members of the U.S. House of Representatives. Module vendors Quectel and Fibocom were requested additions in September 2023 from a cross-party pairing of Mike Gallagher and Raja Krishnamoorthi, then-members of the House of Representatives China Select Committee, and House Committee on the Chinese Communist Party, respectively.

The Covered List is open to exploitation, however, with manufacturers citing it in attempts to discredit competitors, to take business from them. In July 2024, GovernmentGPT filed a lawsuit against body camera manufacturer and government supplier Axon. GovernmentGPT complained that Axon engaged in anti-competitive practices, and as a scare-mongering tactic to encourage action in favor of its claim that Axon's use of Chinese module manufacturer Quectel rendered its products unsecure. At that time, Quectel's inclusion on the Covered List was only suggested, and still has not come to pass.

The effect on companies added to the Covered List is potentially massive. It causes them to instantly lose access to the U.S. market, and to lose business in other geographies through suspicion by association; or simply as a result of an international company that is active in North America making a global Stock Keeping Unit (SKU) product that is provisioned by a single supplier. A company does not even need to be added to the Covered List to suffer, as the speculation resulting from an announcement of possible inclusion can be enough to instill enough caution to make customers choose an alternative supplier, just in case.

But in July 2024, the efficacy of the Covered List was called into question. It was revealed that most service providers required to remove Huawei's equipment from their networks had not completed the task, 3 years after being told to. The US$1.9 billion reimbursement plan intended to help fund the work was purportedly less than half as much as required, and further funding seems unlikely. Only 14 of the 126 providers enrolled in the plan had finished the job by July 2024, with 52 out of 64 extension requests citing insufficient funds as partly to blame, their original deadlines having been the during 1H 2024.

This highlights a foundational problem with the Covered List. By the time a company has become important enough to come to the attention of the U.S. government as a potential security risk, its physical presence is already so great that it is effectively impossible to retroactively eliminate its products from all U.S. infrastructure. It may be more achievable with software products, but less so with hardware. And it should be easier with network infrastructure than with terminal equipment, as there is at least a finite and more easily identifiable list of licensed network operators to instruct.

In the case of Quectel and Fibocom, so many different Internet of Things (IoT) device types contain cellular modules-from smart meters, to industrial equipment, to connected cars. And there are so many different Small and Medium Enterprises (SMEs) manufacturing such specialized equipment, all of which would need to be monitored in the replacement of any devices in their networks now using the "wrong" components. The logistics, the cost, and the likely need for so many businesses to seek funding from the U.S. government all make the task seem impossible, and the decision to invoke it pointless.

A more practical method, if the United States wishes to proceed with such actions, would be a more generalized prohibition, targeted at specific markets, that takes effect from a moment in time, without requiring the removal of extant deployments. A perfect example is the currently proposed Rule on Connected Vehicles, which aims to prohibit the importation or sale of Vehicle Connectivity Systems (VCSs), or completed vehicles containing "hardware or software designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the PRC [People's Republic of China] or [the] Russia[n Federation]." But the Covered List is to too prescriptive to possibly be applicable to IoT devices.