Updated Oct. 29, 2021
On Oct. 20, 2021, the U.S. House of Representatives passed H.R. 3919, the Secure Equipment Act of 2021, in a nearly unanimous vote. The bipartisan legislation introduced by Reps. Steve Scalise (R-La.) and Anna Eshoo (D-Calif.,) would require the Federal Communications Commission (FCC) to adopt rules it recently proposed prohibiting “equipment authorization” for certain Chinese telecommunications and video surveillance equipment. Its companion bill in the U.S. Senate, S. 1790, was introduced by Sens. Marco Rubio (R-Fla.) and Ed Markey (D-Mass.). H.R. 3919 was later passed unanimously in the Senate on Oct. 28 and now awaits signature by President Biden to become law.
On Aug.19, the FCC had published a proposed rule that would prohibit new authorizations for equipment considered part of the FCC’s “Covered List.” FCC equipment authorization is required for many types of radiofrequency (RF) emitting electronic devices before they can be marketed or imported into the United States. In order to obtain authorization, equipment must meet the FCC’s technical requirements, primarily to prevent harmful RF interference with other devices, as well as limiting human RF exposure limits and other criteria.
The FCC Covered List was posted in March as required by the Secure and Trusted Communications Networks Act of 2019 (Secure Networks Act). Enacted with the aim of with the aim of purging Huawei and ZTE equipment posing national security risks from U.S. communications networks, the law prohibited use of FCC subsidies for purchasing, obtaining or maintaining equipment on the Covered List developed by the FCC and created a reimbursement program available to telecommunications service providers for replacement of equipment purchased prior to the requirement. While the FCC is authorized to use several government sources to compile the list, so far it has simply incorporated the definition of covered equipment produced by certain Chinese companies found in Section 889 of the 2019 National Defense Authorization Act, as the Covered List. Section 889 prohibited federal purchase, contractor use and federal grant/loan funding for telecommunications products from Huawei and ZTE, as well as video surveillance and telecommunications products from Hikvision, Dahua and Hytera.
However, when Congress provided funding for the FCC reimbursement program through the Consolidated Appropriations Act of 2021, it also amended the Secure Networks Act to clarify that only Huawei and ZTE telecommunications equipment or services qualify – making it very clear that despite inclusion of video surveillance equipment on the FCC Covered List, replacement of this equipment is not eligible for reimbursement under the program. The FCC’s FAQs document on the program further clarifies that end user on-premises equipment (e.g., routers and Internet of Things (IoT) devices) that connect with the telecommunications service are “not reasonably necessary” for replacement and thus are ineligible for reimbursement, keeping the program focused on network infrastructure.
The FCC’s new rulemaking is aimed at addressing what supporters have described as a gap in these policies – that telecommunications service providers could possibly continue to purchase the Chinese equipment for use in their networks, especially as 5G is built out, despite the prohibition on using FCC subsidy funds and availability of the reimbursement program. Without FCC authorization, this equipment will no longer be available in the United States.
However, in part because the Covered List includes broad categories of equipment from the listed manufacturers extending far beyond network infrastructure, the proposal has garnered over 250 public comments from a range of industry associations, businesses and individuals, including a number of security industry participants and observers, many of which have identified as U.S. businesses that supply and install video surveillance equipment that would be impacted.
While most comments from information and communications technology (ICT) industry organizations like the Consumer Technology Association, U.S. Telecom and the Information Technology Industry Council agreed generally with the cybersecurity goals of the rulemaking, they expressed serious reservations with transforming a process focused simply on radiofrequency interference into an instrument to implement cybersecurity and national security objectives and the impact on broad categories of devices used in a number of industries outside the FCC’s traditional role – despite IoT cybersecurity authorities and initiatives by other agencies like the Federal Trade Commission and the National Institute of Standards and Technology. Many commenters also questioned whether the FCC has sufficient authority under existing law governing the equipment authorization process to expand its scope in this manner.
Enactment of the Secure Equipment Act would settle this question by requiring the FCC to complete its current rulemaking within a year of enactment to ensure the FCC “will no longer review or approve any application for equipment authorization for equipment that is on the list of covered communications equipment or services published by the Commission.” According to one of the co-sponsors speaking in support of the bill in the U.S. House of Representatives, it is intended to “prevent any further Chinese state backed equipment from being used here in the United States.”
Notably, the bill prohibits the rulemaking from requiring the review or revocation of any equipment authorization granted before it is finalized based on the FCC’s Covered List (though it explicitly does not preclude the FCC from considering such a move in a separate, future proceeding). Beyond the limitation detailed in the proposed rule on any further equipment authorization for equipment on the Covered List, the FCC had sought additional comment on whether the Commission should also consider revoking existing equipment authorizations of “covered” equipment and, if so, under what conditions and procedures.
U.S. ICT trade groups were unanimous in their strong opposition to blanket revocation, arguing this approach would not be driven by cybersecurity concerns specific to a piece of equipment and would end up punishing U.S. consumers who purchased equipment relying on existing FCC authorizations. Currently the FCC may revoke an equipment authorization if it finds misrepresentations were made regarding the equipment’s operation or if it is found not to conform to the FCC’s technical requirements. It would be unprecedented for the FCC to revoke authorizations on grounds unrelated to technical details or faults in applications. As one technology association stated in its comments, “such an action would unmoor the revocation process from its firm reliance on technical data, objective performance characteristics, and the measurable harm that such products could create.”
Many of the commenters had highlighted concerns with mass scale revocation of equipment authorization for what are in many cases consumer devices and the difficult and possibly unanswerable questions it would raise. According to one group, “devices and components potentially subject to revocation may be in homes or offices, or may be incorporated into other equipment used throughout the economy. How would users be made aware of the revocation? What impact would revocation have on existing devices in the field? How will users identify, source, and replace devices subject to revocation, and would assistance be provided in doing so? Devices sold at retail may be difficult or impossible to locate, and if a device has been incorporated into other equipment, a replacement may require new engineering, testing, validation, and manufacture.”
Implications for the Security Industry Regarding Video Surveillance Equipment
In the near term, the FCC action as proposed in the current rulemaking and bolstered by passage of the Secure Equipment Act will eventually be finalized. This means the marketing, importation and sale of new video surveillance equipment from these Chinese manufacturers without current FCC authorization will be prohibited. At least until implementation of Section 889 procurement and contracting prohibitions, such products were commonly used in security systems across the consumer, commercial and government markets. When finalized, the FCC action will reduce supply and eventually eliminate future availability in the U.S. of products from these companies, which will require adjustments by all companies that may still be utilizing them, and impact product offerings, costs and other business operations – even if they are not federal suppliers.