WASHINGTON: More than two years after Congress passed two laws to strip Chinese hardware and software from US defense and telecommunications supply chains, industry is struggling to figure out how.
“No one really has the answers on some of this stuff,” Nick Jones, director of regulatory policy at the National Defense Industrial Association (NDIA), said in an interview.
One key problem, Jones explained, is that neither DoD nor the FCC have issued lists of what equipment is banned by the laws.
“Good national security intentions, but poor execution thus far,” one telecoms expert summed up.
The 2019 National Defense Authorization Act (NDAA) included section 889 which prohibits the federal government, contractors, and federal grant/loan recipients from buying or even using “covered telecommunication equipment or services” from Huawei, ZTE, Hytera, Hikvision and Dahua and their subsidiaries as a “substantial or essential component of any system, or as critical technology as part of any system.” It also allows the Defense Secretary, the Director of National Intelligence and/or the FBI Director to “add to the list at anytime.”
DoD, the General Services Agency (GSA) and NASA in July 2020 issued a Federal Acquisition Regulation (FAR) “interim rule” to implement the provision, and followed up with a second one in late August aimed at helping companies through the process of certifying compliance.
Congress in 2019 also passed the Secure and Trusted Communications Networks Act of 2019 directing the FCC to figure out how to remove and replace Chinese equipment from US telecoms networks, known as the “rip and replace” program. The bill also provided $1.89 billion in FCC funds to help small and rural broadband providers comply. The FCC issued a new draft rule Thursday that would expand the pool of potential aid recipients — upping the cap from firms with 2 million customers to those with 10 million.
While the FCC rules do not directly affect most of the defense industrial base, DoD is working closely with affected commercial telecoms providers to speed 5G wireless connectivity to military users at home and abroad.
For example, DoD in October awarded some $600 million in contracts for 5G experiments at five bases belonging to the Air Force, Army, Navy and Marine Corps. Joseph Evans, technical director for 5G in the DoD undersecretariat for research & engineering, said the awards involve “over three dozen contracts
prime contractors [and] over 100 total companies, over half of them non-traditional” – that is, commercial tech companies rather than longstanding defense contractors. (Awardees range from telecoms giants AT&T and Nokia to the tiny Shared Spectrum Company that has 14 employees.)
It is the second part of the 2019 NDAA Section 889 (Part B) — which covers third-party providers of systems, parts and services — that is causing the most trouble for defense contractors, Jones explained. Smaller firms in particular are struggling, he added, since they don’t have the resources the big primes do to engage legal and regulatory expertise to help.
Part B “has caused greater headaches for US Government contractors because of its broader reach,” stated a November blog post by law firm Baker MacKenzie. “It is not necessary that the Covered Equipment be used as part of the contract with the US Government to fall within the scope of the prohibition; rather, it is sufficient only that the offeror uses Covered Equipment as part of its overall business, making the breadth and applicability of this rule quite wide.”
For example, corporate leaders are scratching their heads over whether Chinese-made cameras for facility security are barred by Section 889, and what can be bought to replace the prohibited gear, Jones said.
“You know, security cameras looking at parking lots. So we’ve had people just rip those out, or turn them off,” he elaborated. “And there’s no replacement lists anywhere. Also cameras for things like simulation training and simulation applications that may have some of these [barred] components in there, and again, there’s no list.”
“The guidance/law is at the policy level and implementation is going to be hard, in part because nobody was watching too closely to see just how far these Chinese components and hardware have infiltrated U.S. businesses,” the telecoms expert said. “It’s going to take a while, and cost a lot, to purge them and I doubt it will be effective.
“Chip-level compromises, at the nation state level, are very hard to defeat and imposing this on industry without specific guidance makes it harder. It’s also imposing real costs on industry, which only makes sense if enforcement / market compliance incentives will follow,” the expert added.
Interestingly, the FCC regulations might actually help defense contractors implement Section 889, Jones noted, because the FCC is actually required to publish a list of barred equipment — a list that is expected to be released sometime next month. Further, that list will be based in part on determinations by DoD and the Intelligence Community as to what specific equipment should be deemed high risk, according to the FCC.
Tracking down the hundreds of subsidiaries for the five Chinese firms blacklisted in the NDAA also is a Sisyphean task, Jones said. While DoD has provided some guidelines for how contractors should conduct a “reasonable inquiry” into whether they (and their suppliers) are complying with the law, he explained, the Pentagon hasn’t actually name names of blacklisted subsidiaries. (Nor has the FCC provided a subsidiary list in its regulations implementing the rip and replace law.)