The Chairman of the Federal Communications Commission has confirmed in a statement released on March 26 that the agency is moving forward with a plan to prevent carriers using equipment made in China from receiving funding from the Universal Service Fund.
The USF is a pool of about $8.5 billion collected from communications users in the U.S. It’s used to help pay for communications services and infrastructure for poor, rural or otherwise disadvantaged communities.
Citing a set of security concerns including hidden back doors, Pai stated that “Threats to national security posed by certain communications equipment providers are a matter of bipartisan concern. Hidden ‘back doors’ to our networks in routers, switches—and virtually any other type of telecommunications equipment—can provide an avenue for hostile governments to inject viruses, launch denial-of-service attacks, steal data, and more.”
His action comes in response to a letter received earlier in 2018 from the House Permanent Select Committee on Intelligence and the Senate Intelligence Committee. Attached to the letter is a 60-page report on the findings of an investigation conducted by the HPSCI in 2012 which detailed the risk.
The investigations found that it’s possible to embed covert code in communications infrastructure equipment that can disrupt communications or even forward communications from some users to unintended recipients.
While the statement by Pai didn’t mention Huawei or ZTE by name, they are the two Chinese telecommunications vendors that operate in the U.S. The report does not call out other related equipment such as laptop computers, cell phones or tablets, perhaps because virtually all of those are made in China.
The order, if it’s adopted, would effectively cut off federal funding from communications providers such as cable and phone companies that use equipment from Huawei and ZTE.
While the major U.S. carriers don’t use Huawei or ZTE equipment, smaller networks frequently do. Partly this is because prices are lower and because those companies have aggressively marketed themselves to smaller carriers. As it happens, these same smaller carriers are the primary recipients of USF funds. The proposed FCC funding restriction would hit them especially hard.
Larger companies have already moved away from Huawei and ZTE. Both AT&T and Verizon were in the process of carrying mobile phones and other devices from those vendors until early in 2018, when both carriers dropped their plans. The intelligence community made no statements concerning risks from those phones, but apparently the carriers bowed to pressure from Congress and elsewhere and decided not to carry those devices.
The Congressional statement made that concern very clear. “We write today concerning the Chinese telecommunications equipment manufacturer Huawei and press reports that a major U.S. telecommunications provider will begin selling Huawei consumer products in the United States as early as next year, with little or no modifications to the products,” the statement began.
The letter went on to remind the FCC of the 2012 investigation report from the HPSCI, and to inquire whether the FCC used equipment from either of those Chinese companies or allowed its employees to do so.
The level of concern by the intelligence committees may seem a little paranoid to the uninitiated, but in fact it is possible to introduce functions into the ASICs (application-specific integrated circuits) that operate most network equipment. Those ASICs contain hard-coded instructions as well as the firmware that makes up the device’s operating system.
While it’s possible to see the code that is used for some of the operations of a network device, it’s also entirely possible to load hidden code into the device that can be triggered on command. Such code is actually quite common, and it’s used by network equipment companies to provide an upgrade path for their products.
When service providers or equipment makers want to turn on a specific function, perhaps an advanced management capability, they can enter a license key into the device and the upgrade takes place automatically. The code was there all along, and the license key simply activated it.
But such code can be used for other purposes as well, including cheating during testing. Several years ago when I was testing an early version of a Gigabit Ethernet switch from a now-defunct vendor, we noticed that the switch performed unusually well in a test that involved transferring very short 64-byte packets at full line rate. Other packets did not transfer nearly as fast.
The reason, of course, is that at the time a popular piece of testing hardware depended on flooding the switch with 64-byte packets, so the device was designed to cheat when it saw that type of traffic, which could only be a test.
Other types of code can also be embedded in network hardware. In addition to the potential for back doors, it’s possible to embed code that transfers copies of packets for specific IP addresses to a destination other than what’s intended, giving you the ability to siphon off traffic from a military installation, for example. Some network engineers reportedly discovered Huawei switches doing just that 10 years ago.
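One way a network operator can check for the packet-copying behavior described above is to compare what enters a device with what leaves it. The following is an added example, not code from the report or from any vendor; the record format, function names and addresses are constructed for illustration, and it assumes passive taps on both sides of the switch with no NAT or encapsulation in between.

```python
import hashlib
from collections import defaultdict, namedtuple

# Constructed record format: one entry per packet seen on a passive tap.
Pkt = namedtuple("Pkt", "ts src dst payload")

def fingerprint(pkt):
    """Hash source and payload only, so a copy sent to a new destination
    still matches the packet it was cloned from."""
    return hashlib.sha256(pkt.src.encode() + b"|" + pkt.payload).hexdigest()

def find_diverted_copies(ingress, egress):
    """Return egress packets whose content matches an ingress packet but
    whose destination is not one that packet was addressed to."""
    intended = defaultdict(set)
    for p in ingress:
        intended[fingerprint(p)].add(p.dst)
    findings = []
    for p in egress:
        dsts = intended.get(fingerprint(p))
        if dsts and p.dst not in dsts:
            findings.append(p)
    return findings

def summarize(findings):
    """Count suspected copies per (original source, unexpected destination)."""
    counts = defaultdict(int)
    for p in findings:
        counts[(p.src, p.dst)] += 1
    return dict(counts)

# Constructed sample traffic using documentation address ranges.
INGRESS = [
    Pkt(1.00, "192.0.2.10", "198.51.100.5", b"report-1"),
    Pkt(1.10, "192.0.2.10", "198.51.100.5", b"report-2"),
    Pkt(1.20, "192.0.2.20", "198.51.100.7", b"hello"),
]
EGRESS = [
    Pkt(1.01, "192.0.2.10", "198.51.100.5", b"report-1"),
    Pkt(1.01, "192.0.2.10", "203.0.113.99", b"report-1"),  # unexpected copy
    Pkt(1.11, "192.0.2.10", "198.51.100.5", b"report-2"),
    Pkt(1.11, "192.0.2.10", "203.0.113.99", b"report-2"),  # unexpected copy
    Pkt(1.21, "192.0.2.20", "198.51.100.7", b"hello"),
]

if __name__ == "__main__":
    for (src, dst), n in summarize(find_diverted_copies(INGRESS, EGRESS)).items():
        print(f"{n} packet(s) from {src} also left toward {dst}")
```

Legitimate port mirroring or multicast would also show up here, so known monitoring destinations need to be excluded before treating a finding as suspicious.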
So the concerns of the committees and the FCC may not be unfounded. The problem for Huawei and ZTE is that they would need to submit their products and the code that goes in them for review and so far neither company has cooperated with such investigations.
At this point, it appears that neither company has much of a future in selling network infrastructure equipment in the U.S. That could change, but not until they agree to a level of transparency that’s so far not been forthcoming.