Today, I submitted written testimony to the U.S. Senate, Committee on Appropriations, Subcommittee on Financial Services and General Government. Click here to download a pdf of the testimony.
Chair Van Hollen, Ranking Member Hagerty, and members of the Subcommittee,
I am writing on behalf of the Foundation for American Innovation to encourage this Subcommittee to provide additional funding to the Federal Communications Commission (FCC) to fully fund the Secure and Trusted Communications Networks Reimbursement Program. I further encourage the Subcommittee to include report language in this year’s appropriations package requiring the Commission to conduct a study of the national security risks posed by consumer routers, modems, and devices that combine a modem and router.
Background
The FCC regulates interstate and international communications by radio, television, wire, satellite, and cable in all 50 states, the District of Columbia, and U.S. territories. The Commission develops regulatory programs, manages and licenses the use of radio spectrum within the United States, encourages innovation and investment in communications technologies, and contributes to public safety and homeland security. As part of these responsibilities, the FCC takes a leading role in strengthening and monitoring the nation’s communications infrastructure.
Congress passed the Secure and Trusted Communications Network Act of 2019 and the Secure Equipment Act of 2021 to address national security vulnerabilities in our nation’s telecommunications networks and to remove vulnerable equipment. One component of the FCC’s responsibilities under these laws is managing the List of Equipment and Services Covered by Section 2 of the Secure Networks Act, also known as the Covered List. This list was created by the enactment of the Secure and Trusted Communications Networks Act of 2019 to address vulnerabilities within telecommunications networks that included equipment made by Chinese Communist Party-backed firms Huawei and ZTE. The law requires the Commission to publish a list of companies, communications equipment, and services that pose an unacceptable risk to the national security of the United States or the security of U.S. persons and to deny authorization applications for equipment produced by companies on the Covered List.
Complementing the covered equipment list, Congress also created the Secure and Trusted Communications Networks Reimbursement Program, also known as the Supply Chain Reimbursement Program, to help mitigate the cost of removing and replacing covered equipment in certain networks. The program received an initial allocation of $1.9 billion to reimburse providers with 10 million or fewer customers for equipment produced or provided by Huawei or ZTE before June 30, 2020. After evaluating the cost of approved applications, the FCC determined that it would cost $4.98 billion, $3.08 billion more than allocated. As a result of this shortfall, many network operators—primarily small and rural operators—are unable to finish this process without additional funds, leaving our broadband networks vulnerable.
Importance of Funding the Reimbursement Program and Studying Routers
The “rip and replace” process is the culmination of years of work highlighting the threats posed by domestic telecommunications networks using equipment produced by Chinese manufacturers. Chinese law requires that all domestic firms comply and assist with intelligence gathering or military operations if asked by the Chinese Communist Party (CCP). This means that a company could be compelled to compromise certain products to further intelligence operations for the CCP. Indeed, the Commerce Department is reportedly investigating China Mobile, China Telecom, and China Unicom—providers that the FCC has already found to be national security threats—over national security risks related to their U.S. cloud and internet services businesses.
This potential threat is coupled with evidence of vulnerabilities that have been found in products produced and provided by Chinese firms, specifically Huawei and ZTE. Reporting has shown Chinese intelligence and state-affiliated hacker groups exploiting vulnerabilities within digital infrastructure in the United States and other western nations. Such vulnerabilities could be exploited to conduct intelligence gathering activities, cripple infrastructure, and exert leverage over American firms.
Beyond the strategic considerations, it is important for Congress to uphold its commitment to operators who took steps to secure their networks. Such networks are often smaller, independent, or rural networks that do not have the financial resources to rip and replace technology that may be only a few years old. A failure to make such networks whole would set a harmful precedent for federal efforts focused on securing infrastructure. Removing and replacing all equipment produced or provided by Huawei and ZTE is a critical step toward strengthening our networks, promoting national security, and protecting the freedom and privacy of Americans.
When it comes to the FCC’s efforts to secure our nation’s telecommunications infrastructure, the importance of studying the vulnerability of routers is hard to overstate. Consumer routers, modems, and combination devices found in millions of American homes, including those used by federal government agencies, represent a critical and often overlooked component of our national communications infrastructure. These devices are not only gateways to personal and sensitive information but also potential entry points for cyber threats. The National Institute for Standards and Technology has identified numerous cybersecurity vulnerabilities in routers produced by CCP-backed companies such as TP-Link, underscoring the risks. Given that Chinese companies must support China’s intelligence operations, the vulnerabilities in these devices could be exploited for espionage, infrastructure disruption, and data theft. Studying these vulnerabilities is a first and essential step in formulating effective countermeasures to protect national security, ensuring the integrity of communications networks, and safeguarding the privacy of American citizens.
Recommendations
The Subcommittee should provide an additional $3.08 billion to the FCC’s FY 2025 budget to fully fund the Secure and Trusted Communications Networks Reimbursement Program.
Congress and the FCC have worked together to highlight and mitigate the risks posed by Chinese-produced and -provided equipment being used in domestic telecommunications networks. But they cannot allow the effort to go unfinished. Network operators have done their best to comply with the law. Now, Congress must uphold its end of the agreement and fully fund the Reimbursement Program.
The Subcommittee should include report language in the FY25 appropriations package encouraging or requiring the FCC to study the national security risks posed by consumer routers, modems, and devices that combine a modem and router produced by companies primarily located in a covered nation as defined in 10 U.S. Code § 4872.
Congress has provided the FCC with the authority it needs to better protect our telecommunications networks from national security vulnerabilities. The Commission has worked diligently to secure our nation’s backbone internet infrastructure. Now it should turn some of its attention to the pieces of our broadband networks that are closest to everyday Americans and, in many cases, the government itself.