FCC

Who’s Behind Monday’s 14-State 911 Outage?

Emergency 911 systems were down for more than an hour on Monday in towns and cities across 14 U.S. states. The outages led many news outlets to speculate the problem was related to Microsoft‘s Azure web services platform, which also was struggling with a widespread outage at the time. However, multiple sources tell KrebsOnSecurity the 911 issues stemmed from some kind of technical snafu involving Intrado and Lumen, two companies that together handle 911 calls for a broad swath of the United States.

Image: West.com

On the afternoon of Monday, Sept. 28, several states including Arizona, California, Colorado, Delaware, Florida, Illinois, Indiana, Minnesota, Nevada, North Carolina, North Dakota, Ohio, Pennsylvania and Washington reported 911 outages in various cities and localities.

Multiple news reports suggested the outages might have been related to an ongoing service disruption at Microsoft. But a spokesperson for the software giant told KrebsOnSecurity, “we’ve seen no indication that the multi-state 911 outage was a result of yesterday’s Azure service disruption.”

Inquiries made with emergency dispatch centers at several of the towns and cities hit by the 911 outage pointed to a different source: Omaha, Neb.-based Intrado — until last year known as West Safety Communications — a provider of 911 and emergency communications infrastructure, systems and services to telecommunications companies and public safety agencies throughout the country.

Intrado did not respond to multiple requests for comment. But according to officials in Henderson County, NC, which experienced its own 911 failures yesterday, Intrado said the outage was the result of a problem with an unspecified service provider.

“On September 28, 2020, at 4:30pm MT, our 911 Service Provider observed conditions internal to their network that resulted in impacts to 911 call delivery,” reads a statement Intrado provided to county officials. “The impact was mitigated, and service was restored and confirmed to be functional by 5:47PM MT.  Our service provider is currently working to determine root cause.”

The service provider referenced in Intrado’s statement appears to be Lumen, a communications firm and 911 provider that until very recently was known as CenturyLink Inc. A look at the company’s status page indicates multiple Lumen systems experienced total or partial service disruptions on Monday, including its private and internal cloud networks and its control systems network.

Lumen’s status page indicates the company’s private and internal cloud and control system networks had outages or service disruptions on Monday.

In a statement provided to KrebsOnSecurity, Lumen blamed the issue on Intrado.

“At approximately 4:30 p.m. MT, some Lumen customers were affected by a vendor partner event that impacted 911 services in AZ, CO, NC, ND, MN, SD, and UT,” the statement reads. “Service was restored in less than an hour and all 911 traffic is routing properly at this time. The vendor partner is in the process of investigating the event.”

It may be no accident that both of these companies are now operating under new names, as this would hardly be the first time a problem between the two of them has disrupted 911 access for a large number of Americans.

In 2019, Intrado/West and CenturyLink agreed to pay $575,000 to settle an investigation by the Federal Communications Commission (FCC) into an Aug. 2018 outage that lasted 65 minutes. The FCC found that incident was the result of a West Safety technician bungling a configuration change to the company’s 911 routing network.

On April 6, 2014, some 11 million people across the United States were disconnected from 911 services for eight hours thanks to an “entirely preventable” software error tied to Intrado’s systems. The incident affected 81 call dispatch centers, rendering emergency services inoperable in all of Washington and parts of North Carolina, South Carolina, Pennsylvania, California, Minnesota and Florida.

According to a 2014 Washington Post story about a subsequent investigation and report released by the FCC, that issue involved a problem with the way Intrado’s automated system assigns a unique identifying code to each incoming call before passing it on to the appropriate “public safety answering point,” or PSAP.

“On April 9, the software responsible for assigning the codes maxed out at a pre-set limit,” The Post explained. “The counter literally stopped counting at 40 million calls. As a result, the routing system stopped accepting new calls, leading to a bottleneck and a series of cascading failures elsewhere in the 911 infrastructure.”

Compounding the length of the 2014 outage, the FCC found, was that the Intrado server responsible for categorizing and keeping track of service interruptions classified them as “low level” incidents that were never flagged for manual review by human beings.

The FCC ultimately fined Intrado and CenturyLink $17.4 million for the multi-state 2014 outage. An FCC spokesperson declined to comment on Monday’s outage, but said the agency was investigating the incident.

FCC Proposes to Fine Wireless Carriers $200M for Selling Customer Location Data

The U.S. Federal Communications Commission (FCC) today proposed fines of more than $200 million against the nation’s four largest wireless carriers for selling access to their customers’ location information without taking adequate precautions to prevent unauthorized access to that data. While the fines would be among the largest the FCC has ever levied, critics say the penalties don’t go far enough to deter wireless carriers from continuing to sell customer location data.

The FCC proposed fining T-Mobile $91 million; AT&T faces more than $57 million in fines; Verizon is looking at more than $48 million in penalties; and the FCC said Sprint should pay more than $12 million.

An FCC statement (PDF) said “the size of the proposed fines for the four wireless carriers differs based on the length of time each carrier apparently continued to sell access to its customer location information without reasonable safeguards and the number of entities to which each carrier continued to sell such access.”

The fines are only “proposed” at this point because the carriers still have an opportunity to respond to the commission and contest the figures. The Wall Street Journal first reported earlier this week that the FCC was considering the fines.

The commission said it took action in response to a May 2018 story broken by The New York Times, which exposed how a company called Securus Technologies had been selling location data on customers of virtually any major mobile provider to law enforcement officials.

That same month, KrebsOnSecurity broke the news that LocationSmart — a data aggregation firm working with the major wireless carriers — had a free, unsecured demo of its service online that anyone could abuse to find the near-exact location of virtually any mobile phone in North America.

In response, the carriers promised to “wind down” location data sharing agreements with third-party companies. But in 2019, Joseph Cox at Vice.com showed that little had changed, detailing how he was able to locate a test phone after paying $300 to a bounty hunter who simply bought the data through a little-known third-party service.

Gigi Sohn is a fellow at the Georgetown Law Institute for Technology Law and Policy and a former senior adviser to former FCC Chair Tom Wheeler in 2015. Sohn said this debacle underscores the importance of having strong consumer privacy protections.

“The importance of having rules that protect consumers before they are harmed cannot be overstated,” Sohn said. “In 2016, the Wheeler FCC adopted rules that would have prevented most mobile phone users from suffering this gross violation of privacy and security. But [FCC] Chairman Pai and his friends in Congress eliminated those rules, because allegedly the burden on mobile wireless providers and their fixed broadband brethren would be too great. Clearly, they did not think for one minute about the harm that could befall consumers in the absence of strong privacy protections.”

Sen. Ron Wyden (D-Ore.), a longtime critic of the FCC’s inaction on wireless location data sharing, likewise called for more string consumer privacy laws, calling the proposed punishment “comically inadequate fines that won’t stop phone companies from abusing Americans’ privacy the next time they can make a quick buck.”

“Time and again, from Facebook to Equifax, massive companies take reckless disregard for Americans’ personal information, knowing they can write off comparatively tiny fines as the cost of doing business,” Wyden said in a written statement. “The only way to truly protect Americans’ personal information is to pass strong privacy legislation like my Mind Your Own Business Act [PDF] to put teeth into privacy laws and hold CEOs personally responsible for lying about protecting Americans’ privacy.”

Lawmakers Prod FCC to Act on SIM Swapping

Crooks have stolen tens of millions of dollars and other valuable commodities from thousands of consumers via “SIM swapping,” a particularly invasive form of fraud that involves tricking a target’s mobile carrier into transferring someone’s wireless service to a device they control. But the U.S. Federal Communications Commission (FCC), the entity responsible for overseeing wireless industry practices, has so far remained largely silent on the matter. Now, a cadre of lawmakers is demanding to know what, if anything, the agency might be doing to track and combat SIM swapping.

On Thursday, a half-dozen Democrats in the House and Senate sent a letter to FCC Chairman Ajit Pai, asking the agency to require the carriers to offer more protections for consumers against unauthorized SIM swaps.

“Consumers have no choice but to rely on phone companies to protect them against SIM swaps — and they need to be able to count on the FCC to hold mobile carriers accountable when they fail to secure their systems and thus harm consumers,” reads the letter, signed by Sens. Ron Wyden (OR), Sherrod Brown (OH) and Edward Markey (MA), and Reps. Ted Lieu (CA), Anna Eshoo (CA) and Yvette Clarke (NY).

SIM swapping is an insidious form of mobile phone fraud that is often used to steal large amounts of cryptocurrencies and other items of value from victims. All too frequently, the scam involves bribing or tricking employees at mobile phone stores into seizing control of the target’s phone number and diverting all texts and phone calls to the attacker’s mobile device.

Once in control of the stolen phone number, the attacker can then reset the password for any online account that allows password resets and/or two-factor verification requests via text messages or automated phone calls (i.e. most online services, including many of the mobile carrier Web sites).

From there, the scammers can pivot in a variety of directions, including: Plundering the victim’s financial accounts; hacking their identities on social media platforms;  viewing the victim’s email and call history; and abusing that access to harass and scam their friends and family.

The lawmakers asked the FCC to divulge whether it tracks consumer complaints about fraudulent SIM swapping and number “port-outs,” which involve moving the victim’s phone number to another carrier. The legislators demanded to know whether the commission offers any guidance for consumers or carriers on this important issue, and if the FCC has initiated any investigations or taken enforcement actions against carriers that failed to secure customer accounts.

The letter also requires the FCC to respond as to whether there is anything in federal regulations that prevents mobile carriers from sharing with banks information about the most recent SIM swap date of a customer as a way to flag potentially suspicious login attempts — a method already used by financial institutions in other countries, including Australia, the United Kingdom and several nations in Africa.

“Some carriers, both in the U.S. and abroad, have adopted policies that better protect consumers from SIM swaps, such as allowing customers to add optional security protections to their account that prevent SIM swaps unless the customer visits a store and shows ID,” the letter continues. “Unfortunately, implementation of these additional security measures by wireless carriers in the U.S. is still spotty and consumers are not likely to find out about the availability of these obscure, optional security features until it is too late.”

The FCC did not immediately respond to requests for comment.

SIM SWAP (CRIM)INNOVATIONS

Legitimate SIM swaps are a common request for all carriers, and they usually happen when a customer has lost their mobile phone or when they need to upgrade to a newer model that requires a different-sized SIM card (the small, removable smart chip that ties the customer’s device to their phone number).

But unauthorized SIM swaps enable even low-skilled thieves to quickly turn a victim’s life upside down and wrest control over a great deal of their online identities and finances. What’s more, the security options available to wireless customers concerned about SIM swapping — such as personal identification number (PIN) codes — are largely ineffective against crooked or clueless mobile phone store employees.

A successful SIM swap may allow tormentors to access a victim’s email inbox even after the target has changed his or her password. For example, some email services allow customers to reset their passwords just by providing a piece of information that would likely only be known to the legitimate account holder, such as the month and year the account was created, or the name of a custom folder or label in the account previously created by the user.

One technique used by SIM swappers to regain access to hacked inboxes is to jot down this information once a SIM swap affords them the ability to reset the account’s password. Alternatively, SIM swappers have been known to create their own folders or labels in the hacked account to facilitate backdoor access later on.

A number of young men have recently been criminally charged with using SIM swapping to steal accounts and cryptocurrencies like Bitcoin from victims. This week, a court in New York unsealed a grand jury indictment against 22-year-old alleged serial SIM swapper Nicholas Truglia, who stands accused of using the technique to siphon $24 million worth of cryptocurrencies from blockchain investor Michael Terpin.

But experts say the few arrests that have been made in conjunction with SIM swapping attacks have pushed many involved in this crime to enlist help from co-conspirators who are minors and thus largely outside the reach of federal prosecutors.

For his part, Terpin sent an open letter to FCC commissioners in October 2019, urging them to mandate that wireless carriers provide a way for customers to truly lock down their accounts against SIM swapping, even if that means requiring an in-person visit to a store or conversation with the carrier’s fraud department.

In an interview with KrebsOnSecurity, Terpin said the FCC has so far abdicated its responsibility over the carriers on this matter.

“It took them a long time to get around to taking robocalls seriously, but those scams rarely cost people millions of dollars,” Terpin said. “Imagine going into a bank and you don’t remember your PIN and the teller says, ‘Oh, that’s okay I can look it up for you.’ The fact that a $9-an-hour mobile store employee can see your high security password or PIN is shocking.”

“The carriers should also have to inform every single current and future customer that there is this high security option available,” Terpin continued. “That would stop a lot of this fraud and would take away the ability of these ne’er-do-well 19-year-old store employees who get bribed into helping out with the scam.”

Want to read more about SIM swapping? Check out Busting SIM Swappers and SIM Swap Myths, or view the entire catalog of stories on the topic here.

No-fiber zone: FCC funds 25Mbps, data-capped satellite in rural areas

Illustration of a broadband satellite in space.

Enlarge / Viasat-2, a satellite launched by Viasat in 2017.

The Federal Communications Commission is giving $87.1 million in rural-broadband funding to satellite operator Viasat to help the company lower prices and raise data caps.

The FCC’s Connect America Fund generally pays ISPs to expand their networks into rural areas that lack decent home Internet access. Viasat’s satellite service already provides coverage of 98 percent of the US population in 50 states, so it doesn’t need government funding to expand its network the same way that wireline operators do. But Viasat will use the money to offer Internet service “at lower cost to consumers, while also permitting higher usage allowances, than it typically provides in areas where it is not receiving Connect America Fund support,” the FCC said in its announcement yesterday.

Viasat’s $87.1 million is to be used over the next 10 years “to offer service to more than 121,700 remote and rural homes and businesses in 17 states.” Viasat must provide speeds of at least 25Mbps for downloads and 3Mbps for uploads.

While the funding for Viasat could certainly improve access for some people, the project helps illustrate how dire the broadband shortage is in rural parts of many states. Viasat’s service is generally a last-ditch option for people in areas where there’s no fiber or cable and where DSL isn’t good enough to provide a reasonably fast and stable connection. Viasat customers have to pay high prices for slow speeds and onerous data limits.

Future services relying on low-Earth-orbit satellites from companies such as SpaceX and OneWeb could dramatically boost speeds and data caps while lowering latency. But Viasat’s service still relies on satellites in geostationary orbits about 22,000 miles above the planet and suffer from latency of nearly 600ms, much worse than the 10ms to 20ms from fiber services (as measured in customer homes by the FCC in September 2017). Viasat’s service is classified by the FCC’s Connect America Fund as “high latency,” which is less than or equal to 750ms.

The Connect America Fund is paid for by Americans through fees on their phone bills.

Prices and data caps not revealed

A Viasat spokesperson would not tell us what prices and data caps will be applied to the company’s FCC-subsidized plans. Viasat said it will provide the required 25Mbps service “along with an evolving usage allowance, and at FCC-defined prices, to certain areas, where we will be subject to a new range of federal and state regulations.”

The materials released by the FCC yesterday don’t provide price and data-cap information, either. We contacted the FCC and will update this article if we get any answers.

Viasat’s current prices and data allotments are pretty bad, so hopefully there will be a significant improvement. Plans and pricing vary by ZIP code; offers listed on BroadbandNow include $50 a month for download speeds of up to 12Mbps and only 12GB of “priority data” each month. The price rises after a two-year contract expires.

“Once priority data is used up, speeds will be reduced to up to 1 to 5Mbps during the day and possibly below 1Mbps after 5pm,” BroadbandNow’s summary says. Customers can use data without affecting the limit between 3am and 6am.

Other plans include $75 a month for speeds of 12Mbps and 25GB of priority data; $100 a month for 12Mbps and 50GB; and $150 a month for 25Mbps and “unlimited” data. Even on the so-called unlimited plan, speeds “may be prioritized behind other customers during network congestion” after you use 100GB in a month. Because of these onerous limits, Viasat lowers streaming video quality to reduce data usage. Viasat says it provides speeds of up to 100Mbps but only “in select areas.”

Viasat also charges installation fees, a $10-per-month equipment lease fee, and taxes and surcharges. Viasat offers a two-year price lock, but this does not apply to the taxes and surcharges. In order to avoid signing a two-year contract, you have to pay a $300 “No Long-Term Contract” fee.

FCC’s “illogical” claim that broadband isn’t telecommunications faces appeal

  • There are many statutory, regulatory and elective compliance standards. ITSecurity.Org have worked with all of the security related standards and can deliver cost-effectively, flexibly according to business requirements. Choose the specific compliance requirement below for more information on how we can deliver for you.
Compliance Badge ISO27001

ISO27001

The Information Security Management Systems Standards (ISMS) ISO27001

ISO27002

The more detailed Information Security Management Systems Standards (ISMS) ISO27002

Compliance Badge 22301

ISO22301

The standard for Business Continuity Business Continuity

Data Protection Act 1998/2018

The UK statutory requirements for Data Protection Data Protection

Compliance Badge GDPR

General Data Protection Regulation (GDPR)

The EU requirements for privacy and data protection GDPR

Payment Card Industry Data Security Standard (PCI DSS)

Standard for merchants taking electronic payments PCI-DSS

Compliance Graphic

Delivery throughout the compliance lifecycle

Modular and flexible

Benefits

Proven track record of successful delivery

Compliance Graphi2

Features

Modular and flexible

Our approach

We are flexible and modular. This means that we can flex and size according to your business requirements.

connect_final

Connect

We understand your business objectives and engage with the stakeholders and customers that have a vested interest in compliance and can help with successful delivery.

prepare

Prepare

Having understood your business objectives we are in a position to present what success looks like. We take on-board comments and modify as a result. The outcome is a strategy and plan for successful delivery.

visualise

Implement

We then can present the working methodologies, tools, processes, documents and training to implement your compliance requirements.

implement

Auditing and Monitor

We can now support you in the final audit being available to present the audit on your behalf or to lend assistance.

As a result of the audit, any further improvements can be quickly and easily implemented.

Why clients choose us to help with their Compliance Services

Flexible, responsive, modular and proven track record of successful delivery across industries.

Track record of successful delivery

We have worked in many different organisations and understand the trials and tribulations of many challenging environments. If you have a difficult situation please contact us. We can help.

Highly Skilled Experts

Our consultants have worked in all industries. We can select a consultant that is right for you whatever the area and level of seniority.

Timely Delivery

Delivery is everything. We always achieve our objectives no matter how difficult.

A deep understanding of IT Security

Our consultants have worked and delivered across the breadth and depth of IT Security, Information Security Governance, Compliance and Risk Management.

advice you can trust

Our consultancy and advice has withstood the test of time. Our way of working and methodologies integrate with existing business culture, maturity and internal processes.

In depth training & support

We ensure skills transfer. We do not keep skills and information to ourselves bu share easily to ensure effective and transparent handover at all times.

Compliance Training

Other services
Contact us

AT&T doesn’t want you to see its slow Internet speed-test results

A computer showing a slow-moving loading bar.

Getty Images | Steven Puetzer

AT&T doesn’t want its home Internet speeds to be measured by the Federal Communications Commission anymore, and it already convinced the FCC to exclude its worst speed-test results from an annual government report.

“AT&T this year told the commission it will no longer cooperate with the FCC’s SamKnows speed test,” The Wall Street Journal wrote in an investigative report titled “Your Internet provider likely juiced its official speed scores.”

AT&T already convinced the FCC to exclude certain DSL test results from last year’s Measuring Broadband America report. The reports are based on the SamKnows testing equipment installed in thousands of homes across the US.

“AT&T was dismayed at its report card from a government test measuring Internet speeds” and thus “pushed the Federal Communications Commission to omit unflattering data on its DSL Internet service from the report,” the Journal wrote.

“In the end, the DSL data was left out of the report released late last year, to the chagrin of some agency officials,” the Journal wrote. “AT&T’s remaining speed tiers notched high marks.”

Pai’s FCC gives less attention to speed tests

The Obama-era FCC began the Measuring Broadband America program in 2011 to compare the actual speeds customers receive to the advertised speeds customers are promised. The FCC released reports annually through 2016, but the testing program has gotten less attention since Ajit Pai became chairman in January 2017.

As we wrote in November 2018, the FCC hadn’t yet released any new Measuring Broadband America reports since Pai became chair. Pai’s FCC in December 2018 finally released both the 2017 and 2018 reports, tucking them into the final appendices of a larger “Communications Marketplace Report.” You can see all the Measuring Broadband America results from over the years at this page.

The 2017 report includes two categories for AT&T, one for its oldest DSL technology and another for its DSL-based IP broadband with speeds of up to 45Mbps. While AT&T’s oldest DSL service only provided 82 percent of advertised download speeds, AT&T IP broadband was over 100 percent. The 2018 report only includes AT&T’s IP broadband category, leaving out the company’s worst results.

Satellite Internet provider ViaSat also “left the FCC’s program” last year, the Journal wrote. ViaSat results were included in the 2018 report, which covers tests from September 2017.

We asked the FCC yesterday if it will include any AT&T and ViaSat test results in future reports, since SamKnows testing equipment could still be in AT&T and ViaSat customer homes, and we asked when the next Measuring Broadband America report will come out. We’ll update this article if we get any answers.

AT&T says its own speed test is better

AT&T defended its decision to drop out of FCC testing when contacted by Ars. “AT&T developed a best-in-class tool to measure its consumer broadband services,” the company said in a statement provided to Ars. “This tool measures performance on all AT&T IP broadband technologies and is more accurate, versatile, and transparent. For these and other reasons, our tool provides better and more useful information to our customers.”

But consumers have less reason to trust a speed-test tool created by AT&T than one created by the FCC. Even with the FCC’s speed tests, AT&T was able to exclude unflattering results. It would be even easier to dump slow speed-test results when AT&T is the one determining which numbers to show the public.

AT&T and the mobile industry’s top lobby group have also argued that carriers shouldn’t have to submit detailed 5G maps to the FCC. Separately, the FCC said this month that Verizon, T-Mobile, and US Cellular exaggerated their 4G coverage in official government filings.

Back in 2011, AT&T touted the FCC’s in-home speed tests as being far more accurate than previous testing methodologies. But the company’s opinion then seems to have been influenced by early test results that AT&T said showed “consumers are getting high-quality broadband services from their ISPs.”

988 will be the new 911 for suicide prevention—by sometime in 2021

A lonely person sitting on a bench at night.

The Federal Communications Commission plans to designate 988 as the short dialing code for the United States’ suicide-prevention hotline. Much like 911 for general emergencies, 988 could be dialed by anyone undergoing a mental health crisis and/or considering suicide.

The National Suicide Prevention Lifeline can already be reached at 1-800-273-8255 (or 1-800-273-TALK), but the FCC today gave preliminary approval to a plan that would make 988 redirect to that hotline. The commission’s unanimous vote approved a Notice of Proposed Rulemaking (NPRM) that seeks public comment on the plan.

Once the NPRM is published in the Federal Register, there will be a 60-day period for taking public comments, and the FCC would finalize the plan after considering the public input. It could take another 18 months after that to implement 988 nationwide, depending on what requirements the FCC imposes on phone providers.

The 1-800-273-8255 hotline “provides free and confidential emotional support to people in suicidal crisis or emotional distress 24 hours a day, 7 days a week,” its website says. Callers are connected to one of “163 crisis centers funded by the Department of Health and Human Services’ Substance Abuse and Mental Health Services Administration,” the FCC said. “In 2018, trained Lifeline counselors answered over 2.2 million calls and over 100,000 online chats.”

The 988 proposal was spurred by Congress, which last year passed a law directing the FCC to examine the technical feasibility of designating “a simple, easy-to-remember, 3-digit dialing code” for the hotline.

Before today’s vote, FCC Chairman Ajit Pai said that “988 has an echo of the 911 number we all know as an emergency number, and we believe that this 3-digit number, dedicated for this purpose, will help ease access to crisis services. It’ll reduce the stigma surrounding suicide and mental health conditions. And it’ll ultimately save lives.”

18-month deadline up for debate

The proposal would require all telecommunications carriers and interconnected VoIP providers to support 988 on their networks within 18 months, the FCC said. But the FCC noted that it is “seek[ing] comment on all aspects of implementation, including whether a longer or shorter timeframe would be needed to make 988 a reality.” Based on the comment-period length and proposed implementation time frame, 988 would be implemented nationwide sometime in late 2021.

The FCC’s NPRM explained:

We believe this time frame would provide sufficient time for providers to make any necessary changes to equipment and software and to institute new dialing requirements, if necessary. To begin with, we understand that modern IP switches can already accommodate 988 today or do so with minor software updates. In this regard, we observe that most providers are already actively upgrading their equipment to IP technology given the technological advances in the marketplace and the advanced services that consumers are demanding. Moreover, we believe that 18 months is sufficient time to upgrade the approximately 12 percent of legacy switches that will need such upgrades and we anticipate that the majority of technical upgrades necessary to switches and systems can be done in parallel with other work to implement 988.

FCC Commissioner Jessica Rosenworcel said the public comment period will help the FCC fine-tune details of the plan. “How we implement this matters. So we ask for input on the details to get this done, including just how calls will be routed and how to implement the three-digit code in areas where it is already used at the start of a seven-digit telephone number,” she said.

Huawei sues FCC to stop ban on Huawei gear in US-funded networks

Huawei's logo seen at a technology conference.

Enlarge / Huawei’s logo at the Smart City Expo World Congress in Barcelona in November 2019.
Getty Images | SOPA Images

Huawei has sued the Federal Communications Commission over the agency’s order that bans Huawei equipment in certain government-funded telecom projects.

“Huawei asks the court to hold the FCC’s order unlawful on the grounds that it fails to offer Huawei required due process protections in labelling Huawei as a national security threat,” the Chinese company said in a press release announcing the lawsuit. “Huawei believes that the FCC also fails to substantiate its arbitrary findings with evidence or sound reasoning or analysis, in violation of the US Constitution, the Administrative Procedure Act, and other laws.”

Huawei said it filed the complaint in the US Court of Appeals for the Fifth Circuit. We haven’t been able to get a copy of the lawsuit yet.

The FCC voted unanimously on November 22 to ban Huawei and ZTE equipment in projects paid for by the commission’s Universal Service Fund (USF). The order will affect many small telecom providers that rely on the companies’ network gear.

FCC Chairman Ajit Pai said at the time that Huawei and ZTE were chosen as ban targets because they “have close ties to China’s Communist government and military apparatus. Both companies are subject to Chinese laws broadly obligating them to cooperate with any request from the country’s intelligence services and to keep those requests secret. Both companies have engaged in conduct like intellectual property theft, bribery, and corruption.”

Huawei contended that “Pai and other FCC commissioners failed to present any evidence to prove their claim that Huawei constitutes a security threat and ignored the facts and objections raised by Huawei and rural carriers after the FCC first made the proposal in March 2018.”

Huawei accuses FCC of spreading fear

“These politicians ignore an important fact: Huawei has been working with rural US carriers for many years, and our customers trust our equipment,” Huawei Chief Legal Officer Song Liuping said, according to a transcript posted by Huawei. “They are experts in the security of their own networks, and they like working with us.”

Pai has “tried to spread fear about Huawei” by “us[ing] words like ‘backdoors’ to scare people. But they offer no proof,” Song said.

Song argued that carriers affected by the ban will end up using equipment from Nokia and Ericcson, which aren’t Chinese companies but do “manufacture in China.”

“The US government has never presented real evidence to show that Huawei is a national security threat,” Song said. “That’s because this evidence does not exist. When pushed for facts, they respond that ‘disclosing evidence might also undermine US national security.’ This is complete nonsense.”

Glen Nager, Huawei’s outside counsel, argued that the Huawei/ZTE ban “exceeds the FCC’s statutory authority” because “nothing in the Universal Service provisions of the Communications Act authorizes the Commission to make national security judgments or to restrict use of USF funds based on such judgments.”

The FCC ban will take effect upon being published in the Federal Register and will initially affect future projects paid for by the USF and the use of federal funding to maintain existing equipment. The FCC is also taking public comment on another plan to require removal of Huawei and ZTE equipment from networks that have already been built, and the commission is “seek[ing] comment on how to pay for such removal and replacement.”

Ban will cost small ISPs, Huawei says

Huawei spokesperson Karl Song said that requiring the removal of equipment “would cost hundreds of millions of dollars” for small providers.

“We’ve built networks in places where other vendors would not go. They were too remote, or the terrain was difficult, or there just wasn’t a big enough population,” he said. “In the US, we sell equipment to 40 small wireless and wireline operators. They connect schools, hospitals, farms, homes, community colleges, and emergency services.”

Hoftstra University law professor Julian Ku said that “even a small [Huawei] victory in the case, one that makes the FCC go and start the process over again, would be a huge victory for them,” according to The New York Times. But it may be a difficult case for Huawei to win because US courts usually give federal agencies “a tremendous amount of deference,” Ku said.