House Communications Members Ring Alarm on Rip-and-Replace Funding, Eye Trust Mark
House Communications Subcommittee members again raised concerns about the impact the FCC Secure and Trusted Communications Networks Reimbursement Program’s $3.08 billion funding shortfall is having on removing suspect gear from U.S. networks, as expected (see 2401100072). Their concerns came during a hearing Thursday. In addition, subpanel members offered generally positive reviews of the FCC's voluntary Cyber Trust Mark cybersecurity labeling program for smart devices (see 2308100032), but some GOP leaders were skeptical that it would remain voluntary as advertised.
“It is vital that Congress provides the $3 billion needed to fully fund this effort and I'll continue to work with my colleagues to find a path forward,” said House Commerce Committee Chair Cathy McMorris Rodgers, R-Wash. Added ranking member Frank Pallone, D-N.J., “We came together” to pass the Secure and Trusted Communications Networks Act that mandated the rip-and-replace program and need to do so again now “to fully rid our networks of Huawei and ZTE equipment.” The panel-approved Spectrum Auction Reauthorization Act (HR-3565) proposes lending additional rip-and-replace money to the FCC and using future spectrum auction revenue to pay it back. Lawmakers are also eyeing directly appropriating the funding amid stalled airwaves legislative talks (see 2311070050).
The legislators are “still working on ways to fully fund the rip-and-replace program and that needs to be done soon,” said House Communications Chairman Bob Latta, R-Ohio. He probed what “the continued presence” of suspect equipment would have on U.S. networks. The FCC told Congress last week only five program participants had filed a certification indicating they completed or were in the process of finishing rip-and-replace work, with many others citing funding issues as a reason for delays (see 2401080075). Non-completion of rip-and-replace work constitutes an “ever-present threat” to U.S. national security and economic security, said Clete Johnson, a Center for Strategic and International Studies senior fellow. “China could coerce the U.S. through the operation of its telecom networks,” which will remain a “very severe threat so long as that equipment is in our networks.”
House Communications ranking member Doris Matsui, D-Calif., considered how lawmakers can frame the rip-and-replace shortfall “in a way that would get people more engaged” and emphasize the importance of reaching a solution. Noted Johnson, the “challenge in cybersecurity … is that for a lot of constituents and consumers, it’s an abstraction.” He added, “They know there’s a danger, but they don’t know exactly what it is.” Lawmakers should mention what “autocratic regimes” like China are “doing in the real world” and highlight how “that is what they aim to do in cyberspace as well,” Johnson said: “Those autocratic regimes want to control the way their citizens and we operate in cyberspace.”
Rep. Diana Harshbarger, R-Tenn., later raised concerns that “we could find ourselves in a scenario where we need to rip and replace consumer devices to protect our informational security” given questions about the supply chain for components in IoT devices. “I think we need to make sure we don’t get to” that point, Johnson said. “It’s one thing to pull out Huawei gear from a handful of known operators throughout” the U.S. and “another thing to replace millions and millions of consumer devices,” which might not be feasible.
Latta and some Republicans noted misgivings about the FCC’s commitment to keep the Cyber Trust Mark program voluntary, given the 3-2 Democratic majority, which began in September. “While I have a few questions regarding the voluntary nature of this program, particularly in light of the FCC's recent net neutrality and digital discrimination orders, I am pleased that the commission is taking proactive steps to protect Americans from cyberattacks,” Latta said. He later asked whether it’s “more difficult to create a labeling program for IoT cybersecurity than for energy efficiency” given comparisons between the Cyber Trust Mark program and the joint Energy Department-Environmental Protection Agency Energy Star program.
Rep. Kat Cammack, R-Fla., closed out the hearing by noting “a concern among industry people that the program might not be voluntary” in the future, even if it is now. Connectivity Standards Alliance CEO Tobin Richardson said it’s more likely that companies will adopt the Cyber Trust Mark program if it remains voluntary. “In some areas, a government mandate might help,” but “there are other ways of ensuring accountability that are in some cases more powerful” and faster than that if a program remains voluntary, Johnson said. “When the first Cyber Trust Mark is earned,” it’s “going to revolutionize the market.”
Matsui praised the Cyber Trust Mark program and the FCC’s proposed schools and libraries cybersecurity E-rate pilot program (see 2312280050). “This new mark will serve as a signal to consumers that the devices they are buying are safe” and will raise the bar for IoT cybersecurity, she said. Meanwhile, the E-rate cybersecurity pilot is important because of “the rise in attacks targeting America's” schools, many of which “simply do not have the resources to adequately combat this sophisticated threat.”
Rep. Annie Kuster, D-N.H., called the Cyber Trust Mark “another important tool in the fight” against attacks and wondered how the FCC can “drive national adoption and ensure the program has flexibility to respond to evolving threats.” Johnson urged the FCC and other federal agencies to “push it and do a massive awareness campaign” for consumers and retailers highlighting its benefits, including that it “will create legal protections that won’t exist for those who don’t earn the mark.”