Innovator’s Insight

Huawei 2.0

Cellular IoT module manufacturers Quectel and Fibocom could be the next Huawei-like target in the US-China technology war.

Expect legal and regulatory complexity to cascade through telecommunications, government contracting, IoT, and telematics.

Background

When the FCC placed Huawei on the Covered List, legal complexity followed. Established by the Secure and Trusted Communications Networks Act of 2019, the Covered List prohibits the use of federal funds to obtain equipment or services from a company deemed to pose an unacceptable risk to US national security. Because the listing was deployed as part of a broader US demonstration of bipartisan animus towards Huawei, its effects were broadly disruptive. Legal and compliance complexity increased across industries, particularly those in the telecommunications ecosystem.

Recently, the US House Select Committee on the Chinese Communist Party wrote a letter to Federal Communications Commission Chairwoman Jessica Rosenworcel, identifying security concerns over cellular IoT modules manufactured by Chinese companies Quectel and Fibocom. The letter urged the FCC to put the companies on the Covered List, a step that requires the specific direction of US national security authorities.

The House letter amplified cellular IoT module risks by describing how a Russian theft of agricultural equipment was thwarted when the manufacturer was able to employ a module to render the equipment unusable.

Recent events demonstrate the power of these small modules. Last year, Russia stole $5 million worth of farm equipment from a John Deere dealership in Ukraine and attempted to bring it back to Russia. Luckily, that equipment was embedded with Western-made connectivity modules. Because the modules can be controlled remotely and the vehicles require internet connectivity to operate, remotely shutting down the module allows the module provider to shut the vehicle down. When Russia moved the stolen John Deere vehicles across the border into Russia, the modules were disabled—shutting down the equipment and effectively turning the vehicles into bricks.

Cellular IoT modules combine a radio transceiver, antennae, satellite positioning, baseband, applications processor and power management unit (PMU), all integrated onto a printed circuit board.[1] They are prominent in US critical infrastructure.[2]

Chairwoman Rosenworcel responded that she had “sent letters to each of the authorities enumerated in the Secure and Trusted Communications Networks Act […] inquiring about the status of these companies.” She agreed with the Select Committee that the national security risks posed by the companies “merit continued attention.”

Who will be affected?

If the US national security community directs the FCC to place Quectel and Fibocom on the FCC Covered List, the resulting legal complexity will affect telecommunications, government contracting, IoT, and telematics sectors.

Early requirements will affect “advanced communications service providers” (high speed, switched, broadband communications that perform at speeds of at least 200 kbps) and their broader ecosystem.

Agency rulemaking will also affect government contractors, particularly those supplying or supporting sensitive US government systems. It’s likely that the Federal Acquisition Regulations (FAR) and the Defense Federal Acquisition Regulations (DFAR) will be amended to reflect enhanced requirements.

The impact on commercial markets will be more gradual, as public perception adapts to US claims of security vulnerabilities. Disruptions in commercial IoT and telematics markets, for example, may turn on whether restrictions are included within the FCC’s Cybersecurity Labeling Program for Smart Devices, which seems likely. Purchasing trends should also reflect US sensitivities. As Chairwoman Rosenworcel noted, “Our rules expressly prohibit the use of federal funds to purchase equipment on […] the Covered List. But the list does more than that—it provides all companies making purchasing decisions clear signals about the security of products in the marketplace.”

Action Items

Boards and key stakeholders, such as General Counsel, should collaborate to right-size the company’s response.

Canvass customers, partners, and vendors for supply chain sensitivity. These requirements will affect sensitive systems first. Review value and supply chains to identify dependencies relating to Chinese manufacturers Quectel and Fibocom.

Assess company processes relating to cybersecurity awareness, incident response strategies, and risk mitigation practices. If your present processes are found lacking, consider upgrading to a solution based on a model framework, such as NIST SP 800-161. Within the United States, most critical infrastructure sectors and many states use this model framework.

Review your Office of Foreign Assets Control (OFAC) Sanctions Control Program (SCP) and confirm that it comports with the Framework for OFAC Compliance Commitments. Consider revising your SCP to reflect the increased risk posed by emerging geopolitical complexities in technology.

Questions? Phalanx can help.

At Phalanx, we design and deploy critical business processes that reflect your culture and improve your team’s existing capabilities. We simplify compliance complexity so you can innovate and grow your global business.

[1] Charles Parton, Cellular IoT Modules—Supply Chain Security (undated) (available at http).

[2] See generally, Id.