The Federal Communications Commission pressed pause on its usual partisanship to agree unanimously on one thing late last month: Huawei and ZTE’s network equipment is not worthy of America’s trust and tax dollars.
In a 5-0 vote, the commission voted to shut those two Chinese vendors out of the FCC’s Universal Service Fund. The report and order approved Friday bans using any of that $8.5 billion annual subsidy “to purchase or obtain any equipment or services produced or provided by a covered company posing a national security threat to the integrity of communications networks or the communications supply chain.”
Huawei and ZTE are the only companies named—Huawei in particular has drawn the most ire in this debate—but the FCC’s action also sets up a process to name other firms as security threats. And it opens up the potential to require USF recipients to rip out components from those two Chinese companies, at a cost estimated as high as $2 billion.
But while the FCC report and accompanying statements from FCC chairman Ajit Pai, his Republican colleagues Michael O’Rielly and Brendan Carr, and Democratic appointees Jessica Rosenworcel and Geoffrey Starks clearly outline the case against trusting telecom gear with questionable software update practices and sold by firms with close ties to China’s government and military, they don’t address what wireless customers might want to do next.
(The FCC’s action doesn’t affect Huawei or ZTE phones, though Chinese hardware faces challenges on this front as well.)
Though the FCC action is bad news for Huawei and ZTE, its impact on the U.S.’s networks and those of us who use them may be small. None of the four big nationwide carriers have Huawei or ZTE gear in their networks, leaving the action as a problem confined to smaller, rural carriers that often thought they did the government a favor by spending USF money efficiently.
“Choosing ZTE was basically a no-brainer,” said John Nettles, president of the rural Alabama carrier Pine Belt Communications, at a June workshop led by Starks. He added that ZTE’s gear cost 25% less than the next cheapest option.
At this point, the bans on Huawei are more of a theoretical concern.”
If you do stand a chance of using your devices on a network that uses Huawei or ZTE gear, should you be concerned about your own security? You should start by asking yourself a basic question: Who might be out to get you?
“At this point, the bans on Huawei are more of a theoretical concern,” says Ryan Singel, a media and strategy fellow at Stanford Law School’s Center for Internet and Society. “The fear is either NSA-level network spying or very targeted corporate espionage.”
For most people worried about online snooping, Singel cited such possibilities as “a victim of domestic violence worried about an abusive and snooping partner” or “a tech employee working on a unionization drive”—the risk doesn’t involve networking infrastructure that originated on the other side of the Pacific. “For many of these folks, the threat of Huawei working for the Chinese government isn’t a real worry,” says Singel.
Another thing to do is to understand that not all of the communications channels on your phone are equally secure. And that requires focusing on a word that goes unmentioned in the FCC’s report: encryption. The absence of that in garden-variety phone calls and text messages leaves them vulnerable to eavesdropping and makes them the least secure options, Singel says.
Apple’s iMessage encrypts texts end to end, keeping them scrambled to any hardware in the middle but remains off-limits to Android users. RCS, the messaging upgrade Google has been pushing, will encrypt messages in transit but still allow a carrier to peek at them—and carriers continue to sandbag the standard anyway,
Email is considerably more secure, thanks to adoption of an encryption-in-transit standard called TLS that’s shot past 90% since Google began warning Gmail users about recipients using mail services that didn’t support TLS.
But too many mail services continue to omit encryption—even those used by attendees at security conferences like Black Hat.
Your web history is probably safe for the same reason, thanks to the widespread adoption of site encryption. But any interloper can still see the domain name of each site you visit, which can itself reveal medical, financial, and other personal concerns.
The most secure communications options are those that deploy end-to-end encryption, which in practice limits you to iMessage and such messaging-and-calling apps as Signal and Facebook’s WhatsApp. Though Singel notes that “even then it may be possible for someone in the network to know that you sent a message to someone or called them.”
Overall, using secure communications services is a dramatic upgrade compared to carrier-grade calling and texting—and something you can control for yourself, unlike the wireless infrastructure you might happen to roam onto. Jim Lewis, director of the Technology Policy Program at the Center for Strategic & International Studies, a Washington think tank, made that point succinctly at Stark’s workshop: “You don’t have to trust the network.”