|A U.S. government agency publicizes a plan light on specifics but heavy on rhetoric to eliminate PRC equipment, services, and apps from U.S. systems.|
The United States (U.S.) Department of State unveiled “[t]he Clean Network program…the Trump Administration’s comprehensive approach to safeguarding the nation’s assets including citizens’ privacy and companies’ most sensitive information from aggressive intrusions by malign actors, such as the Chinese Communist Party.” This new program is an expansion or even a repurposing of a Congressional mandate to remove suspect and unsafe equipment and systems from federal agency networks. Nonetheless, there was scant detail provided on how the Department of State will accomplish its goals to remove technology from the People’s Republic of China (PRC) from U.S. networks and systems. The Department of State’s announcement comes at about the same time the Trump Administration announced executive orders designed to ban TikTok and WeChat, two PRC apps, suggesting the announcement was timed to coincide with the White House’s news.
Clean Networks is an expansion of the Clean Path , a program to address the risks created by having PRC 5G equipment and services on the agency’s networks. In April 2020, Secretary of State Mike Pompeo “announced that the U.S. Department of State will begin requiring a Clean Path for all 5G network traffic entering and exiting U.S. diplomatic facilities.” The Department of State noted:
- The 5G Clean Path is an end-to-end communication path that does not use any transmission, control, computing, or storage equipment from untrusted IT vendors, such as Huawei and ZTE, which are required to comply with directives of the Chinese Communist Party.
- The 5G Clean Path embodies the highest standards of security against untrusted, high-risk vendors’ ability to disrupt, manipulate or deny services to private citizens, financial institutions, or critical infrastructure.
In launching the Clean Path for 5G, the Department of State was responding to language in a recent National Defense Authorization Act aimed at removing equipment and systems from the PRC and other nations of concern. However, this language did not require the agency to take these additional steps and is likely acting under a more general grant of authority from Congress to regulate its acquisition and use of technology. However, this program sweeps wider than the Department of State and would normally be coordinated in the White House by an entity like the Office of Management and Budget (OMB). In fact, the Department of State is claiming to be spearheading this effort for the Trump Administration. The Department of State asserted
The Clean Network program is the Trump Administration’s comprehensive approach to safeguarding the nation’s assets including citizens’ privacy and companies’ most sensitive information from aggressive intrusions by malign actors, such as the Chinese Communist Party (CCP).
In a fact sheet, the Department of State explained the “Clean Network Lines of Effort:”
The Clean Network initiative is a comprehensive effort to address the long-term threat to data privacy, security, and human rights posed to the free world from authoritarian malign actors, such as the CCP. The Clean Network is rooted in internationally accepted digital trust standards and is a reflection of our commitment to an open, interoperable, and secure global internet based on shared democratic values and respect for human rights. This effort represents the execution of a multi-year, all-of-government enduring strategy, built on a coalition of trusted partners.
- 5G Clean Path: To protect the voice and data traversing 5G standalone networks entering and exiting U.S. diplomatic facilities at home and abroad. Announced by Secretary Pompeo on April 29, 2020, the 5G Clean Path is an end-to-end communication path that does not use any transmission, control, computing, or storage equipment from untrusted IT vendors, such as Huawei and ZTE, which are required by Chinese law to comply with directives of the CCP. The 5G Clean Path embodies the highest standards of security against untrusted, high-risk vendors’ ability to disrupt, manipulate or deny services to private citizens, financial institutions, or critical infrastructure. All mobile data traffic entering American diplomatic systems will be subject to new, stringent requirements.
- Clean Carrier: To ensure untrusted People’s Republic of China (PRC) carriers are not connected with U.S. telecommunications networks. Such companies pose a danger to U.S. national security and should not provide international telecommunications services to and from the United States.
- Clean Store: To remove untrusted applications from U.S. mobile app stores. PRC apps threaten our privacy, proliferate viruses, censor content, and spread propaganda and disinformation. On August 6, 2020, President Trump signed two Executive Orders to address the threats posed by TikTok and WeChat. TikTok and WeChat capture vast swathes of data from their unsuspecting users and are compelled by Chinese law to turn over this private information to the CCP upon request. The American people’s most sensitive personal and business information must be protected on their mobile phones from exploitation and theft for the CCP’s benefit.
- Clean Apps: To prevent untrusted PRC smartphone manufacturers from pre-installing—or otherwise making available for download—trusted apps on their apps store. Huawei, an arm of the PRC surveillance state is trading on the innovations and reputations of leading U.S. and foreign companies. These companies should remove their apps from Huawei’s app store to ensure they are not partnering with a human rights abuser.
- Clean Cloud: To prevent U.S. citizens’ most sensitive personal information and our businesses’ most valuable intellectual property, including COVID-19 vaccine research, from being stored and processed on cloud-based systems built or operated by untrusted vendors, such as Alibaba, Baidu, China Mobile, China Telecom, and Tencent.
- Clean Cable: To ensure the undersea cables connecting our country to the global internet are not subverted for intelligence gathering by the PRC at hyper scale. We will also work with foreign partners to ensure that undersea cables around the world aren’t built or operated by untrusted vendors.
As noted, the Clean Path program had its genesis in a provision in a recently enacted bill. Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) was drafted to address the threats posed by the presence of Huawei and ZTE equipment and services throughout the systems and supply chains of the federal government and its contractors. The ultimate goal is the complete phaseout, if possible, of these and any other suspect systems that could possibly be compromised or exploited in the future. Consequently, Russian equipment and systems are also targeted. All federal agencies must inventory and then work to remove this equipment and products within the next few years.
As a result, a rulemaking changed the Federal Acquisition Regulations (FAR) to put into effect the Section 889 required ban on Huawei and ZTE products. Specifically the August 2019 interim rule bars federal agencies from buying Huawei, ZTE, and related Chinese “equipment, system[s], or service[s] that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system” unless an exception allows the agency to disregard this general ban. This rule has already taken effect, and it is likely the DOD and other agencies will issue a final rule, which may change the interim rule on the margins but will likely maintain the substance of the prohibition. It bears note that this interim rule is applicable to all contracts going forward and some solicitations offered and contracts signed before August 13, 2019.
In July 2020, federal agencies released an interim rule to implement the second half of the Section 889 government-wide ban on buying or using Huawei, ZTE, and other equipment and systems considered risky or suspect by the U.S. government. This part of the ban extends the prohibition to entities that would contract with US agencies. Therefore, as a general matter, such contractors would need to certify their services, systems, and equipment are free and clear of “covered telecommunication equipment,” which is largely technology developed and manufactured in the People’s Republic of China (PRC) or the Russian Federation. This rule will take effect on 13 August but may possibly affect contracts entered into before that date. And yet, comments are being accepted on this rule until 14 September, which will likely affect the rule on the margins when a final version is issued but not its substance.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.