More Unwritten Rules: Developments in U.S. National Security Regulation of Undersea Cable Systems. Kent Bressie





Overview

In the past year, the U.S. Government has:
- Begun imposing security agreements on all new international undersea cable systems landing in the United States, and adopted new infrastructure protection-related requirements for the standard security agreement
- Requested from existing systems information re equipment deployment and contracting for maintenance and security, noting that requests may evolve into ongoing reporting requirements
- Imposed on all systems new reporting requirements re operational status and restoration

Overview (2)

Yet the U.S. Government has not been transparent about most of these new requirements.
- Most requirements have not been promulgated in regulations or with public written guidance, or even reported by the media.
- In some cases, the requirements seem designed to avoid public or legal scrutiny.
- These requirements differ greatly from other U.S. Government national security programs (e.g., security clearances, export controls), all of which are governed by formal regulations and written guidance.
- These unwritten requirements complicate infrastructure planning, imposing costs on operators.

1. Security-Agreement Changes in 2008: More Agreements, More Requirements, More DHS

Team Telecom, now led by the Department of Homeland Security ("DHS") in undersea cable matters, requires agreements for more systems, and imposes new infrastructure-protection conditions in those agreements.

Security-Agreement Changes (2)

Brief Overview of Team Telecom
- Department of Justice ("DoJ"), Department of Defense ("DoD") and DHS (together, "Team Telecom") scrutinize national security and law enforcement aspects of applications for licenses and transaction consents filed with the Federal Communications Commission ("FCC").
- Team Telecom seeks to protect critical infrastructure, protect government communications, preserve government wiretapping and surveillance capabilities, prevent terrorist acts, and deter money laundering and drug trafficking.
- Team Telecom does not act pursuant to any particular law, has adopted no formal regulations, and retains substantial power and discretion.

Security-Agreement Changes (3)

Brief Recap of Security Agreements
- Team Telecom often negotiates a security agreement with an infrastructure owner or service provider holding an FCC license.
- A security agreement typically imposes restrictions re traffic routing, storage of data and records, foreign surveillance, while imposing other obligations re U.S. surveillance, security procedures, and auditing and reporting.
- Team Telecom petitions FCC to condition any license or transaction approval on compliance with a security agreement.
- Team Telecom retains right to ask FCC to revoke a license or transaction approval if the applicant fails to comply with a security agreement.

Security-Agreement Changes (4)

In 2008, DHS took the lead in Team Telecom reviews of undersea cable matters
- In some cases (e.g., PPC 1 and American Samoa-Hawaii Cable), DHS was the only agency negotiating and signing the security agreement.
- By contrast, DoJ is still heavily involved in Team Telecom reviews involving mobile carriers and satellite operators.
- As the most cautious of Team Telecom's agencies, DHS is now in a position to adopt new requirements that other agencies might have thought unnecessary.

Security-Agreement Changes (5)

Team Telecom now imposes security agreements on all international undersea cable systems landing in the United States
- Previously, Team Telecom required security agreements only for certain foreign-owned undersea cable systems.
- As of June 2008, however, Team Telecom began to require security agreements for all U.S.-owned systems, unless they connect only domestic points (e.g., within Hawaii, or Oregon-Alaska).
- American Samoa-Hawaii Cable was the first system subjected to this requirement, as it has a segment connecting American Samoa with the Independent State of Samoa.
- "United States" includes American Samoa, Guam, the Commonwealth of the Northern Mariana Islands, Puerto Rico, and the U.S. Virgin Islands.

Security-Agreement Changes (6)

Team Telecom has expanded scope of national security reviews to include infrastructure security
- Prior focus only on information security, e.g., integrity of surveillance conducted by U.S. law enforcement agencies, notice of foreign-government attempts to conduct surveillance, and security of cable system records
- As of June 2008, expanded focus on infrastructure security, seeking up-to-date information re:
  - Principal equipment to be installed, including manufacturer and model
  - Contractors for maintenance and security of the system

Security-Agreement Changes (7)

Standard security agreement now includes more intrusive conditions pertaining to infrastructure security
- Requires advance written notice to DHS prior to performing any maintenance, repair, or replacement that would result in any modification of the cable system's principal equipment
- Permits bona fide emergency maintenance, repair, or replacement without prior written notice, so long as activity is necessary to ensure continued operability of the cable system
- Requires advance written notice to DHS prior to making any modification to list of contracts for cable system maintenance and security.

Security-Agreement Changes (8)

Why has Team Telecom expanded its focus?
- DHS has expressed concern that "the industry supplying equipment for cable systems is evolving and globalizing", a veiled reference to Chinese equipment manufacturers and service suppliers
- All agencies are concerned about terrorist attacks on, and unauthorized access to, installed infrastructure

Security-Agreement Changes (9)

In spite of new requirements and DHS's lead role, it's difficult to say whether national security review process takes more or less time to complete

Factors contributing to longer reviews:
- Lack of applicant preparedness
- More complex ownership and landing arrangements for cable systems
- Team Telecom's expansion of scope to include infrastructure security
- DHS leadership of process, as DHS is the most cautious agency and most likely to seek additional or more stringent conditions in a security agreement

Security-Agreement Changes (10)

Factors contributing to shorter reviews:
- Applicant preparedness
- Fewer agencies signing any particular agreement, meaning that DHS need not take additional time to negotiate compromises with other agencies
- Increased DHS responsiveness, as DHS is increasingly sensitive to suggestion that it is responsible for licensing delays
- Pressure from other agencies, particularly FCC

Security-Agreement Changes (11)

Table 1: FCC Cable Landing License Processing Times for Recent Pacific-Ocean Systems

| System | Date FCC Application Filed | Date Security Agreement Signed | Date FCC License Granted | Total Licensing Time |
|---|---|---|---|---|
| Honotua | Sept. 26, 2008 | none | none | ongoing |
| American Samoa-Hawaii | Aug. 13, 2008 | Jan. 9, 2009 | Jan. 15, 2009 | 155 days |
| Unity | May 16, 2008 | none | none | ongoing |
| PPC 1 | Feb. 11, 2008 | Sept. 4, 2008 | Sept. 10, 2008 | 212 days |
| AAG | Aug. 23, 2007 | June 10, 2008 | July 2, 2008 | 304 days |
| Telstra Sydney-Hawaii | June 19, 2007 | Apr. 16, 2008 | May 6, 2008 | 322 days |
| FLAG NGN | Mar. 27, 2007 | none | none | ongoing |
| TPE | Feb. 22, 2007 | Dec. 20, 2007 | Jan. 10, 2008 | 322 days |
| GCI SEAFAST | Oct. 23, 2007 | not applicable | Dec. 6, 2008 | 44 days |
| ACS AKORN | Oct. 23, 2007 | not applicable | Dec. 4, 2008 | 42 days |

Security-Agreement Changes (12)

Comments on Table 1
- Caveat: Confidential nature of Team Telecom process makes it difficult to characterize trends in licensing and negotiation time.
- Generally, FCC has not been a significant source of delay, though Team Telecom reviews now take long enough in most cases to permit the FCC to work through its issues without extending the processing time for a license application.
- Operators of domestic, U.S.-owned undersea cable systems (e.g., SEAFAST, AKORN) have obtained their cable landing licenses in much less time, as their systems were not subject to Team Telecom review during initial licensing.

Security-Agreement Changes (13)

What can an applicant do to shorten Team Telecom's national security review?
- Expect Team Telecom to impose a security agreement if the system connects the United States with a point outside the United States
- Familiarize itself with the standard Team Telecom questionnaires, and even draft answers in parallel with drafting of FCC application
- Engage Team Telecom for initial project briefing at or before time of filing FCC application
- For consortia in particular, establish clear responsibilities for gathering information, reviewing filings, and providing signature pages
- As a last resort, ask FCC to use its persuasive powers and urge Team Telecom to act

2. DHS Collection of Information from Existing Undersea Cable Systems

- DHS has requested from existing systems information re equipment deployment and contracting for maintenance and security
- Requests could turn into ongoing reporting requirements, or portend security agreements for all systems (including domestic ones).

DHS Information Collection (2)

In August 2008, DHS requested extensive operational information for existing undersea cable systems
- Requests covered much of the information currently sought for new cables during Team Telecom national security reviews
- Requests made of all systems
  - Regardless of whether they are subject to security agreements
  - Including international and domestic systems
- DHS claimed that compliance with the requests was voluntary but suggested that it could ask the FCC to amend cable landing licenses to require compliance

DHS Information Collection (3)

DHS requested detailed information about:
- Security procedures and protocols
- Technical abilities of network operations center ("NOC")
- Foreign persons with knowledge of NOC configuration
- Deployment of equipment manufactured outside the United States in the network management system
- Arrangements for employee access to cable system
- Principal equipment deployed, including manufacturer name and model
- Companies contracted for system maintenance and security
- Methods for installing firmware, software, and patches
- Foreign companies receiving restoration messages and system-status reports
- Cable governance

DHS Information Collection (4)

What prompted DHS information collection?
- Same concerns prompting new security-agreement provisions:
  - Concern that "the industry supplying equipment for cable systems is evolving and globalizing"
  - Threat of terrorist attacks on, and unauthorized access to, installed infrastructure
- Realization that by relying on security agreements, DHS lacked key information for the majority of undersea cables landing in the United States

DHS Information Collection (5)

Concerns with DHS Information Collection
- Possible precursor to security agreements for all undersea cable systems, regardless of ownership or landing points
- Possible precursor to DHS lists of approved and prohibited suppliers and contractors
- Failure to obtain prior approval of White House Office of Management and Budget under Paperwork Reduction Act, a process that:
  - Guards against burdensome and duplicative regulation
  - Ensures similarly-situated companies are treated fairly and equally
- Duplication of FCC-OSTP and National Security Telecommunications Advisory Committee ("NSTAC") reporting and monitoring efforts
- Uncertain safeguards to preserve confidentiality of information submitted
- Lack of clarity regarding ongoing reporting obligations

3. New FCC-OSTP Reporting Requirements for All Undersea Cable Systems

FCC and White House Office of Science and Technology Policy ("OSTP") adopted new reporting requirements regarding operational status and restoration arrangements for all undersea cables landing in the United States, raising concerns about compliance costs and disclosure of commercially-sensitive information.

FCC-OSTP Reporting (2)

In April 2008, OSTP asked FCC to request that all undersea cable operators voluntarily comply with new reporting requirements
- Agencies made requests of all systems landing in the United States.
- FCC and OSTP claimed that compliance with the requests was voluntary for existing systems, even though it expected 100-percent compliance.
- FCC stated that compliance was mandatory for new systems.
- FCC and OSTP presumed operators already possessed requested information.

FCC-OSTP Reporting (3)

FCC and OSTP require contemporaneous reporting about:
- Indications of potential problems
- Potential traffic-impacting hazardous conditions or impairments
- Affected facilities and outage times
- Restoration activity
- Repair activity
- Periods of test activity

FCC-OSTP Reporting (4)

FCC and OSTP also require submission of updated information about:
- As-laid terrestrial route paths between beach manholes and cable stations
- Route position lists
- Restoration capabilities

FCC-OSTP Reporting (5)

What prompted FCC-OSTP reporting requirements?
- OSTP believed that reported information would increase U.S. Government's situational awareness of cable facilities, thereby permitting better protection of U.S. interests
- OSTP worried about then-recent cable cuts occurring:
  - In January-February 2008 near Egypt, in the Persian Gulf, and near Malaysia
  - In December 2006 following Hengchun earthquake off Taiwan's south coast
- OSTP wanted direct access to information; possible tension with DHS/NSTAC

FCC-OSTP Reporting (6)

Concerns with FCC-OSTP reporting requirements
- Ill-defined requirements; unclear reporting thresholds
- Flawed assumptions about system similarities
- Danger that FCC and OSTP will receive too much irrelevant information and information that cannot be compared across systems
- Costs of (1) implementing or modifying existing monitoring systems and (2) ongoing reporting
- Tension between FCC and OSTP
- Circumvention of FCC rulemaking process, which would have ensured public scrutiny and fairness
- Duplication of DHS and NSTAC reporting and monitoring
- Possible misuse of reported information or disclosure to competitors

4. Possible Changes in U.S. National Security Regulation of Undersea Cables in 2009

- Security agreements for all undersea cables landing in the United States?
- Approved/prohibited vendor and contractor lists?
- FCC opposition to lengthy Team Telecom reviews?
- Regulations governing Team Telecom reviews and security agreements?
- Less powerful DHS?

Kent Bressie
HARRIS, WILTSHIRE & GRANNIS LLP
1200 18th Street, N.W., Suite 1200
Washington, D.C. 20036-2516 U.S.A.
+1 202 730 1337 office
+1 202 460 1337 mobile
+1 202 730 1301 fax
kbressie@harriswiltshire.com
www.harriswiltshire.com

© 2009 Kent Bressie