US FCC chair says China's Quectel, Fibocom may pose national security risks

By David Shepardson

WASHINGTON (Reuters) - Federal Communications Commission Chairwoman Jessica Rosenworcel asked U.S. government agencies to consider declaring that Chinese companies including Quectel and Fibocom Wireless pose unacceptable national security risks, according to letters seen by Reuters.

The Republican chair of the House of Representatives China Select Committee, Mike Gallagher, and the top Democrat on the panel, Raja Krishnamoorthi, asked the FCC last month to consider adding to its so-called "Covered List" the two companies, which produce cellular modules that enable internet of things (IoT) devices to connect to the internet.

Federal funds cannot be used to purchase equipment from companies on the list, and the FCC will not authorize new equipment from companies deemed national security threats.

Rosenworcel wrote the FBI, the Justice Department, the National Security Agency, the Defense Department and other agencies on Sept. 1, forwarding the request from the lawmakers.

She said in the previously unreported letters the FCC welcomes the opportunity to collaborate "in addressing this threat, including consideration of the inclusion of this equipment from Quectel and Fibocom on the Covered List."

A U.S. spokesperson for Quectel said once modules are delivered "Quectel customers own the data, and we have no access to any of the data collected."

Remote device management "is achievable solely through the (original equipment manufacturer) device management platform," the spokesperson added, noting the company had recently retained security firm Finite State to audit and test the security of its modules.

Fibocom did not immediately respond to a request for comment.

Rosenworcel told the lawmakers in a separate letter Tuesday "the issues you raise with respect to connectivity modules merit continued attention. To this end, the commission is examining additional steps it should take to protect U.S. networks."

She added the FCC can update the Covered List "only at the direction of national security authorities."

The FCC previously placed 10 Chinese and one Russian company on the Covered List including Huawei, ZTE, Hytera Communications Corp, Hangzhou Hikvision Digital Technology and Zhejiang Dahua Technology.

The lawmakers warned that U.S. medical equipment, vehicles and farm equipment using Chinese cellular modules could be accessed and controlled remotely from China.

Noting that the modules are typically controlled remotely and are the necessary link between the device and the internet, the lawmakers said that if China "can control the module, it may be able to effectively exfiltrate data or shut down the IoT device."

The FCC has taken other steps to bar Chinese telecom companies from U.S. networks. Last year, the FCC voted to revoke China Unicom's U.S. unit, Pacific Networks and ComNet's authorization to operate in the United States, citing national security concerns.

Rosenworcel said the list "provides all companies making purchasing decisions clear signals about the security of products in the marketplace."

The Chinese embassy in Washington did not immediately comment on Wednesday, but last year it said the FCC "abused state power and maliciously attacked Chinese telecom operators again without factual basis."

(Reporting by David Shepardson; editing by Jonathan Oatis, David Gregorio and Jamie Freed)