The Biden administration is currently investigating China Mobile, China Telecom, and China Unicom due to concerns that they may access U.S. data through their cloud computing and internet services in the United States and provide it to the Chinese Communist Party, potentially posing security risks to the U.S.
This investigation marks Washington’s latest effort to prevent Beijing from using Chinese companies to access U.S. data, which could harm businesses, Americans, or national security. It shows that the Biden administration is attempting to close all remaining avenues for Chinese companies targeted by Washington to access U.S. data.
According to three anonymous sources cited by Reuters, the U.S. Commerce Department has subpoenaed these three companies and completed a “risk analysis” on China Mobile and China Telecom, while the investigation on China Unicom is still ongoing.
Despite U.S. telecom regulators prohibiting these three companies from providing phone and internet services, they still have a small presence in the U.S. and can access data of Americans through services like cloud computing and contracting U.S. internet traffic routes.
The sources indicated that regulators have yet to determine how to address the potential threats but have the authority to prevent companies from “foreign adversaries” engaging in data center and internet transmission services.
The prevention of these critical transactions would diminish the ability of Chinese companies to offer competitive cloud and network services targeted at the U.S. market, further weakening their remaining business in the U.S.
Doug Madory, a network expert at internet analysis company Kentik, told Reuters, “They (the CCP) are our main competitors globally, and they are very cunning… I think if they (U.S. regulators) aren’t trying to mitigate these risks, they don’t think they’re doing their job.”
The Commerce Department is also investigating these companies’ cloud services in the U.S., which was a focal point of a 2020 U.S. Justice Department investigation into China Mobile, China Telecom, and Alibaba. The scope of the investigation later expanded to Point of Presence (PoP) and China Unicom.
Regulators are concerned that these companies might access personal information and intellectual property stored in their clouds and provide it to the CCP or undermine Americans’ access to this information. Commerce Department officials are particularly worried about a data center owned by China Mobile in Silicon Valley, California.
Bert Hubert, a cloud computing expert and former member of the Dutch intelligence and security regulatory committee, believes that owning a data center means that Chinese companies have a “unique Chinese foothold of their own within the U.S.”
He pointed out that having a data center would provide more opportunities for abusing customer data, such as gaining remote access through backdoors or bypassing encryption to intrude into customers’ servers at night.
China Mobile, China Unicom, and China Telecom are large state-owned enterprises controlled by the Chinese government. Their U.S. subsidiaries have long been targets of Washington. The Federal Communications Commission (FCC) rejected China Mobile’s application to provide phone services in 2019 and revoked China Telecom and China Unicom’s phone service licenses in 2021 and 2022, respectively.
On April 25, the FCC ordered the U.S. subsidiaries of these three companies to cease their fixed or mobile broadband internet services in the U.S.
The FCC’s decision was primarily based on a bipartisan report released by the U.S. Senate Permanent Subcommittee on Investigations in 2020. The report stated that the U.S. government had “virtually taken no action to oversee the operations of China’s state-owned operators in the U.S.” The report cited at least nine cases of China Telecom incorrectly routing internet traffic and recommended revoking China Telecom’s telecom service license.
Earlier this month, FCC Chairman Jessica Rosenworcel stated that U.S. agencies had publicly disclosed that China Telecom had exploited Border Gateway Protocol (BGP) vulnerabilities to “incorrectly route U.S. internet traffic at least six times,” these “BGP hijacks” could expose personal information and lead to theft, extortion, and state-level spy activities. BGP is a routing protocol used to determine the best network routes for data transmission over the internet.
China Telecom’s tendrils have deeply penetrated U.S. network infrastructure. According to its official website, China Telecom operates 8 Points of Presence (PoP) in the U.S., located at internet exchange points allowing large networks to interconnect and share routing information.
The FCC stated that when PoPs are operated by companies posing national security risks, it brings “severe national security and law enforcement risks.” In April, the FCC stated that if China Telecom’s PoPs are located at network exchange points, the company “could potentially access or manipulate data on or transiting through customers’ preferred paths in the U.S.”