FCC Deal With Foreign-Owned Company Raises Security, Transparency Concerns

FCC HQ

The Federal Communications Commission gave final approval for Telcordia, a subsidiary of the Swedish company Ericsson, to be the next Local Number Portability Administrator (LNPA), despite protests from the current LNPA that the FCC ignored national security implications and withheld information when choosing a new company.

The North American Numbering Management (NANM) industry consortium was in charge of conducting the contract with Telcordia. The process was overseen by the FCC.

Neustar, a Virginia-based company that has been in charge of routing calls and texts for 650 million U.S. and Canadian phone numbers for more than 2,000 carriers since 1997 when the job began, believes that the FCC and Telcordia haven’t been transparent in the bidding and transition process for the new LNPA.

“The FCC’s decision is just another data point in a bizarre and opaque process that continues to give short shrift to important issues involving critical U.S. telecommunications infrastructure,” according to a Neustar spokeswoman who spoke on condition of anonymity. “Neustar will continue to fulfill our transition obligations, deliver high-quality NPAC services, and pursue a lawful outcome through our litigation.”

The LNPA was established so that consumers could keep their phone number when changing carriers.

The Number Portability Administration Center (NPAC) requires the company that oversees it to keep phone data secure because the Federal Bureau of Investigation and other law enforcement agencies look into the database 4 million times a year to gain information for criminal and intelligence investigations. The concern is that other countries could hack into the database to find out who the U.S. government is wiretapping. Another concern is that a hacker could get into the database and severely slow down the routing of calls, which could have serious consequences in the event of a national emergency.

In 2013, the FCC put the LNPA up for bid. Neustar and Telcordia were the only two bidders. One concern was that the FCC didn’t include national security requirements in the initial bid process.

“The process was supported by Neustar, Telcordia, and others, and included evaluation of technical and managerial competence, security and reliability, public safety and law enforcement considerations, cost-effectiveness and neutrality,” according to the FCC. “The process required bidders to respond to questions about service quality and system security and reliability.”

Neustar said that it would and had been performing the work for $496 million a year, whereas Telcordia said it would cost $143 million a year.

On March 26, 2014, the North American Numbering Council (NANC), which is an industry consortium, held a meeting where it recommended Telcordia be awarded the contract. Neustar asked for the transcript of this meeting to be published, but was told that notes from the meeting weren’t kept.

However, on March 4, 2015, the day before the Wireline Competition Bureau officially recommended Telcordia, the transcripts from that meeting were released. Neustar filed a complaint with the FCC, arguing that NANC failed to follow the Federal Advisory Committee Act by not fully disclosing the selection process deliberations. Neustar believes that the information was “withheld deliberately” to prevent public comment on the decision process. Despite this, the FCC decided to award Telcordia the contract.

“The March 2014 NANC meeting was closed to the public because it involved the discussion of confidential procurement information, which constituted trade secrets and privileged or confidential commercial or financial information, obtained by members in connection with the Local Number Portability Administrator selection process,” a spokesman for the FCC said. “Only those members of the NANC or its subgroups that executed non-disclosure agreements had access to this confidential procurement. The transcript of the meeting was placed into the record, subject to a protective order, at an appropriate time.”

On April 6, 2015, Neustar filed a lawsuit, requesting that the U.S. Court of Appeals for the District of Columbia review the FCC’s decision. In the request, Neustar claimed that since Ericsson is a manufacturer of telecommunications equipment, Telcordia would be biased in acting as the LNPA. Neustar also claimed that security issues were raised in accordance with the change in LNPAs.

Telcordia submitted a Code of Conduct and Voting Trust Agreement ensuring that the company will be an impartial LNPA, according to the FCC.

The FBI, the Department of Justice, and the Department of Homeland Security, along with other law enforcement agencies, submitted comments during the decision process that they “take no position,” on the selection of Telcordia. The FCC never involved its chief information officer or IT experts and did not request an internal technical opinion on the matter.

However, “it is appropriate for the Commission to consider the ability of the LNPA vendor to satisfy the important law enforcement, public safety, and national security equities of the Federal, State, Local, and Tribal law enforcement agencies who rely on the important and highly sensitive services the LNPA provides to assist virtually all significant criminal and national security investigations,” agency officials said in a statement.

The agencies said that the LNPA must maintain accurate phone number data or else innocent individuals could be submitted to law enforcement agencies by the LNPA based on false records. The agencies requested that the new LNPA provide the same information and services, such as real-time phone call data, to law enforcement agencies while maintaining the confidentiality that Neustar had preserved. The LNPA must also have high security standards to protect phone data, according to the agencies.

“In its March 2015 order conditionally approving the choice by the North American Numbering Council of Telcordia, the FCC required that any final contract negotiated between NAPM and Telcordia ensure security and reliability,” according to the FCC. “The Commission found that Telcordia is technically acceptable and has the requisite experience to serve as the LNPA with respect to security and reliability.”

In April 2016, a Telcordia whistleblower lawsuit stated that non-U.S. citizens were involved in writing the code for the new NPAC. Most concerning was a Chinese citizen who was in the United States legally on a work permit. Neustar believes this violated Telcordia’s contract that said “the U.S. NPAC will be built in America from the ground up” and that it won’t use “foreign code or non-U.S. developed code.”

The selection order, used to regulate Telcordia’s actions when creating a new system, stated, “Telcordia employees working on the NPAC/SMS systems will be U.S. citizens who will be closely screened, vetted, trained, and supervised.”

“These facts raise substantial questions about Ericsson’s candor,” Neustar’s lawyers wrote in a letter to Marlene Dortch, secretary of the FCC.

Once the FCC found out that Telcordia used non-U.S. citizens, Telcordia began to rewrite the entire code from the beginning.

On July 25, the FCC denied Neustar’s request to see the Master Services Agreement between Telcordia and the NAPM, and Telcordia was given final approval to become the new LPNA.

Telcordia expects to be finished with setting up the new system and be ready to begin operating as the new LNPA in fall 2017.

“Since becoming FCC Chairman, my mantra has been clear and consistent: Competition, Competition, Competition,” Tom Wheeler, FCC chairman, said in a statement. “And I’ve consistently identified consumer protection, public safety, and national security as components of the network compact.”

Wheeler believes that since Neustar was allowed to be the LNPA since 1997 with “no-bid” extensions to its contract, the company has prohibited competition to occur.

“We conducted a lengthy, thorough, and transparent process, which was supported by the incumbent and other contenders for the contract,” Wheeler said. “We requested and received comment from stakeholders at various points throughout the process, including early on as we established the process and again most recently when we sought comment on the recommendation from NANC.”

Telcordia believes it meets all the requirements of the LNPA because it has been in the communications industry for more than 30 years and serves more than 1,000 customers globally.

Telcordia is increasing security to its networks following requests from the FCC.

“Best-in-class security is being built into the NPAC application following the best practices outlined in the NIST Cyber Security Framework,” said Sharon Oddy, a spokeswoman for Telcordia. “In addition, the contract itself lays out strict conditions set by the FCC to ensure reliability, security, and competitive neutrality and the new NPAC will meet all of the relevant security parameters in the contract as well.”

No Comments

    Leave a Reply


    Popular

    Recent