contractual service agreements with the Chinese state-owned carriers contain standard provisions indicating that the parties agree to deliver traffic to the intended recipient.[1] All three U.S. carriers, however, noted that they maintain company-wide cybersecurity defenses that apply to all external traffic, regardless of whether service or interconnection agreements exist.[2]
CTA is untrustworthy. Team Telecom highlighted CTA's delayed response to its document and information requests following the April 2018 site visit, which called into question CTA's willingness to comply with the security agreement.[3] When CTA finally produced the requested documents and information, Team Telecom identified what it viewed as prior inaccurate statements about where CTA stored its U.S. records.[4]Team Telecom also found that CTA's lack of trustworthiness negated the effectiveness of the security agreement and any further mitigation efforts.[5] Team Telecom added that CTA had breached the security agreement by failing to implement a formal written information security policy prior to December 1, 2018, and failing to notify Team Telecom of two 2010 FCC applications related to signaling point code.[6]
CTA is ultimately owned by the Chinese government. Team Telecom highlighted CTA's ownership structure and that CTA is ultimately owned and controlled, through CTCL and China Telecom, by SASAC:
- ↑ See Briefing with Verizon (Sept. 4, 2019); Briefing with CenturyLink (Sept. 10, 2019); Briefing with AT&T (Sept. 17, 2019). Verizon representatives told the Subcommittee that Verizon's interconnection agreements with Chinese state-owned carriers are substantially identical to the agreements in place with other external carriers. Teleconference with Verizon (June 2, 2020).
- ↑ Briefing with Verizon (Sept. 4, 2019); Briefing with CenturyLink (Sept. 10, 2019); Briefing with AT&T (Sept. 17, 2019); Teleconference with Verizon (June 2, 2020); Email from CenturyLink to the Subcommittee (June 2, 2020) (on file with the Subcommittee); Email from Gibson, Dunn & Crutcher LLP, counsel to AT&T, to the Subcommittee (June 2, 2020) (on file with the Subcommittee).
- ↑ Executive Branch Recommendation re CTA, supra note 56, at 17.
- ↑ Executive Branch Recommendation re CTA, supra note 56, at 18-26. Team Telecom also believes CTA made inaccurate statements to U.S. customers about its cybersecurity practices. Executive Branch Recommendation re CTA, supra note 56, at 26-32.
- ↑ Executive Branch Recommendation re CTA, supra note 56, at 53-56.
- ↑ Executive Branch Recommendation re CTA, supra note 56, at 53-55. See also TT-DOJ-277–80. Signal point codes are unique addresses that identify individual network elements for a Signaling Point used in Message Transfer Part to identify the destination of a message signal unit. They operate similar to IP addresses. See SS7 Point Code Administration, ICONECTIV, https://iconectiv.com/ss7. In documents made available to the Subcommittee, CTA refuted the allegations, arguing that (1) the lack of a comprehensive information security policy was not indicative of a breach of obligations, and (2) the security agreement's obligations require CTA to alert Team Telecom only of actions that would result in a material change to the company's ownership structure, service offerings, or its ability to ensure the availability of its U.S. records in the United States. CTA argued that signal point codes do not fall into any of those categories. TT-DOJ-283-90.
71
