Commentary
The Federalist Society

Punish the Perpetrator, Not the Victim: How to Deal with Chinese Hacking

Harold Furchtgott-Roth
Senior Fellow and Director, Center for the Economics of the Internet

This month, the Biden Administration revealed that Chinese state actors have, since at least last winter, infiltrated the communications networks of major American telecommunications carriers. Targets included Donald Trump and J.D. Vance. Perhaps worst of all, the infiltration has not ended. Surprisingly, our government seems flat-footed and unable to respond.

It is not surprising that Chinese state actors have infiltrated American telecommunications networks. The vulnerability of American computer and communications systems to Chinese state actors has long been known. In 2014, the Center for Strategic and International Studies issued a report describing 224 incidents of Chinese espionage in the United States in the prior 15 years. In 2015, Chinese hackers were discovered to have infiltrated the federal government’s Office of Personnel Management, including information on security clearances. The same year, a former director of the National Security Agency stated that China had hacked into the computer system of every major American corporation.

For many years, the NSA has issued warnings about the vulnerabilities of computers and networks, and recently the NSA issued guidance for visibility and hardening of communications infrastructure.

In the past 10 years, China has continued to infiltrate American computer systems and communications networks. In 2020, 2022, and 2024, the National Security Agency publicly documented the vulnerability of national security systems to Chinese attacks. In 2021, Chinese hackers allegedly breached U.S. defense firms. Americans hear a constant drumbeat of concern about Chinese hacking.

There are two categories of possible responses to persistent hostile hacking: (1) provide better security to prevent hacking and (2) impose targeted and punishing sanctions on the offending Chinese state actors. Our government has focused on the former, but not the latter.

Concern about Chinese hacking led Congress in 2019 to pass the Secure and Trusted Communications Networks Act, which authorized the Federal Communications Commission to reimburse certain telecommunications carriers for the removal of Chinese telecommunications equipment from Huawei and ZTE Corp. The program, known as “rip and replace,” has allocated nearly $1.9 billion, but applications have exceeded available funds. Congress is considering allocating an additional $3.08 billion to fund all applications, all of this to be paid for by the American taxpayer instead of the foreign bad actors that harmed those taxpayers.

But there is no evidence that Chinese espionage is dependent on Chinese-manufactured equipment. Recent hacking has included telecommunications networks without Huawei or ZTE equipment.

Chairwoman Jessica Rosenworcel of the Federal Communications Commission recently proposed that the FCC require telecommunications carriers to certify that their networks are secure under the Communications Assistance for Law Enforcement Act. Such certification, no doubt costly for carriers, may be a useful idea, but it imposes costs on the victims of espionage without punishing the perpetrators. The FCC cannot punish the wrongdoers; other parts of government must act.

Recently, the Supreme Court agreed to review a combined case—Miriam Fuld v. PLO and United States v. PLO—which addresses questions of consent to the jurisdiction of the United States under antiterrorism statutes. Supreme Court review should help clarify the applicability of federal law against foreign actors not only for federal antiterrorism laws but also for other laws such as those concerning espionage and intellectual property theft.

For much of American history, foreign-supported terrorism, espionage, and intellectual property theft were conducted by clandestine agents operating in the United States. Such activity continues today, and federal law is well-adapted to address and to punish the harmful conduct of individual agents. Cases such as Fuld seek to find liability and damages for the conduct of foreign entities operating outside the United States. Congress in 2019 specifically addressed consent to the jurisdiction of the United States, and the Supreme Court will now determine whether that statutory language is sufficient.

Ultimately, Fuld and many similar cases address whether federal law is sufficient to find liability and to award damages against entities that harm—knowingly and maliciously—American citizens engaged in activities outside the United States. The hacking of American telecommunications networks involves harms to American citizens inside the United States. Law and economics—and common sense—find that punishing wrongdoers and awarding damages to victims reduces the likelihood of wrongdoing.

The worst strategy from an economic perspective is to punish the victims of wrongdoing by forcing them to incur substantial additional costs while imposing no costs on perpetrators. The predictable result of such a strategy is that the wrongdoer will continue to engage in wrongdoing, and the victims will be weakened and disillusioned.

This economic dystopia is happening in the realm of foreign surveillance of Americans through the infiltration of telecommunications networks.

All of this reinforces the importance of the Supreme Court’s decision to grant review in Fuld. If foreign bad actors cannot be held accountable under current federal law, the law should be amended to hold them accountable, which Congress thought it had done in 2019. Quite possibly, the acceptance of federal jurisdiction may be created by substantial trade with the United States. The infiltration of American communications networks is not what one expects from any trading partner, much less one of the largest trading partners in the world. Misconduct should be punished, not rewarded.

Read in The Federalist Society.
