• Trump admin tactics force hand of NCSC on restricting Huawei in networks.
  • Ability of UK security to assess and monitor Huawei deployments undermined when simultaneously trying to secure a threadbare alt supply chain.
  • At least that’s the mainstream story.

US sanctions overwhelm UK network resilience plans

US sanctions overwhelm UK network resilience plans

Source: Kārlis Dambrāns / Flickr CC BY 2.0

As widely expected, the UK government revised its approach to the presence of Huawei Technologies in domestic network infrastructure, which will now see the Chinese vendor banned from the 5G procurement process after 2020, and stripped out of existing 5G infrastructure by 2027.

The rapid revision follows sustained and intensified pressure from the USA and an awkward squad of the government’s own Members of Parliament to exclude Huawei from next-generation networks (NGN) as well as existing deployments.

The revised advice from the country’s National Cyber Security Centre (NCSC) that prompted the headline‑grabbing changes also underlined wider infrastructure resilience and security challenges facing the UK. The impact of US sanctions is exacerbated by a lack of diversity in the supply chain, putting pressure on infrastructure requirements that cannot easily be alleviated with a political fix.

Following the statement on the changes made to the House of Commons by Digital, Culture, Media and Sport Secretary Oliver Dowden, the NCSC release a raft of documents including updates to its high risk vendor recommendations, a summary of the impact of May 2020 US sanctions that are said to have prompted the change, and an explainer blog post from the unit’s Technical Director Ian Levy.

BTwatch has repeatedly opined that very few people remotely understood the NCSC’s previous January 2020 advice. This appeared to be a promising fudge that was finely nuanced to balance the conflicting interests of the UK (domestic audience and interests), the US (best friend forever), China (economic superpower to keep sweet), and Europe (regional, fractured kin). The latest update does not really look materially different beyond more explicitly tapering out Huawei as a strategic network equipment provider (NEP) in the UK, particularly for 5G. BTwatch viewed the first iteration as a subtle but nonetheless brutal squeeze on Huawei that already effectively excluded it from all critical elements of future networks (thus intended to satisfy the US and domestic hardliners), while also in a very British way embedding plenty of wiggle room to subsequently relax restraints should US pressures ease (and so offering succour to operators, China, and more liberal Europe). It could be (and has been elsewhere) argued that nothing has materially changed since January other than government finding itself on the ropes.

Sanctions work, but mitigation efforts fractured

TelcoTitans considers the thrust of the NCSC situation analysis to be that changes to US Foreign-Produced Direct Product Rule (FDPR) sanctions make it virtually impossible in the short term for Huawei to manufacture network equipment that can be tested sufficiently robustly to provide the necessary assurances for deployment.

The body noted that there does not appear to be a way to work around the sanctions that would not entail one or more of the following:

  • Supplier or partner breaking the law.
  • Reliance on generic microprocessors in place of customised designs for crucial network components.
  • Development from scratch of brand-new approaches to semiconductor tooling and manufacture that replicate the outcome of current processes but without employing US intellectual property.

As Levy stated in his blog “good luck doing that quickly”

On this basis, the FDPR rules essentially holed the NCSC’s previous mitigation strategy as proposed in January 2020. This was designed to manage (and in BTwatch’s interpretation, ultimately manage out) the presence of Huawei as a strategic NEP within UK infrastructure.

Even if Huawei does adopt a new approach to production that circumvents US restriction, the work needed for the NCSC and the Huawei Cyber Security Evaluation Centre (HCSEC) to be able to understand and evaluate the accompanying new technical information would make it impossible to maintain the depth of scrutiny currently given to the vendor’s equipment.

GCHQ on the US naughty list?

One of the key reasons the NCSC cannot be confident of its ability to oversee Huawei in the current environment is because HCSEC, the semi‑independent Huawei entity that delivers the information upon which UK security advisors act, is covered by the US entity listing for Huawei UK. Because of this listing the vendor will be unable to transfer equipment and designs to HCSEC, which has an oversight board led by GCHQ and Whitehall mandarins, because it is considered a national security concern by the USA.

NCSC can’t permit use of kit it can’t test…

In light of the restrictions, the NCSC has stated the following:

  • Operators should stop deploying and procuring Huawei 5G access, transport, and other associated equipment, by the end of 2020.
  • Existing Huawei equipment in fixed and mobile networks can remain, subject to January 2020’s HRV rules, and if it continued to meet the requirements of the NCSC’s mitigation strategy.
  • Operators must take steps to procure sufficient spares to maintain existing kit for the remainder of its lifetime.
  • Operators need to make moves to end procuring and deploying fibre‑to‑the‑premises (FTTP) equipment from Huawei. This is not expected to happen overnight, with the government and industry set to consult on a viable timeframe. The challenge of finding an alternative supplier is at the heart of the delay.

Meanwhile, the NCSC will continue to monitor the existing installed 5G and FTTP equipment in line with its mitigation strategy, supported by the HCSEC.

Huawei Managed Services was also namechecked in the latest NCSC advice, with operators advised to cease involvement with the unit, and calling on the government to “pursue legislation which excludes the use of Huawei Managed Services”.

… but lack of alternatives keeps Huawei in the mix

While the US sanctions are expected to affect the NCSC’s ability to vouch for FTTP equipment that Huawei might have been expected to provide to support Openreach’s fuller fibre rollout, the security body has accepted an extended Huawei presence because the alternative is no more appealing.

Although it appears keen to remove Huawei from FTTP provision, the NCSC is mindful that, if it did so immediately, there would be equal if not greater security and resilience risks due to becoming overly reliant on a single vendor in the UK’s main fixed access network — namely Openreach’s other partner of choice, Nokia.

The NCSC has, therefore, found itself in a position where it feels obliged to tolerate the presence of HRV network equipment that will be challenging to oversee because the alternative is effectively a single point of failure for the UK infrastructure.

This underlines the wider challenge presented by the UK being backed into a corner on more rapid exclusion of Huawei without having ready alternatives lined up. Levy summed up the difficulty as being a symptom of a wider international supply chain problem that will require a more sophisticated solution than hardline bans of vendors to ease political pressures.

“Providing resilient and secure national scale telecoms systems is a complex task, and soundbites hardly ever apply. The decision today is necessary for the long-term security and resilience of the UK networks, but comes with significant risks and costs. The long-term health and diversity of supply in the telecoms sector is a critical issue for all, and it will take concerted, sustained, international effort to fix it.”

— Levy.