According to the UK government, in May 2020, the US changed a “subtle and detailed export control rule” called the ‘Foreign-Produced Direct Product Rule’ (FDPR). The amended rule made an explicit statement that no company, regardless of where it might operate, could be part of the Huawei supply chain, if US technology was used in the design tools or manufacture processes.
This was an amendment to a decision taken by the US in May 2019, where the United States government added Huawei to its ‘Entity List’, which is a trade sanction that seeks to control and protect the movement of US technology.
In a report issued by the National Cyber Security Centre (NCSC) on the 14th July, it was made clear that this amendment to US policy was designed to cause maximum disruption to Huawei’s supply chain, specifically the custom chips included in Huawei’s products.
“The focus of the US in implementing the rule appears to be to target Huawei’s semiconductor production, as the press statement accompanying the announcement of the rule make clear,” said the NCSC.
This doesn’t just mean that Huawei can’t use design tools that contain US technology, but it also applies to companies working with Huawei. For example, foreign manufacturers of semiconductors who use American software and technology in their operations - such as Taiwan Semiconductor Manufacturing Co., which develops products for Huawei’s HiSilicon unit - can no longer ship their products to Huawei, unless they get a license from the US. Which, of course, would not be issued under existing guidelines.
“It also means that no-one else can take a Huawei design and turn it into chip manufacture instructions - usually something called a GDSII - using tools that contain US technology,” explained NCSC Technical Director Dr Ian Levy in a blog post outlining the changes. “Even if you’ve already got the GDSII for a Huawei chip, you can’t actually turn it into a chip if your foundry process uses US technology (and for modern process nodes, US technology is pretty pervasive) or if the GDS2 was produced using US technology.”
Why does a US sanction change the UK’s policy?
So why has this change to US trade restrictions had such a huge impact on the UK’s networking infrastructure, significantly affecting our 4G, 5G, and FTTP delivery?
“Huawei has always been considered higher risk by the UK government for the reasons set out in our high-risk vendor (HRV) advice, and as such a risk mitigation strategy has been in place since Huawei first began to supply UK operators,” explained an analysis report from the NCSC. “Since 2010, a set of arrangements have existed between Huawei and Her Majesty’s Government (HMG) to mitigate any perceived risks arising from the involvement of Huawei in parts of the UK’s critical national infrastructure. A fundamental component of these arrangements is the existence and effective operation of the Huawei Cyber Security Evaluation Centre (HCSEC).”
The Huawei Cyber Security Evaluation Centre (HCSEC) is a facility in Banbury, Oxfordshire, belonging to Huawei UK, but directed by NCSC, which is ultimately overseen by an Oversight Board, set up to ensure its independence. HCSEC provides security evaluation for a range of Huawei products used in the UK’s telecoms market. And it’s the complicated management structure within HCSEC which has, according to the NCSC, which has forced the UK’s hand.
“As HCSEC is also caught by the [US government’s] Entity Listing as part of Huawei UK, a consequence of the sanction is that it may directly inhibit the transfer of both Huawei products and essential product information (such as designs, binaries, etc.) into HCSEC for analysis,” said the NCSC. “Hence, as it stands today, the sanction prevents the functioning of the UK’s security mitigation strategy with Huawei.”
Put simply, US sanctions mean that HCSEC can no longer test Huawei products to a level where it can confidently assess any potential security implications for the UK’s networking infrastructure.
And rather than come up with a fully independent way of establishing the security of products manufactured for use in the UK, something that many groups believe is impossible anyway, the UK has opted for a blanket ban.
“This obviously affects what the UK’s National Cyber Security Centre (NCSC) can say about their products going forward,” said NCSC Technical Director Dr Ian Levy. “We think that Huawei products that are adapted to cope with the FDPR change are likely to suffer more security and reliability problems because of the massive engineering challenge ahead of them, and it will be harder for us to be confident in their use within our mitigation strategy.”
Is this really about security?
Unsurprisingly, the decision is also being viewed by many experts through the prism of Brexit, with the UK’s ongoing relationship with the US, both as a trade and security partner, being the primary factor in the decision to remove Huawei technology from the UK, as the country seeks to improve relations in Washington.
But for mobile network operators (MNOs) in the UK, this will cause significant upheaval, will delay the roll out of the country’s 5G infrastructure, and will have a massive cost implication, as operators struggle to maintain existing Huawei products, vital for 4G connectivity across the country, whilst finding new vendors for 5G.
To try and help operators, the UK government has outlined a number of guidelines, which are as follows:
- Existing Huawei equipment in the UK can continue to be used, subject to the high-risk vendors (HRV) policy and our mitigation strategy;
- operators need to procure enough spares to maintain the equipment for the expected lifetime;
- operators should seek to cease procuring and deploying Huawei 5G access equipment, all transport equipment, and other miscellany to manage the long-term risks of the newly designed products (practically, procurements are likely to cease by the end of 2020);
- operators should seek to cease procuring and deploying Huawei FTTP (Fibre to the Premises) access equipment. It may take a bit longer for rollouts to cease in this case, so DCMS are going to work with industry to establish a manageable timeframe.
“Although the government isn’t stripping Huawei’s equipment straight away, the phased approach will have a marked effect on the telecoms industry, potentially costing billions because a lot of the major UK operators such as BT and Vodafone are already using its equipment,” explained Michael Downs, Director of Telecom Security at Positive Technologies. “There is also the additional cost of delaying deployments, as companies have already gone through the process of testing 5G equipment from Huawei. This whole process - including testing - will have to be started all over again.”
This decision will have long-lasting effects on both the quality, cost, and availability of 5G in the UK. Operators will have to raise prices, as they pass on the considerable cost of removing Huawei kit to consumers; we will undoubtedly see a significant delay in the roll out of 5G in the UK as a result; and there are likely to be thousands of job losses, as Huawei must now be considering its position in the UK (in 2018 an Oxford Economics report claimed that Huawei paid almost £500m in taxes to the UK exchequer). Also, of particular concern in the wake of the Covid-19 pandemic, there is a potential knock on effect to the UK’s emergency services, which will soon rely on 4G mobile data to communicate, as they migrate to the controversial Emergency Services Network (ESN).
Over the next 24 hours we will be collecting industry reactions to this news, and will be providing regular updates as responses come in.