Congress Told ISPs To Remove All Huawei Network Gear, Failed To Fund The Effort, Then Just Forgot About It

from the performative-outrage dept

Long before TikTok histrionics took root, you might recall that numerous members of Congress spent numerous years freaking out about another Chinese company: Chinese telecom equipment maker Huawei.

The argument, made without much in the way of public evidence, was that Huawei was systematically using its network gear to spy on Americans at a massive scale. Congress then proposed a solution: it would require that U.S. telecom operators (large and small) rip out all Huawei equipment from their networks at great expense, then replace it with usually more expensive alternatives.

So in early 2020 Congress passed the Secure And Trusted Communications Act, effectively banning Huawei from U.S. telecom networks. Congress doled out $1.9 billion to rip out and replace Huawei gear, but it’s estimated to cost around $5 billion to actually complete the effort. But the FCC last week politely pointed out that, instead of finishing the job, Congress did nothing.

The costs were significant, especially for smaller telecoms, which may now be forced to withdraw from the program or shut their networks down entirely without additional funding, the FCC wrote:

“Several recipients have recently informed the Commission that they foresee significant consequences that could result from the lack of full funding, including having to shut down their networks or withdraw from the program. Because Reimbursement Program recipients serve many rural and remote areas of the country where they may be the only mobile broadband service provider, a shutdown of all or part of their networks could eliminate the only provider in some regions.”

So basically Congress freaked out about Huawei (without much public evidence), proposed a very expensive solution to address the problem, didn’t fully fund the program, then basically fell asleep. Their apathy and dysfunction now risk putting some smaller ISPs out of business; ISPs that may be the only broadband provider available in some rural markets. Impressive work all around.

This is all fairly ironic given the hysteria Republicans like the FCC’s Brendan Carr have had about TikTok. Carr has made quite a career showing up on cable news to gnash his teeth over a social media network his agency doesn’t have the authority to regulate. Yet he’s not been anywhere near as active in pushing for a solution for a huge problem impacting a sector he actually regulates.

In part because the work of actually doing a coherent job doesn’t much interest an ad-engagement-chasing press. The actual daily nitty-gritty details of coherent governance aren’t sexy, and (usually) don’t get you on cable TV.

It all aptly demonstrates the often-performative nature of Congress’ hysteria over China. They’ll thrash and flail over some perceived Chinese threat to grab headlines and make U.S. competitors (like Facebook or Cisco) happy, throw out some barely workable solution (like say the TikTok ban), then consider their job done. Once the cable networks are no longer interested they’ll just forget about the problem entirely.

Companies: huawei


Comments on “Congress Told ISPs To Remove All Huawei Network Gear, Failed To Fund The Effort, Then Just Forgot About It”

25 Comments
Onno (user link) says:

They didn't "forget", this was always the plan ...

No points for guessing which lobby group helpfully “facilitated” this little bout of “forgetfulness”.

I wonder if someone is tracking which companies might benefit from this “oversight” and how many members of Congress have cozy relationships with those “organisations” … I mean, the robber barons were “organisations” too …right?

Anonymous Coward says:

“proposed a very expensive solution to address the problem”

Except that we’re not sure there is a problem, and if there is, this doesn’t really address it. The idea that “trusted communications providers and suppliers” would lead to secure networks is fundamentally flawed. A “trusted system” (or provider/supplier) is, by definition, one whose compromise would lead to insecurity.

It’s considered good practice in computer security to design a networked system under the assumption that the network is insecure and possibly already compromised. For example, online banking’s security does not rely on the user’s ISP being secure; if the user has the HTTPS link bookmarked and doesn’t bypass any warnings, it could be done safely on a coffee shop’s wi-fi (assuming the password would not be seen by cameras or other patrons).

There’s no reason such things couldn’t be done with the phone network. If the Huawei equipment only ever routed encrypted traffic, it would be quite difficult for that to do anything too concerning; almost impossible if the routing were done in a way that resisted traffic analysis (e.g. “onion” routing). It’s also quite feasible to design a system that would prevent location-tracking by mobile network operators.

Anonymous Coward says:

Re:

You’re correct: robust network/system/service design practices alleviate many of the risks that are posed by (possibly) insecure transport.

But there’s a problem, actually two problems.

The first is that “many” is not “all”. For example, to borrow from your banking/HTTPS example: an adversary in control of a network midpoint between the user and the bank may not be able to decrypt the traffic, but they can note its origin, destination, time, duration, and volume. This allows a form of intelligence-gathering called “traffic analysis” and it can be surprisingly revealing to people who aren’t familiar with it. There are other examples similar to this one.

The second is that “robust” is a high bar. Some operations don’t clear it; some don’t attempt it. Sometimes that’s because they don’t have the money, sometimes it’s because they have the money but don’t want to spend it, and sometimes they don’t know how or just don’t care. It is VERY difficult to convince operations like this to step up because they know they’ll face (almost) no consequences if something goes wrong, even if it’s serious and/or massive.

Now to this specific case: I’ve invested a lot of effort in investigating Huawei gear. I’m convinced that it’s unsuitable for use BUT I can’t rigorously defend that conclusion because I can’t point to a “smoking gun” that constitutes proof. Maybe that’s because there isn’t any (proof); maybe that’s because there is, but it’s been very, VERY artfully concealed. (We have to presume highly competent adversaries…because they are.) It would be convenient to resolve this issue definitively one way or the other, but that seems unlikely. So all I can do is rely on my experience and make the best judgment call that I can, and mine is to remove Huawei gear.

Anonymous Coward says:

Re: Re:

“Now to this specific case: I’ve invested a lot of effort in investigating Huawei gear. I’m convinced that it’s unsuitable for use BUT I can’t rigorously defend that conclusion”

That sounds a lot like what the people in the government are saying. I understand proof is hard to get, but neither you nor they have even hinted at a reason. Is your suspicion that they’re doing traffic analysis? That they’re slower than other vendors to patch vulnerabilities? That the Chinese government could force them to send harmful code in a “security update”?

We know all this stuff has backdoors, because our governments require them to (e.g. CALEA). But Juniper had an “extra” backdoor; that’s been proven, and somehow they’re not getting the reaction Huawei is. And very few people are even trying to make things resistant to traffic analysis, location-tracking, and other network attacks.

Anonymous Coward says:

Re: Re: Re:

You’re right again: and arguably, we should be more suspicious of Juniper than Huawei, given what we actually know (rather than what we suspect). And on top of that, the entire router/switch/etc. ecosystem is loaded with vulnerabilities, some of which vendors refuse to fix. See for example this depressing catalog of such things:

Router Bugs Flaws Hacks and Vulnerabilities
https://routersecurity.org/bugs.php

My agita with Huawei stems from observation of how the Chinese usually proceed when entering established product markets. They (1) exhaustively study what already exists (2) figure out how to repeat its successes (3) figure out how to avoid its failures (4) figure out how to scale it (5) figure out how to do all this profitably. (Look at what they’re doing with electric cars, for example.) What bothers me is that in the case of Huawei they’re not doing (3) very effectively…and they should be.

That seems wrong. I can’t prove to you (or even to myself) that it’s deliberate, but it strikes me as very odd; incongruous, if you will. My expectation is that their network device software should be demonstrably better than their competition, because they certainly have the technical capability to make it so. The fact that it’s not really bothers me.

Not that I’m letting everyone else off the hook: I have issues with them, too. cough Netgear cough Cisco cough ASUS etc. Some days I wish we could just hire Morty from Kansas City to shovel packets. 😉 But I just can’t shake the feeling that Huawei’s known bugs are bugs that should never have existed, and I’d really like to know why they do/did.

Anonymous Coward says:

Re: Re: Re:2

“Some days I wish we could just hire Morty from Kansas City to shovel packets.”

“Never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway.” — Andrew S. Tanenbaum

These days it’d be hard drives, and Amazon’s actually done it. The latency’s somewhat higher than most people would prefer.

I’m not sure I entirely agree with you on step 3. I mean, as an explanation for a gut feeling, it’s fine, but it seems like a step that’s frequently skipped. People speak of poor-quality imported product(-clone)s all the time—they just have to be cheaper and “good enough”, right?

Anonymous Coward says:

Re: Re: Re:3

Having actually driven 9-track magnetic tapes to another location (although not in a station wagon), I feel this quote. But the attribution I’ve seen assigns it to Dr. Warren Jackson, director of UTCS, and it seems that Wikipedia (at least) agrees with me on its origin:

https://en.wikiquote.org/wiki/Andrew_S._Tanenbaum

Back to Huawei: you make an excellent point by noting that “good enough” is a frequent strategy, and it often works because the marketplace is saturated with miserably bad products…thus something that’s only tolerably bad has a chance to succeed.

So admittedly I’m relying on long experience (long bitter experience) and intuition here: what Huawei’s done just smells wrong to me. I’d really like to have something more concrete than that – even if it demonstrates that I’m wrong – because the clarity would be refreshing.

And you know…I’ll bet that someone actually has that clarity. Given the fuss about Huawei (and the others), I have no doubt that someone in the NSA has a stack of these and has torn them down to their component molecules, exhaustively testing/analyzing in order to find out exactly what’s going on. But of course they’re not going to publish that. Pity. It would at least let us engage in informed discussion rather than one full of speculation (and I’ll admit that’s exactly what I’m doing).

That One Guy (profile) says:

'They're a massive threat to National Security! ... someone else deal with it.'

How to tell that all the recent fearmongering about China is nothing but empty PR stunts and not based upon any observable threats or response to them: When it comes to the government paying the bill suddenly they lose all interest in following through, even though it’s not their money they’re spending and they were claiming seconds before that the issue was an existential threat to the security of the country.

Do I believe that China is run by terrible people with little to no respect for the rights and lives of anyone but themselves? Without question.

Do I find it entirely possible that they might try to screw the US over in a way that benefits them? Quite possible.

But…

Do I think that this ‘rip and replace’ and the TikTok ban have anything whatsoever to do with protecting the US citizenry or National Security? Not in the slightest.
