The FCC is asking Congress for $2 billion to finance the removal of all Huawei equipment from some rural US wireless networks.
But that's the easy part.
The much, much harder question – one that has not yet been answered by the commission – is how to replace Huawei's equipment with equipment from "trusted" suppliers. What is a "trusted" supplier, after all? And who gets to decide that?
Those are the issues that are under debate at the FCC right now.
"A key component of the effort to secure America's telecommunications networks will be the commission's creation of a well-vetted list of suggested replacement communications equipment and services," wrote vendor COMSovereign to the FCC. (The company has flatly stated its intent to become America's Huawei.) "Prior to issuance of such a list, the commission should clearly define a set of qualification criteria for both vendors and specific equipment to be added to the list, and establish a method for demonstrating compliance with those criteria."
Creating a list
And how exactly should the FCC go about assembling that list of trusted suppliers? Blue Danube Systems – another equipment vendor – has some ideas.
"The commission should seek to use the membership lists of industry consortiums such as the ORAN Alliance, The Open RAN Policy Coalition, the National Spectrum Consortium, and 3GPP (3G Partnership Project) to develop a list of replacement equipment providers initially," the company wrote in its own FCC filing. "We also suggest using organizations such as the IWPC (International Wireless Industry Consortium) that is a US based Wireless Industry Group and has an extensive global database of providers to the wireless industry. The IWPC includes all equipment and services providers and operators. We believe that the IWPC could help screen the list of companies and add any additional missing companies from other sources."
But wait, worries Metaswitch Networks (which is being acquired by Microsoft), won't all this vetting create extra costs for vendors? After all, the company argued, a detailed list of trusted vendors and equipment "introduces an overhead with no clear benefit."
And Metaswitch also suggests that the FCC avoid creating a detailed list of approved pieces of trusted equipment because "any delay introduced by, for example, additional vetting from the commission, will directly impact the timeline to replace the equipment."
Yup, you read that right: Some of the companies in this debate are suggesting that the FCC avoid a lengthy vetting process for a program designed to remove equipment deemed a threat to national security. Because apparently it's more important to quickly replace Huawei's equipment – and for vendors like Metaswitch to get at that $2 billion – rather than to thoroughly check the replacement equipment for threats.
Lists are too hard
As a result of concerns like this, some are urging the FCC to avoid actually creating a list of trusted vendors and instead just create categories of equipment that ought to be trusted. After all, if a vendor isn't banned outright – like Huawei and (sometimes) ZTE – then it must be OK, right?
"The Secure Networks Act [which authorizes the Huawei rip and replace program] provides the commission the option of developing a list of 'categories of replacements,' and the commission should take this approach rather than naming specific 'suggested' suppliers," wrote Ericsson. "All companies that are not designated as 'covered communications equipment or services' on the list ... should be presumed under the law to be eligible to provide replacement equipment and services."
Others agree with this argument. "The commission should take the most administratively simple approach and decide that any equipment that is not derived from a manufacturer designated as a national security threat should be 'allowed,'" concurred USTelecom, a trade association.
However, USTelecom also argues that the FCC should use its "rip and replace" program to push open RAN technology. "To the extent the commission provides more detail around categories or types of equipment, it should include and emphasize open RAN equipment."
Because open RAN technology ensures security. For reasons.
Are you secure? Check yes or no
But the Rural Wireless Association – the association that represents the operators at the center of this debate, the operators that currently use Huawei equipment – disagrees with all this. What the RWA wants is clarity.
"RWA believes that identifying the vendor is also critical and it would not be a heavy lift to do so," the group wrote to the FCC. "Under RWA's approach there would be simplicity for vendors and needed specificity for carriers. The commission could serve as a clearinghouse to collect this information and provide it through a FCC-run portal, allowing vendors to simply indicate (by checking a box) the categories of equipment and services they offer since they are in the best position to do so. The information could be compiled into a list that is publicly released, accessible to carriers and updated periodically as new vendors and vendors' new categories of equipment and services become available."
And how can the FCC ensure the vendors on its list are "trusted?"
"Vendors could certify under penalty of perjury that their equipment complies with the law with respect to network security," argues RWA.
So, basically, the FCC should rely on a pinky swear, cross-your-heart-and-hope-to-die promise from vendors that their equipment is secure. If only Huawei had thought of that.
US vs China
The bottom line here is that the Secure Networks Act basically creates a no-win situation. It essentially designates equipment from Huawei and ZTE as a threat to national security without saying exactly why. This leaves the FCC to implement a replacement program that also does not have a mechanism to judge whether vendors are trusted or untrusted.
Let's be honest: What's really at issue here is whether the vendor is from China. But so far, no one wants to suggest the obvious solution to this line of reasoning: a checkbox that asks, "Are you a Chinese company? Yes or no?"
That's because this kind of question can't work – at least not yet – given the interconnected nature of our shared global economy. After all, most electronics are made in China. If Huawei's equipment is not secure, then are Apple's iPhones?
How this all gets resolved is anyone's guess. But I'm betting it's going to get worse before it gets better.