The UK government has delayed making a decision around Huawei’s involvement in 5G and other new telecoms networks, while indicating that cyber-security concerns need to be front and centre of new build outs.
In an oral statement, Jeremy Wright, the secretary of state for digital, culture, media and sport, told MPs that a review into the UK telecoms supply chain highlighted that "existing arrangements may have achieved good commercial outcomes but have not incentivised cyber-security risk management".
"The government is not yet in a position to decide what involvement Huawei should have in the provision of the UK’s 5G network," he continued, blaming a lack of clarity over the "extent and implications" of recent US moves that saw Huawei added to the US’s ‘Entity List’.
This addition effectively banned companies from either selling components and technology to Huawei or importing Huawei tech from 15 May without a specific licence. Although a temporary licence has been granted covering some use cases, the move effectively freezes the Chinese tech giant out of the US market.
Malcolm Taylor, former senior intelligence officer and director of cyber-security at ITC Secure said: "This whole issue should be seen through the prism of risk management. Accepting that China is not a friendly nation, and that all Chinese private companies are in some way attached to, and obligated to, the state, the NCSC believes it has in place a risk management framework which allows it to manage the risks inherent with using Huawei equipment.
"Their mitigation includes the monitoring of Huawei via the Huawei cell (which arguably makes Huawei the most scrutinised company in the world right now), the exclusion from the network core, and on-going senior level UK government engagement. Those are significant steps, and show both the UK’s determination to manage this risk."
It also shows the crucial role played by Huawei in the daily-use networks and the fact that there are hardly any viable competitors, he added.
Wright also told Parmilment that the Telecoms Supply Chain Review had also uncovered a "lack of diversity across the telecoms supply chain" has created the "possibility of national dependence on single suppliers, which poses a range of risks to the security and resilience of UK telecoms networks".
Javvad Malik, security awareness advocate at KnowBe4, said that the issue was indeed supply chain related. "This is an interesting development and good to see the government is taking the matter of cyber-security for 5G seriously. There are two important issues that are notable. Firstly, the issue is not restricted to Huawei, rather, this is a supply chain security issue. Whenever third parties are involved in delivered critical functions, it is important that appropriate security measures are put in place.
"Secondly, as the government rightly pointed out, this issue is not one that can be fixed by technology alone. Rather, security controls need to be embedded into procedures and, by extension, across the culture so that staff are adequately aware of the risks and how to make the right decisions," he said.
As a result of the review, the UK Government is set to establish a new, robust security framework for the UK telecoms sector, one that will apparently "mark a significant shift from the current model, according to a government announcement. The new framework will also "ensure operators build and operate secure and resilient networks, and manage their supply chains accordingly", as well as fully assess risk.