The government today confirmed that it will allow Chinese manufacturer Huawei to help build the country’s 5G network, in defiance of US objections. It remains to be seen whether the move will affect the Five Eyes intelligence sharing arrangement between the US, UK, Canada, Australia and New Zealand; the government says such information sharing will not be impacted.
The expectation is that a tweet will come from Trump today, which will indicate whether the US response is one of anger and the threat of retaliation, or spin that its own lobbying about the dangers of Chinese manufacturers has resulted in the UK placing restrictions on Huawei’s market access.
It's not that the UK has accepted the line that Huawei is a private vendor with nothing to do with the Chinese government; it's simply that an outright ban on Huawei could have delayed 5G rollout by two to three years, increased end-user costs, and negatively impacted economic growth.
As a result, Huawei has been classified as a high risk vendor, which will be excluded from sensitive ‘core’ parts of 5G and gigabit-capable networks. A DCMS statement today also noted that there is a 35 percent cap on high risk vendor access to non-sensitive parts of the network, and the NCSC has issued guidance to operators on implementation.
This decision today concludes the Telecoms Supply Chain Review, first published in July 2019, and in its conclusion Ministers decided to allow Chinese access, so long as UK operators put in place additional safeguards and exclude such high risk vendors from parts of the telecoms network deemed critical to security.
The Prime Minister chaired a meeting of the National Security Council (NSC), where it was agreed that the National Cyber Security Centre (NCSC) should issue guidance to UK Telecoms operators on high risk vendors following the conclusions of the Telecoms Supply Chain Review.
This advice is that high risk vendors should be:
* Excluded from all safety related and safety critical networks in Critical National Infrastructure
* Excluded from security critical ‘core’ functions, the sensitive part of the network
* Excluded from sensitive geographic locations, such as nuclear sites and military bases
* Limited to a minority presence of no more than 35 percent in the periphery of the network, known as the access network, which connects devices and equipment to mobile phone masts
The NCSC carried out a technical and security analysis that the government claims offers the most detailed assessment in the world of what is needed to protect the UK’s digital infrastructure, and now legislation is awaited.
A government statement says it is certain that “these measures, taken together, will allow us to mitigate the potential risk posed by the supply chain and to combat the range of threats, whether cyber criminals, or state sponsored attacks.”
To improve diversity in the supply of equipment to telecoms networks, the government is seeking to attract established vendors not present in the UK, supporting the emergence of new, disruptive entrants to the supply chain, and promoting the adoption of open, interoperable standards that will reduce barriers to entry.
Digital secretary Baroness Morgan said: “We want world-class connectivity as soon as possible but this must not be at the expense of our national security. High risk vendors never have been and never will be in our most sensitive networks.
"We would never take decisions that threaten our national security or the security of our Five Eyes partners.
"As a result, the technical and security analysis undertaken by GCHQ’s National Cyber Security Centre is central to the conclusions of the Review. Thanks to their analysis we have the most detailed study of what is needed to protect 5G, anywhere in the world.
"It is also because of the work of the Huawei Cyber Security Evaluation Centre Oversight Board, established by NCSC, that we know more about Huawei, and the risks it poses, than any other country.
"The government has reviewed the supply chain for telecoms networks and concluded today it is necessary to have tight restrictions on the presence of high risk vendors."
Ciaran Martin, the chief executive of the National Cyber Security Centre, adds: “This package will ensure that the UK has a very strong, practical and technically sound framework for digital security in the years ahead. The National Cyber Security Centre has issued advice to telecoms network operators to help with the industry rollout of 5G and full fibre networks in line with the government’s objectives.
“High risk vendors have never been – and never will be – in our most sensitive networks. Taken together these measures add up to a very strong framework for digital security.”
Foreign secretary Dominic Raab explained the final conclusions of the Telecoms Supply Chain Review in relation to high risk vendors in the House of Commons, saying:
"In order to assess a vendor as high risk, the Review recommends a set of objective factors are taken into account. These include:
* the strategic position or scale of the vendor in the UK network,
* the strategic position or scale of the vendor in other telecoms networks, particularly if the vendor is new to the UK market,
* the quality and transparency of the vendor’s engineering practices and cyber-security controls,
* the vendor’s resilience both in technical terms and in relation to the continuity of supply to UK operators,
* the vendor’s domestic security laws in the jurisdiction where the vendor is based and the risk of external direction that conflicts with UK law,
* the relationship between the vendor and the vendor’s domestic state apparatus,
"And finally, the availability of offensive cyber-capability by that domestic state apparatus, or associated actors, that might be used to target UK interests.
"To ensure the security of 5G and full fibre networks, it is both necessary and proportionate to place tight restrictions on the presence of any companies identified as high risk.
"The debate is not just about ‘the core’ and ‘the edge’ of networks. Nor is it just about trusted and untrusted vendors.
"The threats to our networks are many and varied, whether from cyber-criminals or state sponsored malicious cyber-activity.
"The most serious recent attack on UK telecoms has come from Russia, and there is no Russian equipment in our networks.
"The reality is that these are highly complicated networks relying on global supply chains, where some limited measure of vulnerability is almost inevitable.
"The critical security question is: how to mitigate such vulnerabilities and stop them damaging the British people and our economy?"
The NCSC has published its guidance on its website as well as a summary of the security analysis conducted for the Telecoms Supply Chain Review.
Victor Zhang, Huawei’s vice-president, was reported in the press as saying: “Huawei is reassured by the UK government’s confirmation that we can continue working with our customers to keep the 5G rollout on track.
“This evidence-based decision will result in a more advanced, more secure and more cost-effective telecoms infrastructure that is fit for the future. It gives the UK access to world-leading technology and ensures a competitive market.
“We have supplied cutting-edge technology to telecoms operators in the UK for more than 15 years. We will build on this strong track record, supporting our customers as they invest in their 5G networks, boosting economic growth and helping the UK continue to compete globally.
“We agree a diverse vendor market and fair competition are essential for network reliability and innovation, as well as ensuring consumers have access to the best possible technology.”
The US banned companies from using Huawei networking equipment in 2012 and added the company to the US Department of Commerce's Bureau of Industry and Security Entity List in May 2019, following an executive order from President Donald Trump effectively banning Huawei from US communications networks.
Commenting on the move, Jimmy Jones, Telecoms Cyber Security Expert at Positive Technologies, told SC Media UK in an email: “In spite of the persistent pressure from the US, it is not surprising that the UK has finally taken the decision to maintain Huawei technology as part of the nation's 5G infrastructure - with certain restrictions.
"Whilst the US has taken a more hard-line stance, the reality is that a lot of the major UK operators (Vodafone, EE and Three) have already purchased Huawei’s 5G infrastructure which means a ban would have more impact in the UK than the US. If Huawei was taken away as an option, this whole process - including testing - would have to be started all over again. Ultimately any country that does that is facing a more expensive network and a delay that could result in its national infrastructure being inferior compared to other countries.
"Although it’s hard to ignore the geopolitical debates which continue to make headlines, it's also important to recognise the commercial implications of shunning Huawei, which when compared to other suppliers, is way ahead. Huawei has been pioneering 5G dating back to 2009 and because of this development time, along with the sheer engineering resources that Huawei has put behind it, it makes it the best-placed supplier to deliver it. Overall, the UK has taken the decision not to give its economy a technological and financial handicap against fast-developing nations who have already chosen to use Huawei."
Andy Barratt, UK managing director at cyber-security consultancy Coalfire adds: “A Huawei ban would have been a classic case of shutting the stable door after the horse has bolted. Huawei’s products are already engrained into the western tech ecosystem and the huge amount of white labelling that takes place in the industry means that Chinese components are inevitably found in all manner of devices.
“Up to now, no other international vendor has ever been put under as much scrutiny as Huawei and I’m glad to see that the government has decided to take a more measured approach than an outright ban. The company’s already established presence in the UK means that its involvement in our 5G infrastructure is, in some respects, beside the point. We need to accept that doing business in a globally connected environment comes with an element of cyber risk and move to guard against these risks effectively, not adopt protectionist policies that could be limiting to our technological advancement.”