‘Remove Huawei from network cores’, MPs tell UK government
Huawei’s equipment should be removed from the core of UK networks, says a committee of the UK Parliament.
But there are no technical grounds for excluding Huawei entirely, adds the Science and Technology Committee of the House of Commons.
In the committee’s contribution to the UK government’s review of the telecoms supply chain, Norman Lamb MP, chair of the committee, says: “We have found no evidence from our work to suggest that the complete exclusion of Huawei would, from a technical point of view, constitute a proportionate response to the potential security threat posed by foreign suppliers.”
Indeed, Lamb goes on – in his letter to Jeremy Wright, the UK government’s secretary of state in charge of telecoms issues – to suggest that the country’s National Cyber Security Centre (NCSC) should extend to other vendors the rigour with which Huawei equipment and software is scrutinised.
The committee met representatives from across the industry for its enquiry, including Huawei’s John Suffolk, its global cyber security and privacy officer. He told MPs, who had asked about compliance with the law: “The challenge always comes in instances where the law is silent on matters, doesn’t it? For example, most laws don’t say, ‘Do not build in backdoors.’”
He added: “We as a vendor have never been asked to do anything that weakens the security of our product for any of our customers in any country.”
Suffolk, who was chief information security officer for the UK government before joining Huawei in 2011, told MPs that the Chinese company does not make monitoring hardware. “In the UK, any request for lawful interception from law enforcement agencies would be made directly to the relevant telecoms operators, and not to Huawei. Huawei would have no role in an operator’s compliance with such a request.”
He said: “We have never had a request from [the] Chinese government to do anything to compromise our security position.”
The MPs also heard from technology experts on the topic of backdoors into networks. Oxford University’s Professor Andrew Martin said: “I think if you were designing a backdoor, your very first task would be to make it look like a mistake. … there would be no way to tell whether it was a mistake or deliberate. … You could, I suppose, design something that was easier to exploit, but that would be almost the proverbial smoking gun, so I do not think you would do that. You would make it look like a mistake.”
The committee was joined by Julian Lewis MP, chair of the Defence Select Committee, who asked: “If we were in a conflict with an adversary, would there be any greater danger arising from our dealing with a firm like Huawei, for example, than from our dealing with a firm from another country with which we were in a less adversarial relationship?”
Martin talked about the complexity of supply chains: “We may be dealing with one vendor, but they may get their components from another place. Indeed, the vulnerabilities within any particular piece of equipment may not be under the control of the management of the vendor in question anyway; there may be some other party who wants to sell them to a third party.”
Alf Zugenmaier, professor at the Munich University of Applied Sciences, noted: “Your supply chain is not just linear … [so] if you really wanted to subvert some function, there are many places where you could do so. … If Governments are worried about the security of networks, it would make more sense for them to have requirements on the quality of security than on a label on a box that says ‘shipped from’.”
Later on, Vodafone CTO Scott Petty told the committee: “The software code itself may have been written by Huawei, but the compiler that they used to compile that code is a US product. If they were no longer able to use that compiler [because of the US embargo], they would no longer be able to update their software, and that vulnerability would take much longer to be fixed than would otherwise be the case.”