UK calls Huawei a ‘high-risk vendor’ but accepts it for 5G

UK calls Huawei a ‘high-risk vendor’ but accepts it for limited 5G role

28 January 2020 | Alan Burkitt-Gray

Cover

UK mobile operators will be able to use Huawei equipment in their new 5G networks, but only in limited parts of their infrastructure, and only to a limited percentage, because it is a “high-risk vendor”.

Nicky Morgan (pictured), the Secretary of State for Digital, Culture, Media and Sport, listed the areas from which “high-risk vendors” should be excluded, though she did not mention Huawei by name.

However, briefings made it clear that the government means Huawei by this expression.

The company is banned from all safety related and safety critical networks in critical national infrastructure and security critical network functions.

She said Huawei, again not named, but implied, will be “limited to a minority presence in other network functions to a cap of up to 35%”. It will be “subjected to tight restrictions, including exclusions from sensitive geographic locations”.

Dominic Raab, the UK’s Secretary for Foreign Affairs, which looks after intelligence matters, was due to follow up with a formal announcement in Parliament this afternoon, when he will repeat that Huawei equipment must not be used in the core of the operators’ networks.

The four operators concerned – BT’s EE, Telefónica’s O2, CK Hutchison’s Three, and Vodafone – have not so far commented on the decision, but Huawei was fast to respond.

Huawei vice president Victor Zhang, who runs the Chinese company’s UK office, said: “Huawei is reassured by the UK government’s confirmation that we can continue working with our customers to keep the 5G roll-out on track. This evidence-based decision will result in a more advanced, more secure and more cost-effective telecoms infrastructure that is fit for the future. It gives the UK access to world-leading technology and ensures a competitive market.”

However, earlier statements made by sources close to the government were clear about the risks. One source told the Guardian newspaper: “We are clear-eyed about the challenge posed by Huawei, which we today confirm is a high-risk vendor.”

But the UK government is insisting that its security services and cyber security experts “know more about Huawei than any country in the world”, in the Guardian source’s words, and are confident they can manage the risk.

All Huawei systems are studied in detail by a specialist team of security experts, paid for by Huawei but employed by the UK’s intelligence services, in a high-security unit.

In its report last year this unit, the Huawei Cyber Security Evaluation Centre (HCSEC), said that it had discovered “several hundred vulnerabilities and issues” that it has reported to operators in the past year. “Some vulnerabilities identified in previous versions of products continue to exist.”

It judged these to be engineering failures rather than attempts by Huawei to plant back doors through which information could be extracted.

Today’s decision was taken by the National Security Council (NSC), a committee that is chaired by the Prime Minister, Boris Johnson. Last year the NSC proposed that Huawei should be allowed “limited access to help build parts of the network such as antennas and other ‘non-core’ infrastructure”. Today's decision has formalised that statement. 

Huawei’s Zhang said today: “We have supplied cutting-edge technology to telecoms operators in the UK for more than 15 years. We will build on this strong track record, supporting our customers as they invest in their 5G networks, boosting economic growth and helping the UK continue to compete globally.”

He added: “We agree a diverse vendor market and fair competition are essential for network reliability and innovation, as well as ensuring consumers have access to the best possible technology.”

Joe Barrett, president, of the Global Mobile Suppliers Association (GSA), of which Huawei and other vendors are members, said: “The mobile telecommunications industry has always been mindful of the importance of delivering secure services to users and has pioneered network security over many decades. However, all experts acknowledge that the threat landscape is continuously evolving, and that systems must respond to changes by renewing approaches to security.”

He added: “Operators and equipment vendors are working together to develop cybersecurity testing approaches that reflect the way 5G networks will be used. GSA believes that this collaborative approach is critical in delivering end-to-end security of 5G communications and services.”

Paul Beastall, head of strategy at research and design company Cambridge Consultants, welcomed the decision: “The government has struck an artful and sensible compromise. Now it’s time to turn our attention to the many transformative applications for 5G technology.”

Beastall, who also chairs of the UK5G test beds and trials working group, said 5G “means much more than faster speeds to and from our smartphones. The advantages in reliability and latency mean we can now look forward to a new mobile revolution. The new applications that particularly excite me include autonomous vehicles, much wider access to virtual reality and augmented reality, and smart agriculture, where we can digitise farming, bringing huge benefits in precision and efficiency.”

In her statement, Morgan said there will be legislation for “a new comprehensive telecoms security regime”, to be overseen by the regulator and the government.

“The Government is developing an ambitious strategy to help diversify the supply chain,” she said, calling for more vendors to come into the UK market. Morgan wants to adopt “open, interoperable standards that will reduce barriers to entry”, and supported “the emergence of new, disruptive entrants to the supply chain”.

Huawei’s Chinese rival, ZTE, is already excluded from certain telecoms functions. In 2018 Ian Levy, technical director of the National Cyber Security Centre (NCSC), which is part of one of the UK’s intelligence agency, wrote to “a limited number of telecommunications organisations” about risks he said came from ZTE equipment and services.

ZTE is state-owned, though some of its shares are quoted in the Shenzhen and Hong Kong stock exchanges. In contrast, Huawei is owned by those of its employees who are shareholders and has always insisted there is no state ownership.

Levy said in 2018 that the NCSC believes “that the national security risks arising from the use of ZTE equipment or services within the context of the existing UK telecommunications infrastructure cannot be mitigated”.