The UK’s National Security Council (NSC) has reportedly approved the use of Huawei’s networking equipment in non-core parts of future 5G mobile networks, risking the wrath of key allies around the world.
The decision was made yesterday at a meeting of the NSC, which is chaired by prime minister Theresa May, and came despite apparent objections from, among others, defence secretary Gavin Williamson, home secretary Sajid Javid, international development secretary Penny Mordaunt and international trade secretary Liam Fox.
The news leaked just hours before representatives of the Five Eyes security alliance (Australia, Canada, New Zealand, the UK and the US), including GCHQ head Jeremy Fleming, shared a joint public platform for the first time ever at the National Cyber Security Centre’s (NCSC’s) CyberUK conference, currently under way in Glasgow, and ahead of a planned visit by chancellor Philip Hammond to China later this week.
The decision comes in spite of March’s damning report from the NCSC’s Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board, which said the HCSEC’s work “continued to identify concerning issues in Huawei’s approach to software development, bringing significantly increased risk to UK operators” and accused Huawei of making “no material” progress on addressing issues that it had raised in its previous report last year.
Foreign Affairs Committee chair Tom Tugendhat spoke out against the NSC’s decision. “Allowing Huawei into the UK’s 5G infrastructure would cause allies to doubt our ability to keep data secure and erode the trust essential to #FiveEyes cooperation. There’s a reason others have said no,” he tweeted.
In a subsequent appearance on the BBC’s Today programme, Tugendhat claimed that because of how 5G networks were being built, it was hard to distinguish between core and non-core parts of the network.
“5G does change from a faster internet system into an internet system that can genuinely connect everything, and therefore the distinction between non-core and core is much harder to make,” he said.
In response to the leak, a government spokesperson said: “National Security Council discussions are confidential. Decisions from those meetings are made and announced at the appropriate time through the established processes.
“The security and resilience of the UK’s telecoms networks is of paramount importance.
“As part of our plans to provide world-class digital connectivity, including 5G, we have conducted an evidence-based review of the supply chain to ensure a diverse and secure supply base, now and into the future. This is a thorough review into a complex area and will report with its conclusions in due course.”
The NSC’s decision risks enflaming the wrath of the US government, which has enacted an outright ban on Huawei equipment itself, and warned its allies that to allow the use of Huawei in critical national networks risked endangering future military and intelligence cooperation with the US.
US secretary of state Mike Pompeo has repeatedly attacked Huawei and issued thinly-veiled threats against European countries, such as Germany and the UK, that have signalled they may take a more pragmatic approach.
On 20 April 2019, The Times reported that the US had shared intelligence with its Five Eyes allies proving that Huawei had taken money from China’s People’s Liberation Army, its National Security Commission, and a third, undisclosed branch of the Chinese state intelligence network.
Speaking at last week’s Huawei Analyst Summit in Shenzhen, Huawei’s global cyber security and privacy officer, John Suffolk, said that in the face of US pressure over the UK’s use of Huawei, Westminster should collaborate with its European neighbours on network security standards, whether the UK remains part of the European Union (EU) or not.
“They should treat all suppliers the same, so that, in essence, it benefits from the best technology in a risk-managed way,” said Suffolk. “That’s what I’d advise the government. Get your policies right. Think what is in the best interest of UK citizens and enterprises overall, and maximise innovation.”
Diverse supply chain
Nevertheless, the NSC’s decision to approve limited use of Huawei equipment appears to reflect the views of both GCHQ’s Fleming and the NCSC CEO Ciaran Martin, both of whom have argued that it is safe to use the supplier’s hardware as part of a balanced and diverse supply chain.
In a speech in Singapore in February, Fleming said there were three pre-conditions for securing the UK’s 5G network infrastructure.
“First, we must have stronger cyber security practices across the telecommunications sector,” he said. “The market is configured in a way that does not incentivise good cyber security. That has to change.
“Second, telecoms networks must be more resilient. Vulnerabilities can and will be exploited, but networks should be designed in a way that cauterises the damage.
“Third, there must be sustainable diversity in the supplier market. A market consolidated to such an extent that there are only a tiny number of viable options will not make for good cyber security.”
Vodafone, which has worked alongside the NCSC to conduct risk assessments of how its existing and future mobile networks might be exposed to cyber security threats if Huawei was shown to be a bad actor, has taken a similar line.
The operator already excludes Huawei from its core 4G infrastructure and uses its hardware sparingly in non-core areas of the network. Its UK CTO, Scott Petty, has gone on record as saying this would also be the case when it came to 5G.
“Our belief is that by having a healthy supplier ecosystem with the right levels of interoperability and security between them – and our risk assessment based on the guidance from the NCSC – we can create an infrastructure where we can leverage Huawei so it can sense and protect the important parts of our network,” said Petty at a media roundtable event earlier in 2019, which was attended by Computer Weekly.