A month on from the revelations about the Chinese vendor’s potential involvement in the UK’s 5G network, PublicTechnology examines the key issues
A month ago, reports emerged that, against the advice of numerous members of the cabinet, prime minister Theresa May had approved plans to allow Chinese telecoms vendor Huawei to take part in the construction of the UK’s 5G network.
The decision – which, it should be said, is yet to be officially confirmed – comes following the commencement of a Telecoms Supply Chain Review in November last year. Secretary of state for digital, culture, media and sport Jeremy Wright is expected to present the results of this review to parliament in the coming weeks.
In the meantime, many others have conducted their own assessments of the situation and been more than happy to share their findings. Politicians, journalists, technologists, security professionals, and a range of other commentators have weighed in to a debate that shows no sign of losing heat or intensity.
It is a debate that is yet to find answers for a wealth of important questions. Here are five of the biggest:
What does ‘non-core’ mean?
It has been widely reported that Huawei will only be permitted to build so-called non-core parts of the network, such as antennas. The core of the network is understood to remain off limits to the Chinese vendor.
Speaking at the annual CyberUK event in Glasgow shortly after the Huawei news broke, chief executive of the National Cyber Security Centre Ciaran Martin said that the UK already keeps Huawei away from any parts of network infrastructure that might be considered sensitive.
“In terms of things… that underpin the intelligence-sharing capabilities of the Five Eyes alliance, that is not dependent on that type of equipment,” he said. “I can’t specify what the details of any pending announcement are going to be. But what I can say is that there is no way in which sensitive networks, such as those underpinning national security networks, would be impacted by any sort of involvement of this kind.”
But Martin added that splitting the constituent parts of a network into two categories is overly simplistic. More attention should be paid to how the network is secured, and the functions it enables, he said.
“Do not think of 5G networks – or indeed any telco networks – as some sort of amorphous blob where there is a bit called ‘sensitive’ and a bit called ‘non-sensitive’,” Martin said. “There are functions… there’s stuff that decides on how a network behaves, there’s stuff that makes requests to the centre of network – and indeed to other parts of the network – and there’s parts that transport [data].”
He added: “When you ask: ‘how do we protect national security information?’ To some extent, the way network architecture is constructed and configured matters, but in other ways it is about the encryption you put on it – [as well as] the monitoring, the people. This is a very, very complex network. It is not a question – as I understand it – of a big block called ‘sensitive networks’ and a big block called ‘non-sensitive networks’. You’ve assets and equities that you care about – you build those in such a way that you look after them properly. But you do not just build them and leave them.”
How are the risks being managed?
The idea that Huawei’s involvement in the UK tech scene and telecoms infrastructure poses a threat is nothing new. The Huawei Cyber Security Evaluation Centre (HCSEC) has existed since 2010.
The organisation exists “under a set of arrangements between Huawei and Her Majesty’s Government to mitigate any perceived risks arising from the involvement of Huawei in parts of the UK critical national infrastructure”, according to the organisation’s most recent annual report.
“Through HCSEC, the UK government is provided with insight into Huawei’s UK strategies and product ranges,” the report added. “The UK’s National Cyber Security… leads for the government in dealing with HCSEC and with Huawei more generally on technical security matters.”
HCSEC’s board is chaired by NCSC chief Martin, with a senior Huawei executive serving as deputy chair.
But the 2018/19 report makes it clear that the existence of HCSEC has not been enough to eliminate risk – indeed, the concerns about the potential security implications of the use of Huawei equipment seem to be growing.
HCSEC found that, not only had “no material progress… been made on the issues raised” in its previous report, but that, over the course of the year, it “continued to identify concerning issues in Huawei’s approach to software development bringing significantly increased risk to UK operators”.
“The board will require sustained evidence of better software engineering and cybersecurity quality verified by HCSEC and NCSC,” the report said. “Overall, the oversight board can only provide limited assurance that all risks to UK national security from Huawei’s involvement in the UK’s critical networks can be sufficiently mitigated long-term.”
Giving evidence to the DCMS select committee earlier this month, culture secretary Wright pointed out that the HCSEC oversight board’s concerns are “not that Huawei equipment is being co-opted by the Chinese state for espionage purposes, but that there are engineering deficiencies in that equipment that mean we should all be worried about it”.
For its part, Huawei has said that it “has never and will never” allow its technology to be used to spy on the government of the UK or any other country.
In a letter sent in February to the Commons Science and Technology Committee, president of the vendor’s carrier business group Ryan Ding said that there is no means by which the company could be compelled to “install backdoors” in its technology to enable spying.
“We would like to reiterate that Huawei has never received any such requests, and in the event that we did receive this type of request, we would categorically refuse to comply with it,” he added.
But Ding did acknowledge that “Huawei’s software engineering has room for improvement”.
“The company will initially invest $2bn (£1.55bn) over the next five years to comprehensively improve our software engineering capabilities,” he said. “This will help ensure that our products are better prepared for a more complex security environment both now and in the future.”
Will this affect our relationships with allies?
During Wright’s evidence session in front of his fellow MPs, DCMS committee member Clive Efford pointed out that the UK’s decision to allow Huawei to contribute to building the country’s 5G network stands in contrast to a number of other countries.
“There were a lot of concerns expressed, going back over a decade, about Huawei’s involvement in networks across the world, including countries with whom we are very friendly and co-operate with on security issues, which makes it all the more surprising that we have taken the decision that we have,” he said.
Among those nations to have, effectively, banned Huawei across the board is Australia.
Wright told the committee: “Australia has come to a particular conclusion, which is that they wish to exclude from the 5G network all equipment that may be biddable by another state. That is essentially the definition they have given it. That is not yet a conclusion that anyone else has come to. We will have to see what everyone else decides. Our primary responsibility, of course, is to decide what we think is best for the UK.”
Within a week of these words, the US took an even tougher stance with Huawei, placing the IT vendor on its so-called ‘entity list’ of firms that cannot do business with US companies. This embargo – which could deprive Huawei of key components needed to make its handsets and, in the longer term, prevent it from continuing to develop phones for the Android operating system – has effectively been suspended for three months, after Huawei was granted a temporary general licence to continue US trade.
At the CyberUK event, Martin took part in a public panel discussion alongside cyber-specialist representatives from each of the other member nations of the Five Eyes intelligence alliance: the US; Australia; Canada; and New Zealand.
Canada has yet to rule on whether to allow Huawei kit to form part of its 5G network. New Zealand has not banned Huawei, but blocked an attempt by one of the country’s major telecoms carriers, Spark, to include Huawei kit in its 5G rollout.
The US has reportedly encouraged its Five Eyes allies to shut the Chinese firm out but, speaking immediately after his appearance on-stage with his four counterparts, Martin played down the suggestion that US and UK authorities could find themselves at odds over Huawei.
“I don’t think there’s a sliver of difference, in terms of our analysis, [between the UK and] the US on our analysis on the operational and cybersecurity threat from China,” he said. “It is something that weighs heavily on all our minds, and it was only December 2018 when we joined with the US to attribute – for the first time – a major Chinese state-sponsored attack on global IT service providers.”
Martin added: “China, as a cyberthreat, is very much on our minds for all the reasons that myself and people in the US system have set out. But then… how to design telecommunications systems properly for the long-term is a bigger, and in some ways different issue, from the Chinese [threat].”
What about handsets?
Until last week, the examination of the potential security threat posed by Huawei had focused solely on the company’s possible contribution to network infrastructure. The firm’s line of smartphones was “by and large outside the scope” of the discussion, Martin said last month.
The US decision to place Huawei on its entity list has significantly broadened the issue. The issuing of a temporary general licence (TGL) means that Huawei can continue to provide support and software updates for Android phones – at least until 19 August 2019.
If no further such licence is granted beyond that, owners of Huawei handsets could find themselves unable to update their devices.
NCSC guidance for Huawei users published this week said: “In the short term, the main cybersecurity impact on Huawei’s existing handset customers would be on the availability of software updates for Android. There are different types of updates for Android which would be affected in different ways.”
It added: “The NCSC understands that the TGL allows companies to provide support and services to handsets that were available to the public before 16 May 2019. Each company will make its own choice about whether to do so. Customers should continue to update their devices as normal, in line with existing NCSC advice. Our advice will be updated if we become aware of any security concerns. The NCSC continues to assess the situation and will provide actionable advice for Huawei customers.”
Meanwhile, in recent days a number of major tech firms – and key Huawei suppliers – have effectively severed ties with the Chinese firm.
Chipmakers Intel, Qualcomm and ARM are all reported to have suspended their partnerships with Huawei, while the company’s US trade ban – which was instigated by a presidential executive order from Donald Trump – would mean that Google has no choice but to shut the telecoms firm out of Android software.
Even non-US firms are distancing themselves, with Japanese-headquartered Panasonic announcing today that it would no longer be supplying Huawei with components.
The company’s ability to continue competing in the smartphone business will hinge on its ability to restore these relationships, or replace them with new partnerships.
How does this affect the 5G rollout?
The attention paid to Huawei has somewhat directed focus away from what the company has been either allowed to do or prohibited from doing – helping to build national 5G networks.
In his select committee evidence session, DCMS secretary Wright stressed that “there is a real reason why we need 5G, and why we need to be, and should want to be, globally competitive in 5G”.
All four of the major mobile network operators – O2, EE, Vodafone, and Three – are due to launch 5G services in the UK this year. Big cities such as London, Belfast, Edinburgh, Cardiff, Birmingham, and Manchester will largely be the first to benefit. Widespread coverage throughout the UK is not expected for several years.
DCMS committee member Giles Watling asked Wright whether he believed that security concerns could cause “a serious hold-up in the rollout of 5G… which might, indeed, cost the economy billions of pounds”.
“There is certainly the possibility of a delay in the process of the rollout of 5G,” the culture secretary responded. “If you want to do 5G fastest, you would do that without any consideration for security. But we are not prepared to do that, so I do not exclude the possibility that there will be some delay.”
He added: “Of course, the way in which we approach this, based on security considerations, will determine how long the delay might be. The more you want to restrict this kind of material from the network, the longer the delay is going to be. That is the reality of it. However, as I have said, the primary intention of this process is to get the security of the network right. I will not sacrifice either the speed of delivery of the network or the cost of the delivery of the network for the security imperative.”
Huawei, meanwhile, is continuing – publicly at least – to invest in and expand its UK operations. This includes the recent announcement of plans for a training centre in Birmingham which will provide training on 5G products and services to 500 engineers each year.
Speaking at the company’s annual UK Partner Summit in London this month, chairman of the Huawei board Liang Hua told attendees that “there is a lot Huawei can contribute” to the UK’s 5G ambitions.
“We are in a leading position for 5G,” he said. “We participated in the UK government’s 5G trials and are ready to support our customers’ commercial 5G launches in the UK.”
This article is part of the Government Cybersecurity Index – two weeks of content on PublicTechnology focused on the state of data protection and security across the public sector.