Huawei You GO! UK Green Lights Firm for non-Core Telecoms Kit
After a protracted period of uncertainty the UK Government has today confirmed that kit from Chinese technology giant Huawei and other “high risk vendors” will be banned from the “sensitive” core of future UK 5G and “gigabit-capable” fixed broadband ISP networks, although non-core 5G kit (antennas, street cabinets etc.) will be exempt.
The decision appears to uphold an unofficial ruling made by the former Prime Minister, Theresa May, last year (here). Some had been wondering whether the new PM, Boris Johnson, would take a tougher line, particularly given his close alignment to Donald Trump (President of the USA), although in the end he appears to have upheld May’s decision.
Part of the reason for today’s decision is likely to be because completely banning Huawei could make the rollout of new “gigabit-capable” 5G, and possibly also fixed broadband ISP networks, both much slower and more expensive to achieve. This in turn would have impacted Boris’s recent £5bn pledge to ensure that every UK home can access gigabit (1Gbps) speed broadband networks by the end of 2025.
On the other hand 5G networks do seem set to increasingly blur the lines between core and non-core components, especially with the rising adoption of cloud-based and software defined networking (SDN) methods. Policing the new non-core rule could thus prove to be quite a challenge as networks evolve.
The Prime Minister chaired a meeting of the National Security Council (NSC) today, where it was agreed that the National Cyber Security Centre (NCSC) should issue guidance to UK Telecoms operators on high risk vendors following the conclusions of the Telecoms Supply Chain Review.
The advice is that high risk vendors should be:
* Excluded from all safety related and safety critical networks in Critical National Infrastructure.
* Excluded from security critical ‘core’ functions, the sensitive part of the network.
* Excluded from sensitive geographic locations, such as nuclear sites and military bases.
* Limited to a minority presence of no more than 35% in the periphery of the network, known as the access network, which connect devices and equipment to mobile phone masts (this will be kept under review to determine whether it should be further reduced as the market diversifies).
The government will now seek to legislate “at the earliest opportunity” to put in place the powers necessary to implement this tough new telecoms security framework. However at first glance that 35% rule might force some mobile operators to diversify their supply chains more, which may be harder to do in the mobile than fixed line environment (Openreach already seem to be doing this – here).
Baroness Morgan, UK Digital Secretary, said:
“We want world-class connectivity as soon as possible but this must not be at the expense of our national security. High risk vendors never have been and never will be in our most sensitive networks.
The government has reviewed the supply chain for telecoms networks and concluded today it is necessary to have tight restrictions on the presence of high risk vendors.
This is a UK-specific solution for UK-specific reasons and the decision deals with the challenges we face right now.
It not only paves the way for secure and resilient networks, with our sovereignty over data protected, but it also builds on our strategy to develop a diversity of suppliers.
We can now move forward and seize the huge opportunities of 21st century technology.”
The government said they were “certain” that these measures, taken together, will allow them to mitigate the potential risk posed by the supply chain and to combat the range of threats, whether cyber criminals, or state sponsored attacks. “Today’s decision marks a major change in the UK’s approach that will substantially improve the security and resilience of our critical telecoms networks,” said the announcement.
The move follows an earlier report from the oversight board of the Huawei Cyber Security Evaluation Centre (HCSEC), which warned that “further significant technical issues” had been identified in Huawei’s engineering processes, leading to “new risks in the UK telecommunications networks” (full summary). At the same time it also said that “no material progress has been made by Huawei in the remediation of the issues.”
The board said it could “only provide limited assurance” that all risks to national security from Huawei’s involvement in the UK’s critical networks could be sufficiently mitigated long-term. Naturally Huawei has always denied accusations that they are a security threat and in a public letter said, “Huawei has never and will never use UK-based hardware, software, or information gathered in the UK or anywhere else globally, to assist other countries in gathering intelligence. We would not do this in any country.”
However, critics of the company often point toward China’s new National Intelligence Law, which was passed in 2017 and demands that organisations “support, co-operate with and collaborate in national intelligence work.” The absence of true democracy in China might thus, they argue, make it very difficult for any company to refuse such a request.
Meanwhile Donald Trump has taken a much stricter line and effectively banned companies around the world from working with Huawei, with some exceptions. The move has stunted the firm’s Smartphone and other consumer products, such as by removing access to Google’s popular Apps, although that aspect is less relevant to their mobile and broadband infrastructure business.
The difficulty for telecoms operators is that Huawei makes generally good and affordable kit. A lot of operators and broadband ISPs are already working closely with the Chinese firm in order to deploy new networks (e.g. 5G and fibre broadband) and any aggressively imposed restrictions would thus impact those plans. The alternatives from Ericsson, Nokia and Samsung are not as attractive to many operators (ZTE is another but they’ve already been effectively banned).
Meanwhile BT (EE) has already confirmed that they’ve removed related kit from their core mobile network (here) and Vodafone have “paused” similar deployments, albeit reluctantly, into their core (here). So far none of the operators have applied such measures to the less sensitive non-core part of their networks. For its part O2 has decided to skip the debate and go with 5G kit from Ericsson and Nokia.
Closing Thoughts
Operators have long warned that they can’t do 4G without 5G and any impact on the supply chain would thus have far reaching consequences. As such it looks like Boris, who was told by operators that his plans for “gigabit-capable broadband” might be in jeopardy if he didn’t show some flexibility, has blinked in the face of such a stark reality. Meanwhile many will be watching to see how the USA reacts.
At this point we haven’t really touched on the substances of the key security fears that surround Huawei and which are the trigger for all of this. One reason for that is because such issues are a matter for national security and intelligence agencies (i.e. they’re secret), which is virtually impossible for ordinary folk to judge. We wouldn’t be so bold as to assume we know better than they.
Furthermore it seems unlikely that so many countries would be creating such a fuss if there wasn’t a serious concern. At this point it’s worth remembering that such concerns have been around since long before Donald Trump came to power, although he has seemingly now linked much of it to the USA’s trading relationship with China, which adds a political dimension to what was once more of a debate about security.
UPDATE 2:12pm
Openreach has declined to comment but O2 (Telefonica UK) has responded.
An O2 Spokesperson said:
“Huawei kit makes up less than 1% of our owned network infrastructure. We will continue to develop our 5G network with minimum disruption with our primary vendors Nokia and Ericsson. Whilst we agree with the government that diversity of supply is the best way to serve customers, careful consideration must be given to the distinction between ‘core’ and ‘non-core’ as 5G networks develop and evolve. We’ll now take time to review the full report.”
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on X (Twitter), Mastodon, Facebook and Linkedin.
« Ofcom Drop Probe of BT Excess Construction Charges for Biz Lines
FACTCO Bring 10Gbps Broadband to 180 Baltic Creative Firms »
Latest UK ISP News
- FTTP (5579)
- BT (3528)
- Politics (2552)
- Openreach (2309)
- Business (2282)
- Building Digital UK (2252)
- FTTC (2050)
- Mobile Broadband (1990)
- Statistics (1797)
- 4G (1680)
- Virgin Media (1639)
- Ofcom Regulation (1472)
- Fibre Optic (1406)
- Wireless Internet (1399)
- FTTH (1382)
Biggest mistake ever by Tory Government. Shouldn’t go ahead afterall.
Shush please, Phil. It’s fine.
Bigger than cancelling a country-wide fibre roll-out at the last minute in the 90s?
From a sec perspective its a dumb move but from a rollout persp its a obvious choice. Hard to square that circle.
I have sympathy for both sides of the debate, it’s an extremely difficult and complex issue to resolve.
Frankly the only people who can have a hope are those with the security analysis. (I tend to the view that if you wanted to hack a company or gov dept doing so via their own network will be far more effective than what you can achieve via 5g exploits.
I wonder if they intend to try to reduce that % or if that is just fig leaf. Cant see providers will want to remove kit other than at natural upgrade points.
The issue isn’t the data itself but data that surrounds it.
If for instance you can see where data is coming from you then have other attack surfaces.
Look at Enigma – the real thing was the traffic analysis – in some cases it wasn’t necessary to decrypt to know what the message said – timing, location and length were enough.
Event A happens in the public sphere. Civil Servant Z (who you know is the responsible party) then calls consultant R, consultant R calls consultant F. Then you understand a decisional mindset and how to influence it by inviting F to be visiting professor of ABC.
Arguably the scenario you mention could/does happen conventionally.
Not saying there is 0 risk just is that risk sufficiently serious -v- the economic case.
Of course if other providers were not so far behind this argument would not have to happen.
I personally think the main push from the US is trade driven and not security related. I would think that handsets and other customer devices are a much more likely security target. I believe that data theft is particularly difficult once in operator’s network as almost all traffic of any value is encrypted before it enters the operators network. A more tangible threat is DoS where the network could potentially be brought down. I don’t believe it was ever wise to put a single point of failure in a critical system – so with this in mind I believe that diversity of suppliers in critical network infrastructure is important. As a closing thought, I am not sure I fully trust the Americans with my data either or the UK’s infrastructure or indeed the UK government. Personally I think having Huawei as part of a mix of suppliers isn’t a bad decision in itself. In the short term 5G isn’t very critical from a DoS perspective and in the mid term making an effort to diversify in all areas of the network makes sense to me.
Apparently the US asked Huawei for back doors in 2014 and they were rebuffed, hence why they are now being targeted.
Whether it is Huawei, Nortel, Ericsson or others, access to the control software and routes to firmware need to be protected. The UK providers appear to have demonstrated they have a handle on this and hence the compromise. Inevitably providers will move to white box strategies and involvement of vendors such as Huawei will decline. Short term we may now see more 5G product announcements as Huawei peripheral kit flows again. There may now be a imputis on a 5G+ and 6G as the US took its eye of the ball regarding research/patents for 5G.
However it is not just networks it is relevant to all major platforms such as Azure, Google, AWS and any company that runs a significant IoT service. SONOS were recently criticised regarding a proposal to turn off support for their older products and more seriously their discounted upgrade process resulting in the old traded-in product being bricked remotely. If a company can do that intentionally what would be the impact of malicious intent?
Huawei have been accused of being too close to the Chinese government but the big US companies should not be assumed to be immune from hacking (internally or externally) or from their Government’s intervention.
Its not they are immune its they are not under the control. The scale of C hacking (economic) is vast and wholly diff to the NSA/GCHQ which is security based.
So I take it that everyone is just going to ignore the fact that NSA have been known to backdoor CISCO, Juniper and many other top brands of Network equipment just so they can sniff and spy.
I mean the real issue with Huawei is that the Chinese Gov. are doing exactly what the NSA and GCHQ are doing!
OH Silly me western Gov’s are faaaaar more trust worthy than Eastern Gov’s …StuxNet, EMERALDTHREAD, EDUCATEDSCHOLAR, ECLIPSEDWING, ESKIMOROLL, ETERNALBLUE, ETERNALSYNERGY, ETERNALROMANCE, ETERNALCHAMPION.
lmfao
Apparently the issue is the economic espionage aspect, not so much the security.
Although personally I think they are targeting Huawei for other reasons (they refused to put backdoors in for the US in 2014).
I’m just speculating here but could this be the reason why Three is lagging behind with their roll out as they probably were installing huawei equipment and were waiting for a decision putting everything on hold until then ?
No, because Three are always late to the party, with too little, too late.
I think it’s funny GCHQ were bitching about the effect of snooping and what a security risk it could pose – more like they wanted to be the only ones
I would agree with that.
https://www.ncsc.gov.uk/blog-post/the-future-of-telecoms-in-the-uk
Well worth reading
That O2 response is rather misleading isn’t it?
“Huawei kit makes up less than 1% of our owned network infrastructure”
Yeah, but what about the large chunks of the network that you share with Vodafone, who do use Huawei RAN equipment.
Still, at least they can be warm and fuzzy about their Ericsson packet core – the bit that spectacularly failed a couple of years ago (as did a few other operators’ networks, worldwide)
It’s not misleading they said “Huawei kit makes up less than 1% of our owned network infrastructure. ” which is probably correct they do also use Vodafone infrastructure but that’s owned by Vodafone they are ate talking about infrastructure they own.