Huawei is given permission to build noncritical parts of the network, despite U.S. security concerns
As widely expected, the UK government today decided to allow Huawei’s network equipment to play a limited role in its national 5G networks. After a security review, the UK’s National Security Council (NSC) made the decision today following a meeting chaired by Prime Minister Boris Johnson.
British officials from senior government departments held a meeting last Wednesday and made the recommendation to allow the world’s #1 network equipment vendor to play a “limited role” in national 5G networks. Today, that recommendation was made final.
Huawei is the leading 5G global network equipment vendor, with relatively few alternative providers — such as the European firms Ericsson and Nokia — none of whom are considered to offer a like-for-like option at this stage.
UK Digital Secretary Baroness Morgan said:
“We want world-class connectivity as soon as possible but this must not be at the expense of our national security. High-risk vendors never have been and never will be in our most sensitive networks.
“The government has reviewed the supply chain for telecoms networks and concluded today it is necessary to have tight restrictions on the presence of high-risk vendors.”
Huawei has been under scrutiny over alleged ties to the Chinese government, an allegation the company has repeatedly denied. The U.S. has urged the UK to ban equipment from the Chinese vendor over national security concerns and American officials issued their British counterparts with a dossier highlighting perceived risks earlier this month.
The UK has always maintained that any decision on Huawei would be evidence-led and based on its own reviews, but the result will nonetheless anger the U.S., which has been pushing for Huawei to be totally banned from the 5G networks of its allies.
Huawei, and other “high-risk” vendors, will face the following restrictions:
- Excluded from all safety-related and safety-critical networks in critical national infrastructure.
- Excluded from security-critical ‘core’ functions, the sensitive part of the network.
- Excluded from sensitive geographic locations, such as nuclear sites and military bases.
- Limited to a minority presence of no more than 35 percent in the periphery of the network, known as the access network, which connects devices and equipment to mobile phone masts.
The cap of no more than 35 percent on Huawei's presence in the periphery of the overall 5G network is particularly interesting. This restriction ensures that if Huawei’s equipment were later compromised, or deemed too risky, around two-thirds of the UK’s 5G network would remain unaffected.
The UK is…
John Strand of Strand Consult wrote today in a note to subscribers:
- The decision relates to the use of Huawei equipment in the United Kingdom. In practice, this means that the May 2018 total ban on ZTE equipment by the UK’s National Cyber Security Centre will continue.
- Huawei are now classified as a high risk vendor following the conclusions of the Telecoms Supply Chain Review.
- The use of Huawei equipment will be prohibited in core networks. This means that the backbone of UK mobile networks must not contain Huawei equipment. This policy demonstrates that UK authorities recognize the risk of equipment made by entities affiliated with the Chinese government. If Chinese-made equipment was safe, Huawei equipment would not be prohibited from the network core.
- The use of Huawei in the radio access network (RAN) will be limited to 35 percent of the active equipment. This limits the amount that Huawei can sell in the UK. It also means that UK operators will have to prioritize network upgrades in the Western part of the country where Huawei equipment is largely deployed. In practical terms, it will not be possible for an operator to use Huawei for more than 35 percent of the equipment and then use another Chinese or Huawei-white labeled product for the rest of the network, or a portion thereof. The goal of the policy is to limit equipment from Chinese owned and/or affiliated entities, even if it is not explicitly written.
- The use of Huawei equipment will be expressly prohibited in sensitive geographical areas in the UK, areas selected for national security reasons. Indeed, this is already practiced in France where Huawei equipment is restricted in Toulouse, home of Airbus and the European aerospace industry. A similar policy exists for Brest where French nuclear submarines are located. Read more about the French decision.
Overall, the UK policy will send a strong signal to the rest of Europe and the world that the use of Chinese equipment poses a security risk and should be limited. The UK and French decisions were developed to protect industries, institutions, and assets of national importance in specific geographical areas.
The U.S. model restricts its military from using Huawei and ZTE, regardless of location. Moreover, the Federal Communications Commission prohibits the use of its subsidies for the purchase of Huawei and ZTE equipment and is considering the requirement of removal of Huawei equipment for future subsidies.
Additional US policy restricts American firms from transacting business with Huawei for sensitive technologies. US telecom operators, noting the risk, have largely opted not for Huawei or ZTE, outside of a few exceptions. This is explained in Strand Consult’s research note “The pressure to restrict Huawei from telecom networks is not driven by governments, but the many companies that have experienced hacking, IP theft, or espionage.”
The UK’s new policy is a step in the right direction, and it underscores the need for greater scrutiny of technology from firms owned and/or affiliated with the Chinese government. The security risks are real and networks are a key vulnerability. Indeed, scrutiny should extend beyond the network equipment to other vulnerable products and services; systems can be compromised by devices attached to networks as well as from software running over it. See Strand Consult’s research note “The debate about network security is more complex than Huawei. Look at Lenovo laptops and servers and the many other devices connected to the internet.”
Strand Consult expects that the security standards required for public safety networks will be strengthened and translated to commercial telecom networks. It is likely that some UK operators will claim that the new policy will be unduly expensive. Strand Consult examines such claims in the report “The real cost to rip and replace Chinese equipment from telecom networks.”
Notably 2G / 3G / 4G equipment must be replaced anyway in the move toward 5G. Huawei is not the only vendor, and alternatives are price competitive. Moreover, when it comes to 5G, network rollout policy is far more consequential than the choice of equipment vendor. The view that Huawei is necessary for 5G is a myth; indeed, the US has taken a leadership position on 5G without using Huawei equipment.
Looking at the historical facts, it is not difficult to find operators which have swapped their networks with a new supplier. This need not come as a premium for shareholders. Strand Consult reviews the financial data and case studies from the major network swap it observed in 2010 – 2016.
The UK government, with Boris Johnson at the forefront, can improve the prospects for 5G in a meaningful way. In the UK, as in many other countries, it is both difficult and expensive to build mobile infrastructure. Strand Consult’s analysis shows that the terms and costs associated with obtaining permits and leasing land for mobile masts and towers are artificially expensive. In the UK, operators have for many years and with limited success tried to change the terms.
In Denmark, on the other hand, Strand Consult has helped to create transparency so that authorities get the information they need to create the needed rollout policies. As a result, the total rental costs for mobile operators have fallen by over 20 percent, and it has become significantly cheaper and easier to upgrade and build existing and new mobile infrastructure. Learn more about the project here: “How to deploy 5G: Best practices for infrastructure, regulation and business models.”
Huawei will likely claim that the UK decision doesn’t hurt its prospects. This is probably to save face. The fact is that Huawei will be subject to increased restriction and will not be able to enlarge its market share. Moreover, there is no change on the ZTE ban. The UK makes clear that Chinese equipment is not allowed in the core network. Moreover, when it comes to RAN, there are also strict limitations.
In September 2018, a Canadian official argued that allowing Huawei to operate improves security. If a specific vendor’s equipment is compromised, having others in operation means less of the overall network is affected.
While Huawei will be breathing a sigh of relief at the UK’s decision – so will the country’s providers. In a statement, BT wrote:
“This decision is an important clarification for the industry. The security of our networks is an absolute priority for BT, and we already have a long-standing principle not to use Huawei in our core networks. While we have prepared for a range of scenarios, we need to further analyse the details and implications of this decision before taking a view of potential costs and impacts.”
All four of the UK’s major operators had already begun deploying 5G equipment from Huawei. Stripping Huawei’s gear and buying and installing replacements would have been costly and time-consuming.
Andrew Stark, cybersecurity director at Red Mosquito, said:
“With Huawei kit already integral to the UK 3G and 4G networks, shifting to 5G with them offers the path of least resistance and increases chances of telecom companies meeting tight roll-out targets. There are currently only two other tech players capable of providing hardware for 5G, namely Nokia and Ericsson.”
The UK says its decision was made after the NCSC “carried out a technical and security analysis that offers the most detailed assessment in the world of what is needed to protect the UK’s digital infrastructure.”
However, not all of the UK government will be so welcoming of today’s news. Conservative MP Bob Seely recently said “to all intents and purposes [Huawei] is part of the Chinese state” and involving the company would be “to allow China and its agencies access to our network.”
While UK intelligence officials clearly decided the benefits outweigh the risks, several concerns have been raised about Huawei’s equipment in recent years.
The dedicated Huawei Cyber Security Evaluation Centre (HCSEC) reported in 2018 that it could no longer offer assurance that the risks posed by the use of Huawei’s equipment could be mitigated following the “identification of shortcomings in Huawei’s engineering processes”. Concerns were raised about technical issues limiting security researchers’ ability to check internal product code and the sourcing of components from outside suppliers which are used in Huawei’s products.
A follow-up report from HCSEC in March 2019 slammed Huawei as being slow to address concerns and claimed that “no material progress has been made by Huawei in the remediation of the issues reported last year, making it inappropriate to change the level of assurance from last year or to make any comment on potential future levels of assurance.”
Just a month earlier, the Royal United Services Institute (RUSI) – the world’s oldest independent think tank on international defence and security – warned about the use of Huawei equipment: “It is far easier to place a hidden backdoor inside a system than it is to find one.
“In the likely, but unacknowledged, battle between Chinese cyber attackers and the UK’s Huawei Cyber Security Evaluation Centre, the advantage and overwhelming resources lie with the former.”
The UK’s approach to Huawei has been decided, but it doesn’t feel like the end of the debate.