- Industry looks set to be given three years to firewall Huawei, with potential 35% cap on High Risk Vendors.
- Security officials position the decision as largely a clarification and formalisation of current restrictions, but potentially stringent caps will spark immediate change in industry security and procurement strategies.
- UK capex should be unlocked for NGN investment and risk-mitigation, with next-gen vendors boosted.
- Oversight of the industry to remain key, and Ofcom may see its extensive remit expanded even further, working with GCHQ’s cybersecurity arm.
In late‑January 2020, the UK government publicly confirmed that it was not minded to impose an outright ban on the use of equipment from Huawei Technologies.
Based on advice from the National Security Council (NSC), the country is to impose restrictions on the use of technology from any entity considered a “high risk vendor” (HRV), with the Chinese technology giant the clear principal subject of the policy.
The headline impact from the decision was the capping of the collective presence of any technology provided by vendors considered a high risk to infrastructure security at 35%. Implementation of the cap will inevitably prove more complicated and intricate, and while detailed (and often prescriptive) initial guidance has been issued to the industry on the expected outcomes and impacts of the decision (see below), fully codified rules are yet to be completed.
With its initial statement of intent, the government is targeting three specific objectives:
- Fundamental upgrade of security for all UK operators.
- Drastic shake up of the supply chain.
- Managing specific HRVs.
Publication of the planned restrictions and guidelines enabled all sides to claim victory, and prompted considerable speculation on the likely changes in the UK telecoms ecosystem. Beyond the hot-takes, however, there are likely to be serious implications for operators, vendors large and small, and the political and regulatory overseers of the sector that will flow from the final determinations of the security authorities and how this is implemented by the government.
At this stage, the government has officially decided there is a problem, and promised a solution. It has not yet finalised how it intends to fix it.
Pain and potential reverberates across the sector
With dumb equipment rapidly becoming scarcer in modern networks, operators heavily reliant on Huawei (notably EE and Openreach, as well as potentially TalkTalk, Three UK and Vodafone UK) look set for a very painful, multi-year crash diet. BT is already warning of a £500m financial hit over the coming five years (see separate report).
Ericsson and Nokia look natural beneficiaries as operators review double- and perhaps increasingly implement triple-vendor sourcing arrangements, but the industry ramifications could be far wider, with the UK very possibly also setting the tone for other countries as well.
Telefónica UK looks least affected by the Huawei rollback, having historically favoured Ericsson and Nokia, which is ironic because Spain, the domicile of its corporate parent, is a particularly close strategic partner of China.
Johnson keeps relationships open with British fudge
In making its decision, the government appears to have opted for a geopolitical fudge designed to navigate the fiercely opposing lobbying of its key strategic ally, the USA, and economically critical China, as well as accommodate consensually-minded Europeans (including the region’s politicians, operators, and vendors).
“We want world-class connectivity as soon as possible but this must not be at the expense of our national security. High risk vendors never have been and never will be in our most sensitive networks… [This package] not only paves the way for secure and resilient networks, with our sovereignty over data protected, but it also builds on our strategy to develop a diversity of suppliers.”
— Baroness Morgan, Secretary of State for Digital, Culture, Media and Sport (DCMS).
This is broadly in line with expectations that the British Prime Minister would soon conclude the Telecoms Supply Chain Review (SCR) at one of the NSC’s regular meetings, and limit the use of Huawei kit. Based on initial reactions from Washington and Huawei, the compromise is promising, with the US appearing to grudgingly accept the coda, the Chinese vendor publicly upbeat on the outcome, and Europeans in sync.
“Ministers today determined that UK operators should put in place additional safeguards and exclude high risk vendors from parts of the telecoms network that are critical to security… The government is certain that these measures, taken together, will allow us to mitigate the potential risk posed by the supply chain and to combat the range of threats, whether cyber criminals, or state sponsored attacks.”
— UK government statement.
Next steps and timings are not fully clear, but the government has said it will expedite legislation to ‘to limit and control the presence of high risk vendors in UK networks, and to be able to respond appropriately as technology changes’. The National Cyber Security Centre (NCSC) issued an accompanying outline of how it expects the safeguards to be met (see below).
These statements and guidelines may be immediately significant in terms of giving domestic operators clarity for investment, mitigation and purchasing commitments. They can also be seen as globally relevant in terms of laying down a marker for other nations to follow.
The European Union (EU) conveniently released its own guidelines the following day. It delegated final decisions to member states and avoided recommending an outright ban on specific suppliers, while advising ringfencing the network core against vendors deemed a security threat.
“[The EU will not] ban anyone because of their name and nationality [if they comply with security requirements]… and if they don’t, then they cannot operate. That’s it. It’s easy.”
— Thierry Breton, EU Commissioner for Internal Market and Services.
BT lobbying to the last
As it became clearer that a government decision on Huawei’s position in the UK was imminent in the wake of the General Election, it seemed that BT was leaving nothing to chance. According to reports, Jansen and Nick Read, CEO of rival Vodafone Group, drafted a letter to the Prime Minister that asserted they had seen no evidence that warranted a ban on security grounds. It is not entirely clear if the joint letter was actually sent, but its contents certainly seem to have been well documented by the UK media.
An earlier letter from BT apparently reiterated that if Huawei were banned from being used in radio access networks, there would be significant ramifications for the roll out of 5G networks. BT had also previously highlighted the implications for a full‑fibre rollout from any decision that resulted in the operator having to focus on the removal of the vendor’s hardware from its estate.
NCSC: risk-manage Huawei as HRV
Drawing on the SCR, the government commissioned guidance from the NCSC relating to how it will define what are deemed HRVs, the restrictions it advises, and mitigation measures to take with them.
The NCSC is positioned as the UK’s technical authority on cybersecurity, serving the public and private sector. It is an outpost of the Government Communications Headquarters (GCHQ) intelligence and security agency. In a footnote in its advice to operators, the NCSC stated that UK government networks can operate over public networks because ‘they are independently secured and do not trust public networks’.
The NCSC has now released non-binding technical ‘advice on the use of equipment from high risk vendors in UK telecoms networks’, and is in the process of drawing up a Telecoms Security Requirements (TSR) framework for the industry that will be the likely basis of legislation. Another anticipated consequence of this framework is that communications regulator Ofcom looks set for a further uprating in its already far-reaching role, helping to oversee the new TSRs.
The NCSC’s technical and security analysis is described as both world-leading and UK-specific.
“The DCMS SCR has demonstrated the need to change the way we manage security in the UK’s telecommunications infrastructure. The TSRs will provide the framework for security in the next generation of the UK’s telecommunications networks. The SCR also showed that we need to manage the presence of HRVs in the UK’s telecommunications infrastructure more formally and actively. NCSC will continue to feed into any future legislative process and advise government on these matters.”
“The Government is establishing one of the strongest regimes for telecoms security in the world. This will raise security standards across the UK’s telecoms operators and the vendors that supply them. At the heart of the new regime will be the National Cyber Security Centre’s Telecoms Security Requirements guidance. This will raise the height of the security bar and set out tough new standards to be met in the design and operation of the UK’s telecoms networks.”
— Baroness Morgan.
Security services maintain ‘we’ve got this’
Tying in with earlier reports that UK security services believe the risk from HRVs is manageable, the NCSC made clear that its latest moves would just formalise and update (or upgrade) activity that has long been in place, saying, for example, that ‘Huawei has always been considered higher risk by the UK government, and a risk-mitigation strategy has been in place since they first began to supply into the UK’.
The NCSC has set out specific reasons for designating Huawei as an HRV (a view the UK government is said to agree with) including:
- Significant UK market scale.
- Risk of Chinese state influence (and belief that China is an active cyber-attacker against the UK and its interests).
- Poor quality cybersecurity and engineering.
- Significant presence on the prescribed US Entity List.
As a designated HRV under NCSC’s model, Huawei would be relegated to ‘non-core’ elements of the UK’s 5G and gigabit-capable next-generation networks, along with numerous other potentially significant restrictions.
The NCSC’s designation of an HRV is said to include consideration of a vendor’s strategic significance in ‘the UK network’ and other markets; engineering practices and cybersecurity controls; past behaviour; technical and supply chain resilience; ownership and domicile; and various elements of potential state-influence or control. HRVs should only be used with a specific risk mitigation strategy in place — ‘designed and overseen by NCSC’; currently, this is unique to Huawei.
It was notable that no vendor or national domicile was namechecked by the government in its formal statements, but the NCSC was explicit in its accompanying material, with Huawei and fellow-Chinese vendor ZTE both designated as HRVs. However, only Huawei gets a pass because its risk is considered mitigated by the existence of the Huawei Cyber Security Evaluation Centre in Banbury, UK. While a fuller list of HRVs has not been released, the NCSC did point out that they need not be Chinese.
“GCHQ has been dealing with Huawei in the UK telecoms sector since 2003, first through CESG [Communications-Electronic Security Group] and now through the NCSC. We’ve always treated them as a ‘high risk vendor’ and have worked to limit their use in the UK and put extra mitigations around their equipment and services. We’ve never ‘trusted’ Huawei and the artefacts you can see (like the Huawei Cyber Security Evaluation Centre (HCSEC) and the oversight board reports) exist because we treat them differently to other vendors.
We ask operators to use Huawei in a limited way so we can collectively manage the risk and NCSC put in place a wider mitigation strategy, of which HCSEC is the most visible part. Even before HCSEC was set up in 2010, we were doing similar work but through a different mechanism. Technology has obviously evolved since that time and our security mitigation strategy, both generally and vendor specific, has had to evolve with it. The move to 5G is another evolution of the technology and our security mitigations need to evolve again.
The government’s decision today talks about high risk vendors (HRVs). The NCSC considers Huawei to be a high-risk vendor, but not the only one.”
— Ian Levy.
Implementing 35% cap where it might get complicated
A material (and adjustable) cap of 35% would apply in aggregate to all HRVs covering eligible network equipment types as well as the proportion of traffic within a network.
The NCSC suggests that operators be given no more than three years to rebalance their current ‘Huawei estates’ where these breach its recommendations. It also advised never to have more than one HRV in a network, which could perpetually exclude ZTE.
Specific areas of exclusion for HRVs would include:
- Safety-related networks.
- Security-critical core network functions.
- Sensitive geographic locations, such as nuclear sites and military bases.
The Financial Times reported that Huawei’s current market share is a neutral 34%, but this could be overly simplistic. Openreach, for instance, may be notably exposed with Huawei pervasive throughout its access network, and some mobile networks and altnets could also be over-reliant. Further, the latest advice to operators from the NCSC on where HRVs should be excluded is farther-reaching than widely realised as well as open to revision, including:
- For all networks: operational support systems; virtualised infrastructure; network monitoring; interconnect; and gateway.
- 5G: many if not all core and user plane functions; slicing; policy control; session management; network data analytics; charging.
- 4G: home subscriber server; packet gateway; policy and charging.
- Legacy networks: ‘For 4G and legacy fixed access networks, NCSC’s advice to operators remains unchanged. Two vendors should always be used in the access network. While no specific volume cap has been recommended [here], NCSC has always expected approximately 50/50 split between vendors in a given network.’
- Other areas could be widely affected, too, ‘dependent on specific operator architecture and operation models’, including where they ‘aggregate significant amounts of personal data’. This could encompass business support systems; location-based services; online charging solutions; and managed services. Even voice systems are specifically referenced, along with logging and backup, and border network gateways.
“It is worth noting that this is about managing risk. Nothing we do can entirely remove risk in any telecoms network with any vendor and so our intent is to get the risk down to an acceptable level in all the different networks using all the different vendors. Basically, with a set of controls and other measures, can we reduce the risk of using an HRV to broadly the same as a ‘lower-risk’ vendor? The restrictions and controls we detail in the high-risk vendors framework give us a way of minimising the risk of using a high-risk vendor like Huawei.”
— Ian Levy.
Hot TIP on emerging players
The UK is reported to have also committed to working with its Five Eyes international security alliance partners (Australia, Canada, New Zealand, and the USA) to advance alternatives and ultimately substitutes to HRVs that represent “no high-risk”.
“The government is now developing an ambitious strategy to help diversify the supply chain. This will seek to attract established vendors who are not present in the UK, supporting the emergence of new, disruptive entrants to the supply chain, and promoting the adoption of open, interoperable standards that will reduce barriers to entry.”
— UK government statement.
Although this could be interpreted as a further sop to Washington (with the government also keen to stress that its latest decision would in no way affect the UK’s ‘ability to share highly sensitive intelligence data over highly secure networks, both within the UK and with our partners, including the Five Eyes’), the move could provide a further fillip to proponents of the emerging generation of open, disaggregated hardware and software network components that BT and other major telcos are already supporting (see separate report). The Telecom Infra Project, an umbrella body for initiatives of this nature with which BT is already actively engaged (see separate reports) was even namechecked by the NCSC.
The NCSC appears to believe that the UK’s telecoms supply chain is broken, including lacking supplier sustainability and diversity. Failure to incentivise good security has, ‘to date, driven some poor industry practices’. Amongst other things, it seeks for ‘operators to adopt network security architecture and operational practices that reduce the levels of successful network penetrations and allow intrusions to be identified and managed quickly’, particularly with development of new 5G and full-fibre networks. The TSR is intended to ‘provide a framework for security in modern telecommunications networks’. To help address this, the NCSC plans to facilitate action at industry, UK government and international levels. This includes an intention to establish a UK National Telecoms Lab with the DCMS, to ‘help de-risk new entrants to the market by providing a standard test bed, allow us to test and force better interoperability between vendors and ensure security is getting better’. It is also ‘looking at interesting hybrid models with established public cloud providers with good security records to see if they can provide some of the mobile edge compute infrastructure’.
“Already, we ask all mobile operators to use two vendors in their Radio Access Network (RAN) for resiliency reasons. There are only three scale suppliers of 5G RAN kit that can currently be used in the UK: Nokia, Ericsson and Huawei. That’s crazy, so we need to diversify the market significantly in the UK so that we have a more robust supply base to enable the long-term security of the UK networks and to ensure we do not end up nationally dependent on any vendor.
“Being nationally dependent on any vendor would be bad, but it would be particularly bad when that’s a high risk vendor. We’re not nationally dependent on anyone now and the measures the government has announced today ensure that won’t happen in the UK in the future, regardless of the commercial drivers.”
— Ian Levy.
“One of the biggest problems we have is one alluded to in the previous blog; telecoms security doesn’t pay. That’s true of the basic network security and business processes that support it. But it’s also true of the enhanced mitigations we ask operators to — voluntarily — do when using a high-risk vendor such as Huawei.
In the last couple of years, the operators’ commercial drivers have come into direct conflict with the NCSC’s security advice. Those operators who chose to follow our advice and requests were putting themselves at a commercial disadvantage. That’s unsustainable. So, the government decision to significantly uplift the baseline telecoms security and formalise the handling of high-risk vendors putting it all on a robust footing is very welcome. It provides clarity for operators and transparency about what we expect for the security of our national networks. Externalising the security costs of particular choices (including vendor) will help operators make better security risk management decisions.”
— Ian Levy.
In a refreshing post fleshing out the security analysis behind the SCR, Ian Levy, the NCSC’s Technical Director, ridiculed what he considers nonsense circulating around 5G, in doing so positioning it very much as evolution not revolution. He made clear that 5G is still fundamentally hardware (‘a base station is a computer with an aerial’), not just software. He then stressed that the network core and edge have not been blended, even if they are shifting around — this is important to the NCSC, since the core needs to be physically- as well as cyber-secured. He went on to question the belief that mobile edge compute capability will literally reside at the physical edge, arguing that this seems unnecessary in the UK unless some ‘super-cool’ application really justifies it (and even then, it can be securely handled via virtualised capability isolated from an HRV). The latter points seemingly align with comments made previously by BT’s Chief Technology and Information Officer, Howard Watson, who indicated that, architecturally, edge computing should be considered part of the core, not the access network (BTwatch, #306).
“Let me tackle the core and edge point first because I think there is a lot of misconception being talked about this at the moment. I think actually we need to start articulating the network as the core, which I think we all understand. The edge, which is the point at which the intelligence will push out, so our multiaccess edge compute. That is still separate from the benign radio access network, which takes radio waves and converts them to Ethernet. And so our policy, we believe, still stands. Think — and we think of it as the edge being an extension of the core, rather than something which integrates with the radio access network. So I think it’s important to really appreciate that difference because, yes, there’s a lot of noise at the moment about core and edge blurring. And so that definition I’ve just described is true, but that is not the same as core blurring with radio access. We don’t see any need to ever do that. And certainly, we believe that Huawei continues to have innovation advantage in the ability to convert from one type of medium to another, whether that be from radio waves to Ethernet or from optical to Ethernet. And so over time, that’s where — that’s with the exception of the 4G core — that’s where we restrict their use today.”
— Howard Watson, BT Technology Business Briefing, 25 June 2019 (edited).
“5G is just another evolution of that set of technologies, although sometimes it’s been imbued with mystical qualities that seem, at least to me, to defy the laws of physics and common sense.
In previous networks, sensitive functions were grouped together in a couple of locations we called ‘core’. In 5G, they are spread out a bit more, but sensitive functions are still sensitive functions and you can put your arms round them — for example, we list them in the guidance published today. Remember, in 5G you need lots of smaller base stations as well as big ones, and the small ones will be on lampposts, bus shelters and other places that aren’t secure from physical interference by bad guys.
So, if your network design means that you need to run really sensitive functions processing really sensitive data (i.e. core functions) on an edge access device on top of a bus stop, your choice of vendor is the least of your worries and you probably shouldn’t be designing critical national infrastructure. The international standards that define what a 5G network actually is allow you to do all sorts of things, and some of those things could lead to security or operational risks that can’t be mitigated. That doesn’t mean you have to do them.”
— Ian Levy.