BT carries burden as Huawei compromise reached

In late‑January 2020, the UK government publicly confirmed that it was not minded to impose an outright ban on the use of equipment from Huawei Technologies.

Based on advice from the National Security Council (NSC), the country is to impose restrictions on the use of technology from any entity considered a “high risk vendor” (HRV), with the Chinese technology giant the clear principal subject of the policy.

The headline impact from the decision was the capping of the collective presence of any technology provided by vendors considered a high risk to infrastructure security at 35%. Implementation of the cap will inevitably prove more complicated and intricate, and while detailed (and often prescriptive) initial guidance has been issued to the industry on the expected outcomes and impacts of the decision (see below), fully codified rules are yet to be completed.

With its initial statement of intent, the government is targeting three specific objectives:

1. Fundamental upgrade of security for all UK operators.
2. Drastic shake up of the supply chain.
3. Managing specific HRVs.

Publication of the planned restrictions and guidelines enabled all sides to claim victory, and prompted considerable speculation on the likely changes in the UK telecoms ecosystem. Beyond the hot-takes, however, there are likely to be serious implications for operators, vendors large and small, and the political and regulatory overseers of the sector that will flow from the final determinations of the security authorities and how this is implemented by the government.

At this stage, the government has officially decided there is a problem, and promised a solution. It has not yet finalised how it intends to fix it.

Johnson keeps relationships open with British fudge

In making its decision, the government appears to have opted for a geopolitical fudge designed to navigate the fiercely opposing lobbying of its key strategic ally, the USA, and economically critical China, as well as accommodate consensually-minded Europeans (including the region’s politicians, operators, and vendors).

“We want world-class connectivity as soon as possible but this must not be at the expense of our national security. High risk vendors never have been and never will be in our most sensitive networks… [This package] not only paves the way for secure and resilient networks, with our sovereignty over data protected, but it also builds on our strategy to develop a diversity of suppliers. ”

— Baroness Morgan, Secretary of State for Digital, Culture, Media and Sport (DCMS).

This is broadly in line with expectations that the British Prime Minister would soon conclude the Telecoms Supply Chain Review (SCR) at one of the NSC’s regular meetings, and limit the use of Huawei kit. Based on initial reactions from Washington and Huawei, the compromise is promising, with the US appearing to grudgingly accept the coda, the Chinese vendor publicly upbeat on the outcome, and Europeans in sync.

“Ministers today determined that UK operators should put in place additional safeguards and exclude high risk vendors from parts of the telecoms network that are critical to security… The government is certain that these measures, taken together, will allow us to mitigate the potential risk posed by the supply chain and to combat the range of threats, whether cyber criminals, or state sponsored attacks. ”

— UK government statement.

Next steps and timings are not fully clear, but the government has said it will expedite legislation to ‘to limit and control the presence of high risk vendors in UK networks, and to be able to respond appropriately as technology changes’. The National Cyber Security Centre (NCSC) issued an accompanying outline of how it expects the safeguards to be met (see below).

These statements and guidelines may be immediately significant in terms of giving domestic operators clarity for investment, mitigation and purchasing commitments. They can also be seen as globally relevant in terms of laying down a marker for other nations to follow.

The European Union (EU) conveniently released its own guidelines the following day. It delegated final decisions to member states and avoided recommending an outright ban on specific suppliers, while advising ringfencing the network core against vendors deemed a security threat.

”[The EU will not] ban anyone because of their name and nationality [if they comply with security requirements]… and if they don’t, then they cannot operate. That’s it. It’s easy. ”

— Thierry Breton, EU Commissioner for Internal Market and Services.

NCSC: risk-manage Huawei as HRV

Drawing on the SCR, the government commissioned guidance from the NCSC relating to how it will define what are deemed HRVs, the restrictions it advises, and mitigation measures to take with them.

The NCSC has now released non-binding technical ‘advice on the use of equipment from high risk vendors in UK telecoms networks’, and is in process of drawing up a Telecoms Security Requirements (TSR) framework for the industry that will be the likely basis of legislation. Another anticipated consequence of this framework is that communications regulator Ofcom looks set for a further uprating in its already far-reaching role, helping to oversee the new TSRs.

The NCSC’s technical and security analysis is described as both world-leading and UK-specific.

“The DCMS SCR has demonstrated the need to change the way we manage security in the UK’s telecommunications infrastructure. The TSRs will provide the framework for security in the next generation of the UK’s telecommunications networks. The SCR also showed that we need to manage the presence of HRVs in the UK’s telecommunications infrastructure more formally and actively. NCSC will continue to feed into any future legislative process and advise government on these matters. ”

— NCSC.

“The Government is establishing one of the strongest regimes for telecoms security in the world. This will raise security standards across the UK’s telecoms operators and the vendors that supply them. At the heart of the new regime will be the National Cyber Security Centre’s Telecoms Security Requirements guidance. This will raise the height of the security bar and set out tough new standards to be met in the design and operation of the UK’s telecoms networks. ”

— Baroness Morgan.

Security services maintain ‘we’ve got this’

Tying in with earlier reports that UK security services believe the risk from HRVs is manageable, the NCSC made clear that the its latest moves would just formalise and update (or upgrade) activity that has long been in place, saying, for example, that ‘Huawei has always been considered higher risk by the UK government, and a risk-mitigation strategy has been in place since they first began to supply into the UK’.

The NCSC has set out specific reasons for designating Huawei as an HRV (a view the UK government is said to agree with) including:

• Significant UK market scale.
• Risk of Chinese state influence (and belief that China is an active cyber-attacker against the UK and its interests).
• Poor quality cybersecurity and engineering.
• Significant presence on the prescribed US Entity List.

As a designated HRV under NCSC’s model, Huawei would be relegated to ‘non-core’ elements of the UK’s 5G and gigabit-capable next-generation networks, along with numerous other potentially significant restrictions.

The NCSC’s designation of an HRV is said to include consideration of a vendor’s strategic significance in ‘the UK network’ and other markets; engineering practices and cybersecurity controls; past behaviour; technical and supply chain resilience; ownership and domicile; and various elements of potential state-influence or control. HRVs should only be used with a specific risk mitigation strategy in place — ‘designed and overseen by NCSC’; currently, this is unique to Huawei.

It was notable that no vendor or national domicile was namechecked by the government in its formal statements, but the NCSC was explicit in its accompanying material, with Huawei and fellow-Chinese vendor ZTE both designated as HRVs. However, only Huawei gets a pass because its risk is considered mitigated by existence of the Huawei Cyber Security Evaluation Centre in Banbury, UK. While a fuller list of HRVs has not been released, the NCSC did point out that they need not be Chinese.

“GCHQ” has been dealing with Huawei in the UK telecoms sector since 2003, first through CESG [Communications-Electronic Security Group] and now through the NCSC. We’ve always treated them as a ‘high risk vendor’ and have worked to limit their use in the UK and put extra mitigations around their equipment and services. We’ve never ‘trusted’ Huawei and the artefacts you can see (like the Huawei Cyber Security Evaluation Centre (HCSEC) and the oversight board reports) exist because we treat them differently to other vendors.

We ask operators to use Huawei in a limited way so we can collectively manage the risk and NCSC put in place a wider mitigation strategy, of which HCSEC is the most visible part. Even before HCSEC was set up in 2010, we were doing similar work but through a different mechanism. Technology has obviously evolved since that time and our security mitigation strategy, both generally and vendor specific, has had to evolve with it. The move to 5G is another evolution of the technology and our security mitigations need to evolve again.

The government’s decision today talks about high risk vendors (HRVs). The NCSC considers Huawei to be a high-risk vendor, but not the only one. ”

— Ian Levy.

Implementing 35% cap where it might get complicated

A material (and adjustable) cap of 35% would apply in aggregate to all HRVs covering eligible network equipment types as well as the proportion of traffic within a network.

The NCSC suggests that operators be given no more than three years to rebalance their current ‘Huawei estates’ where breaching its recommendations. It also advised never to have more than one HRV in a network, which could perpetually exclude ZTE.

Specific areas of exclusion for HRVs would include:

• Safety-related networks.
• Security-critical core network functions.
• Sensitive geographic locations, such as nuclear sites and military bases.

The Financial Times reported that Huawei’s current market share is a neutral 34%, but this could be overly simplistic. Openreach, for instance, may be notably exposed with Huawei pervasive throughout its access network, and some mobile networks and altnets could also be over-reliant. Further, the latest advice to operators from the NCSC on where HRVs should be excluded is farther-reaching than widely realised as well as open to revision, including:

• For all networks: operational support systems; virtualised infrastructure; network monitoring; interconnect; and gateway.
• 5G: many if not all core and user plane functions; slicing; policy control; session management; network data analytics; charging.
• 4G: home subscriber server; packet gateway; policy and charging.
• Legacy networks: ‘For 4G and legacy fixed access networks, NCSC’s advice to operators remains unchanged. Two vendors should always be used in the access network. While no specific volume cap has been recommended [here], NCSC has always expected approximately 50/50 split between vendors in a given network.’
• Other areas could be widely affected, too, ‘dependent on specific operator architecture and operation models’, including where they ‘aggregate significant amounts of personal data’. This could encompass business support systems; location-based services; online charging solutions; and managed services. Even voice systems are specifically referenced, along with logging and backup, and border network gateways.

“It” is worth noting that this is about managing risk. Nothing we do can entirely remove risk in any telecoms network with any vendor and so our intent is to get the risk down to an acceptable level in all the different networks using all the different vendors. Basically, with a set of controls and other measures, can we reduce the risk of using an HRV to broadly the same as a ‘lower-risk’ vendor? The restrictions and controls we detail in the high-risk vendors framework give us a way of minimising the risk of using a high-risk vendor like Huawei. ”

— Ian Levy.

Hot TIP on emerging players

The UK is reported to have also committed to working with its Five Eyes international security alliance partners (Australia, Canada, New Zealand, and the USA) to advance alternatives and ultimately substitutes to HRVs that represent “no high-risk”.

“The government is now developing an ambitious strategy to help diversify the supply chain. This will seek to attract established vendors who are not present in the UK, supporting the emergence of new, disruptive entrants to the supply chain, and promoting the adoption of open, interoperable standards that will reduce barriers to entry. ”

— UK government statement.

Although this could be interpreted as a further sop to Washington (with the government also keen to stress that its latest decision would in no way affect the UK’s ‘ability to share highly sensitive intelligence data over highly secure networks, both within the UK and with our partners, including the Five Eyes’), the move could provide a further fillip to proponents of the emerging generation of open, disaggregated hardware and software network components that BT and other major telcos are already supporting (see separate report). The Telecom Infra Project, an umbrella body for initiatives of this nature with which BT is already actively engaged (see separate reports) was even namechecked by the NCSC.

“Already, we ask all mobile operators to use two vendors in their Radio Access Network (RAN) for resiliency reasons. There are only three scale suppliers of 5G RAN kit that can currently be used in the UK: Nokia, Ericsson and Huawei. That’s crazy, so we need to diversify the market significantly in the UK so that we have a more robust supply base to enable the long-term security of the UK networks and to ensure we do not end up nationally dependent on any vendor.

“Being nationally dependent on any vendor would be bad, but it would be particularly bad when that’s a high risk vendor. We’re not nationally dependent on anyone now and the measures the government has announced today ensure that won’t happen in the UK in the future, regardless of the commercial drivers. ”

— Ian Levy.

One of the biggest problems we have is one alluded to in the previous blog; telecoms security doesn’t pay. That’s true of the basic network security and business processes that support it. But it’s also true of the enhanced mitigations we ask operators to — voluntarily — do when using a high-risk vendor such as Huawei.

In the last couple of years, the operators’ commercial drivers have come into direct conflict with the NCSC’s security advice. Those operators who chose to follow our advice and requests were putting themselves at a commercial disadvantage. That’s unsustainable. So, the government decision to significantly uplift the baseline telecoms security and formalise the handling of high-risk vendors putting it all on a robust footing is very welcome. It provides clarity for operators and transparency about what we expect for the security of our national networks. Externalising the security costs of particular choices (including vendor) will help operators make better security risk management decisions. ”

— Ian Levy.

Let me tackle the core and edge point first because I think there is a lot of misconception being talked about this at the moment. I think actually we need to start articulating the network as the core, which I think we all understand. The edge, which is the point at which the intelligence will push out, so our multiaccess edge compute. That is still separate from the benign radio access network, which takes radio waves and converts them to Ethernet. And so our policy, we believe, still stands. Think —- and we think of it as the edge being an extension of the core, rather than something which integrates with the radio access network. So I think it’s important to really appreciate that difference because, yes, there’s a lot of noise at the moment about core and edge blurring. And so that definition I’ve just described is true, but that is not the same as core blurring with radio access. We don’t see any need to ever do that. And certainly, we believe that Huawei continues to have innovation advantage in the ability to convert from one type of medium to another, whether that be from radio waves to Ethernet or from optical to Ethernet. And so over time, that’s where — that’s with the exception of the 4G core — that’s where we restrict their use today. ”

— Howard Watson, BT Technology Business Briefing, 25 June 2019 (edited).

“5G” is just another evolution of that set of technologies, although sometimes it’s been imbued with mystical qualities that seem, at least to me, to defy the laws of physics and common sense. 
…
In previous networks, sensitive functions were grouped together in a couple of locations we called ‘core’. In 5G, they are spread out a bit more, but sensitive functions are still sensitive functions and you can put your arms round them — for example, we list them in the guidance published today. Remember, in 5G you need lots of smaller base stations as well as big ones, and the small ones will be on lampposts, bus shelters and other places that aren’t secure from physical interference by bad guys.

So, if your network design means that you need to run really sensitive functions processing really sensitive data (i.e. core functions) on an edge access device on top of a bus stop, your choice of vendor is the least of your worries and you probably shouldn’t be designing critical national infrastructure. The international standards that define what a 5G network actually is allow you to do all sorts of things, and some of those things could lead to security or operational risks that can’t be mitigated. That doesn’t mean you have to do them. ”

— Ian Levy.