UK gets on with life after Huawei

The UK government’s Department for Digital, Culture, Media & Sport (DCMS) issued a new report detailing its 5G Diversification Strategy, intended to address the perceived vulnerabilities in the UK telecoms supply chain that have been exacerbated by the decision to exclude high risk vendors (HRV), and particularly Huawei, from the domestic telecoms market.

The latest plan arrived in conjunction with introduction of the Telecommunications (Security) Bill, which has started its journey through parliament (see below). This is expected to enshrine new stringent security standards in law, filling out the commitments made by DCMS Secretary Oliver Dowden in July 2020 on tighter restrictions on the presence of HRVs (BTwatch, #314).

The accelerated move to end Huawei involvement in 5G infrastructure was prompted by heightened sanctions from the USA, and it was acknowledged at the time that it would create a different set of security risks for UK infrastructure, notably a greater reliance on just two incumbent strategic network equipment providers (NEPs), Ericsson and Nokia.

Frying pans and fires

The 5G Diversification Strategy recognises several challenges faced by a sector with longstanding vulnerabilities in its supply chain (BTwatch, #309), and outlines a broad plan to tackle them. Dowden said the government aims to confront “head-on” the risk of being overly reliant on a small number of suppliers.

The DCMS acknowledged that dependence on Ericsson and Nokia “represents an intolerable resilience risk and absent intervention it is unlikely that the market will diversify”. This is pushing the government to collaborate and court the two vendors, offering support and encouragement in the diversification of the Nordic companies’ components supply chain to spread the risk of disruption in the short-term.

However, the government has a longer-term objective of diluting the influence of Ericsson and Nokia in the UK, so at the same time is taking steps to encourage other established and emerging players to enter the UK market. It is also aiming to foster open networks and standards to facilitate disaggregated systems, and is hoping that Ericsson and Nokia will support steps that may reduce their share of UK market (although presumably the government will be working to convince them that it will be beneficial globally and long-term).

The report also highlights the difficulty in implementing change in what is a global market, where the UK represents around 2% of all spend, and admits the challenge in making the UK’s voice heard. The government expects to take a more proactive role in international standards bodies and other forums, while seeking to draw research and development projects into the country.

Other inter-governmental alliances will be leveraged, with the UK hoping to influence the FiveEyes security coalition (comprising Australia, Canada, New Zealand, UK, and USA), and the G7 group of governments. No reference was made to the prospect of working with the European Union, or associated regulatory institutions such as BEREC.

These plans were essentially outlined in January 2020 as part of the country’s Telecoms Supply Chain Review.

Diversification push, with a view to opening up the RAN

The strategy, which was essentially outlined in January 2020 as part of the country’s Telecoms Supply Chain Review (TSCR) of critical national infrastructure, has three core strands:

1. Supporting incumbent suppliers (namely Ericsson and Nokia).
2. Attracting new suppliers into the UK market (NEC and Samsung flagged, alongside emerging challengers Mavenir and Parallel Wireless).
3. Accelerating the development and deployment of open interface solutions.

Key practical elements of the strategy include:

• Funding a new open radio access network (RAN) trial with Japanese vendor NEC. The NECNeutrORAN project will be based in Wales and is aiming to introduce “live 5G openRAN within the UK in 2021”. This project is backed by government funding of £1.6m and forms part of the 5GTestbeds and Trials Programme.
• Establishing a National Telecoms Lab, described as a secure research facility for operators and suppliers to test networks and equipment, in collaboration with academic institutions and the government. It is expected to be operational in 2022. Few details are yet available, although it appears to build on a suggestion made by the National Cyber Security Centre (NCSC) as part of its January 2020 TSCR security analysis for the UK telecoms sector. Mike Witts, Group Head of Technology Communications, indicated that BT would be fully supportive of such a national lab and suggested that Adastral Park, the home of the telco’s innovation labs, would be a natural home for at least some elements, such as testing equipment on existing networks.
• Investment in a separate open RAN trial called the SmartRAN Open Network Innovation Centre (SONIC), in partnership with regulator Ofcom and UK government innovation agency Digital Catapult. SONIC is expected to be operational from May 2021, and will work with bodies such as the European Telecommunications Standards Institute, O-RAN Alliance, and Facebook-led Telecoms Infra Project (TIP) to facilitate openness and interoperability.

Delivery and implementation of the strategy will be guided by the recently established Telecoms Diversification Taskforce (TDT), which is headed up by former BT Group Chief Executive (CEO) Sir Ian Livingston. Other TDT members include:

• Scott Petty, Chief Technology Officer at Vodafone UK.
• Clive Selley, CEO, Openreach.
• Rosalind Singleton, Chair of UK5G’s Advisory Board.
• David Rogers, CEO of security consultancy Copper Horse.
• Professor Rahim Tafazolli, Head of the Institute of Communication Systems at the University of Surrey.
• Professor Dimitra Simeonidou, Professor of High Performance Networks at the University of Bristol.
• Scott Steedman, Director of Standards at the British Standards Institution.

Dr Ian Levy, Technical Director of the NCSC, and Professor Simon Saunders, Director of Emerging & Online Technology at Ofcom, will act as technical advisors to the TDT.

New security obligations go beyond HRVs

The introduction of the Telecommunications(Security)Bill in late-November 2020 is expected to put in place a legislative platform upon which the UK government will be able to monitor and enforce heightened security standards in the country.

Dowden said the bill will give the UK“one of the toughest telecoms security regimes in the world and allow us to take the action necessary to protect our networks”. However, much of the detail remains to be seen, with the potential for onerous obligations to be placed on communications providers. Codes of Practice are to be established by government following the passing into law, and these will need to be empowered separately through secondary legislation.

The DCMS suggested that standards to be covered in the new codes will ensure:

• Heightened security requirements for design, build and maintenance of core networks.
• Steps to minimise the threat of vulnerabilities in hardware and software that at risk from cyberattacks.
• Controls on access to critical network equipment.
• Introduction of robust security audit and governance mechanisms.
• Protection of customer data.

When the new Codes of Practice emerge, Ofcom will be assigned the task of monitoring and assessing the compliance of telecoms providers — a considerable additional burden for a regulator already accused of overstretch that will require the acquisition of additional expertise. The prospect of support from the National Cyber Security Centre was again flagged during the parliamentary debate.

Not just a Huawei thing…

The removal of HRVs from infrastructure formed a high-profile element of the parliamentary discussion during the reading of the bill in the House of Commons, with the minister defending the decision not to reference Huawei specifically. Instead the bill proposes giving government power to impose requirements on the use or prohibition of equipment and services from designated vendors.

Beefed-up fines and penalties for failing to comply with new security standards and practices also drew attention, with a maximum penalty of 10% of annual revenue, and £100,000 for every day a breach persists, replacing existing limits of £2m and £20,000, respectively.

The fines are expected to reinforce best practice and address an environment where operators are said currently to have “little incentive to adopt the best security practices”, according to DCMS. There was no indication, however, that operators are currently flouting standards and accepting fines as a consequence.

… but pressure prompts clarification on Huawei ban

Ahead of the House of Commons debate, the DCMS issues an update on the plans for the removal of HRVs from the UK’s 5G infrastructure, and declared that operators would be prohibited from new installations of Huawei 5G equipment from September 2021.

This new deadline appears to have been introduced following concerns from MPs that operators would bulk-buy Huawei equipment before the end of 2020 and continue expanding 5G coverage using the technology.

Operators have indeed been stockpiling Huawei 5G gear, but this is said to have largely been to ensure that sufficient parts will be available to maintain existing Huawei footprints that could be in place until 2027.

Other key dates in the process of removing Huawei from the scene include:

• 31 March 2021: Huawei Managed Services will be banned from work on all networks, except in relation to maintenance of equipment already installed.
• 28 January 2023: all Huawei equipment must be removed from mobile core networks (BT is currently swapping out Huawei from the EE 4G core with a new converged core — BTwatch, #311). The 35% cap on HRV for operator-level elements of fixed and 5G mobile access networks also comes into effect, and Huawei kit will be banned from services linking “Sites Significant to National Security”.
• 31 December 2027: complete removal of Huawei from 5G networks.

BT already on the case…

BT is already taking steps to reduce its reliance on Huawei, and has estimated it will cost £500m to swap out Huawei kit over the period to 2027.

A Group spokesperson said in a statement that it welcomed the government’s “establishment of clear security standards for the UK telecoms industry”, and added that “we’ll continue to work closely with the NCSC and other government bodies to develop these standards further and provide a framework that sets a world-leading standard for the security of the UK’s networks”.

“As we outlined in July[2020], we’re working to the latest government guidelines around the exclusion of Huawei from 5G networks, and we’ve recently signed agreements with Nokia and Ericsson that will allow us to deliver on these commitments.”

BT spokesperson.

… as Huawei keeps up the pressure

Despite the hardening of the UK environment, Huawei has not entirely given up the fight, it seems. Huawei Vice-President Victor Zhang told Reuters that the decision to exclude it from 5G was “politically motivated and not based on a fair evaluation of the risks”. The economic contribution of the business to the UK was also referenced.

However, it appears there is little chance of a change in course without a significant revision of US foreign policy, and a watershed reversal in domestic politics — neither of which look remotely likely, in the short term — to permit the government to even contemplate a softening in policy.