• Industry looks set to be given three years to firewall Huawei, with potential 35% cap on High Risk Vendors.
  • O2’s longstanding links with Ericsson and Nokia mean operating business avoids costly replacement programmes that major rivals must implement.
  • Security officials position the decision as largely a clarification and formalisation of current restrictions, but potentially stringent caps will spark immediate change in industry security and procurement strategies.
  • UK capex should be unlocked for NGN investment and risk-mitigation, with next-gen vendors boosted.
  • Oversight of the industry to remain key, and Ofcom may see its extensive remit expanded even further, working with GCHQ’s cybersecurity arm.

O2 dodges bullet as Huawei capped

In late‑January 2020, the UK government publicly confirmed that it was not minded to impose an outright ban on the use of equipment from Huawei Technologies.

Based on advice from the National Security Council (NSC), the country is to impose restrictions on the use of technology from any entity considered a “high risk vendor” (HRV), with the Chinese technology giant the clear principal subject of the policy.

The headline measure is a cap of 35% on the combined presence of equipment from all vendors designated a high risk to infrastructure security. Implementing the cap will inevitably prove more complicated and intricate: detailed (and often prescriptive) initial guidance has been issued to the industry on the expected outcomes and impacts of the decision (see below), but fully codified rules are yet to be completed.

With its initial statement of intent, the government is targeting three specific objectives:

  1. Fundamental upgrade of security for all UK operators.
  2. Drastic shake up of the supply chain.
  3. Managing specific HRVs.

Publication of the planned restrictions and guidelines enabled all sides to claim victory, and prompted considerable speculation on the likely changes in the UK telecoms ecosystem. Beyond the hot-takes, however, there are likely to be serious implications for operators, vendors large and small, and the political and regulatory overseers of the sector that will flow from the final determinations of the security authorities and how this is implemented by the government.

At this stage, the government has officially decided there is a problem, and promised a solution. It has not yet formalised how it intends to fix it.

Pain and potential reverberates across the sector

With dumb equipment rapidly becoming scarcer in modern networks, major operators heavily reliant on Huawei (notably BT’s EE and Openreach, as well as potentially TalkTalk, Three UK and Vodafone UK) look set for a very painful, multi-year crash diet. UK incumbent BT Group is already warning of a £500m (€602m) financial hit over the coming five years (BTwatch, #309) while Vodafone Group has indicated that it is removing Huawei equipment from core networks across Europe, at an anticipated cost of €200m.

However, Telefónica UK (O2 UK) looks to be least obviously affected by the Huawei rollback, having historically favoured Ericsson and Nokia, which is ironic considering Spain’s close strategic links with China as a nation, and the strong relationship between Telefónica Group and the vendor.

In the wake of the government decision, an O2 UK spokesperson claimed that Huawei equipment comprises under 1% of its owned network infrastructure (although this does not paint the full picture, due to the use of Huawei equipment by Vodafone for infrastructure that features within the CTIL joint‑venture between the two operators). It is also notable that Telefónica used its response to the ruling to emphasise the different functions that exist across mobile infrastructure, with a statement that could perhaps be taken as a hint that the operating business remains open to finding a role for Huawei.

“Whilst we agree with the government that diversity of supply is the best way to serve customers, careful consideration must be given to the distinction between ‘core’ and ‘non-core’ as 5G networks develop and evolve.

— O2 statement.

A role for Huawei is envisaged in Telefónica España’s 5G core network, while Telefónica Deutschland is also keeping Huawei in the running for its 5G rollout. Senior management has, though, made comments that suggest in the medium‑term the influence of Huawei will wane as a multi‑vendor environment is prioritised, with CTIO Enrique Blanco anticipating the end of any significant reliance on Huawei by 2024 (Telefónicawatch, #139, and see separate report).

Ericsson and Nokia look the natural beneficiaries as operators review dual-vendor sourcing and increasingly move towards triple-vendor arrangements, but the industry ramifications could be far wider, with the UK very possibly setting the tone for other countries as well.

Johnson keeps relationships open with British fudge

In making its decision, the government appears to have opted for a geopolitical fudge designed to navigate the fiercely opposing lobbying of its key strategic ally, the USA, and economically-critical China, as well as accommodate consensually-minded Europeans (including the region’s politicians, operators, and vendors).

This is broadly in line with expectations that the British Prime Minister would soon conclude the Telecoms Supply Chain Review (SCR) at one of the NSC’s regular meetings, and limit the use of Huawei kit. Based on initial reactions from Washington and Huawei, the compromise is promising, with the US appearing to grudgingly accept the outcome, the Chinese vendor publicly upbeat, and Europeans in sync.

“Ministers today determined that UK operators should put in place additional safeguards and exclude high risk vendors from parts of the telecoms network that are critical to security… The government is certain that these measures, taken together, will allow us to mitigate the potential risk posed by the supply chain and to combat the range of threats, whether cyber criminals, or state sponsored attacks.” 

— UK government statement.

Next steps and timings are not fully clear, but the government has said it will expedite legislation ‘to limit and control the presence of high risk vendors in UK networks, and to be able to respond appropriately as technology changes’. The National Cyber Security Centre (NCSC) issued an accompanying outline of how it expects the safeguards to be met (see below).

These statements and guidelines may be immediately significant in terms of giving domestic operators clarity for investment, mitigation and purchasing commitments. They can also be seen as globally relevant in terms of laying down a marker for other nations to follow.

The European Union (EU) conveniently released its own guidelines the following day. It delegated final decisions to member states and avoided recommending an outright ban on specific suppliers, while advising ringfencing the network core against vendors deemed a security threat.

“[The EU will not] ban anyone because of their name and nationality [if they comply with security requirements]… and if they don’t, then they cannot operate. That’s it. It’s easy.

— Thierry Breton, EU Commissioner for Internal Market and Services.

NCSC: risk-manage Huawei as HRV

Drawing on the SCR, the government commissioned guidance from the NCSC on how HRVs are to be defined, the restrictions it advises on their use, and the mitigation measures to be applied to them.

The NCSC is positioned as the UK’s technical authority on cybersecurity, serving the public and private sector. It is part of the Government Communications Headquarters (GCHQ) intelligence and security agency. In a footnote in its advice to operators, the NCSC stated that UK government networks can operate over public networks because ‘they are independently secured and do not trust public networks’.

The NCSC has now released non-binding technical ‘advice on the use of equipment from high risk vendors in UK telecoms networks’, and is in the process of drawing up a Telecoms Security Requirements (TSR) framework for the industry that will be the likely basis of legislation. Another anticipated consequence of this framework is that communications regulator Ofcom looks set for a further uprating in its already far-reaching role, helping to oversee the new TSRs.

The NCSC’s technical and security analysis is described as both world-leading and UK-specific.

“The DCMS SCR has demonstrated the need to change the way we manage security in the UK’s telecommunications infrastructure. The TSRs will provide the framework for security in the next generation of the UK’s telecommunications networks. The SCR also showed that we need to manage the presence of HRVs in the UK’s telecommunications infrastructure more formally and actively. NCSC will continue to feed into any future legislative process and advise government on these matters.

— NCSC.

“The Government is establishing one of the strongest regimes for telecoms security in the world. This will raise security standards across the UK’s telecoms operators and the vendors that supply them. At the heart of the new regime will be the National Cyber Security Centre’s Telecoms Security Requirements guidance. This will raise the height of the security bar and set out tough new standards to be met in the design and operation of the UK’s telecoms networks.

— Baroness Morgan, former Secretary of State for Digital, Culture, Media and Sport.

Security services maintain ‘we’ve got this’

Tying in with earlier reports that UK security services believe the risk from HRVs is manageable, the NCSC made clear that its latest moves would just formalise and update (or upgrade) activity that has long been in place, saying, for example, that ‘Huawei has always been considered higher risk by the UK government, and a risk-mitigation strategy has been in place since they first began to supply into the UK’.

The NCSC has set out specific reasons for designating Huawei as an HRV (a view the UK government is said to agree with), including:

  • Significant UK market scale.
  • Risk of Chinese state influence (and belief that China is an active cyber-attacker against the UK and its interests).
  • Poor quality cybersecurity and engineering.
  • Significant presence on the prescribed US Entity List.

As a designated HRV under the NCSC’s model, Huawei would be relegated to ‘non-core’ elements of the UK’s 5G and gigabit-capable next-generation networks, along with numerous other potentially significant restrictions.

The NCSC’s designation of an HRV is said to include consideration of a vendor’s strategic significance in ‘the UK network’ and other markets; engineering practices and cybersecurity controls; past behaviour; technical and supply chain resilience; ownership and domicile; and various elements of potential state-influence or control. HRVs should only be used with a specific risk mitigation strategy in place — ‘designed and overseen by NCSC’; currently, this is unique to Huawei.

It was notable that no vendor or national domicile was namechecked by the government in its formal statements, but the NCSC was explicit in its accompanying material, with Huawei and fellow Chinese vendor ZTE both designated as HRVs. However, only Huawei gets a pass, because its risk is considered mitigated by the existence of the Huawei Cyber Security Evaluation Centre in Banbury, UK. While a fuller list of HRVs has not been released, the NCSC did point out that they need not be Chinese.

“GCHQ has been dealing with Huawei in the UK telecoms sector since 2003, first through CESG [Communications-Electronic Security Group] and now through the NCSC. We’ve always treated them as a ‘high risk vendor’ and have worked to limit their use in the UK and put extra mitigations around their equipment and services. We’ve never ‘trusted’ Huawei and the artefacts you can see (like the Huawei Cyber Security Evaluation Centre (HCSEC) and the oversight board reports) exist because we treat them differently to other vendors.

We ask operators to use Huawei in a limited way so we can collectively manage the risk and NCSC put in place a wider mitigation strategy, of which HCSEC is the most visible part. Even before HCSEC was set up in 2010, we were doing similar work but through a different mechanism. Technology has obviously evolved since that time and our security mitigation strategy, both generally and vendor specific, has had to evolve with it. The move to 5G is another evolution of the technology and our security mitigations need to evolve again.

The government’s decision today talks about high risk vendors (HRVs). The NCSC considers Huawei to be a high-risk vendor, but not the only one.

— Ian Levy, NCSC Technical Director.

Implementing 35% cap: where it might get complicated

Under the new UK rules, a material (and adjustable) 35% cap would apply to the aggregate of all HRVs, measured per eligible network equipment type and also as a proportion of the traffic carried within an operator’s network.

The NCSC suggests that operators be given no more than three years to rebalance their current Huawei estates where these breach its recommendations. It also advised never to have more than one HRV in a network, which could perpetually exclude ZTE.

Specific areas of exclusion for HRVs would include:

  • Safety-related networks.
  • Security-critical core network functions.
  • Sensitive geographic locations, such as nuclear sites and military bases.

The Financial Times reported Huawei’s current market share at 34%, fractionally under the cap, although this potentially over‑simplistic estimate does not account for how Huawei’s share varies across operators, and the cap would apply per operator network. Despite the apparent minimal presence of Huawei within the O2 UK set‑up, the latest advice to operators from the NCSC on where HRVs should be excluded is farther-reaching than widely realised and open to revision, which could see Telefónica compelled to consider the vendor’s presence more carefully. The exclusions cover areas including:

  • For all networks: operational support systems; virtualised infrastructure; network monitoring; interconnect; and gateway.
  • 5G: many if not all core and user plane functions; slicing; policy control; session management; network data analytics; charging.
  • 4G: home subscriber server; packet gateway; policy and charging.
  • Legacy networks: ‘For 4G and legacy fixed access networks, NCSC’s advice to operators remains unchanged. Two vendors should always be used in the access network. While no specific volume cap has been recommended [here], NCSC has always expected approximately 50/50 split between vendors in a given network.
  • Other areas could be widely affected, too, ‘dependent on specific operator architecture and operation models’, including where they ‘aggregate significant amounts of personal data’. This could encompass: business support systems; location-based services; online charging solutions; and managed services. Even voice systems are specifically referenced, along with logging and backup, and border network gateways.
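As an added illustration of how an operator might operationalise the constraints summarised above, the following check encodes them as rules over a network inventory. It is example code written for this page, not NCSC or operator tooling: the 35% aggregate cap (by equipment type and by traffic share), the excluded-function categories, the one-HRV-per-network rule and the two-vendor access rule are as summarised in this article, while the inventory, the equipment-type names, the function labels and the site classes are constructed for the example. It also computes the minimum number of HRV units an operator would need to swap out per equipment type to meet the cap, which is the figure behind any ‘three-year rebalancing’ plan.

```python
"""Policy-as-code check of the HRV constraints summarised above, run over a
constructed inventory.  Added example: not NCSC or operator tooling."""
from collections import defaultdict

HRV_CAP_PCT = 35                    # aggregate cap across ALL HRVs, per equipment type
HRVS = {"Huawei", "ZTE"}            # vendors the NCSC names as HRVs
# Functions from which HRVs are excluded outright.  The labels are assumed;
# the categories follow the article's summary of the NCSC advice.
EXCLUDED_FUNCTIONS = {
    "oss", "virtualised_infrastructure", "network_monitoring", "interconnect", "gateway",
    "5g_core", "5g_user_plane", "slicing", "policy_control", "session_management",
    "nwdaf", "charging", "hss", "packet_gateway", "pcrf",
}
SENSITIVE_SITES = {"nuclear", "military"}                 # assumed site-class labels
ACCESS_TYPES = {"4g_ran", "5g_ran", "fixed_access"}       # must carry two vendors


def units_to_swap(hrv_units, total_units, cap_pct=HRV_CAP_PCT):
    """Minimum HRV units to replace with non-HRV kit so a type meets the cap.
    Integer arithmetic avoids float noise right at the 35% boundary."""
    excess = hrv_units * 100 - cap_pct * total_units
    return max(0, -(-excess // 100))          # ceiling division


def check_inventory(inventory):
    """Return a list of findings (tuples) for one operator's network.
    Each inventory item: vendor, equipment_type, function, site_class,
    count (units) and traffic (share of the type's traffic, same unit per type)."""
    findings = []
    # 1. Outright exclusions: HRV kit in an excluded function or sensitive site.
    for item in inventory:
        if item["vendor"] in HRVS:
            if item["function"] in EXCLUDED_FUNCTIONS:
                findings.append(("EXCLUDED_FUNCTION", item["vendor"], item["function"]))
            if item.get("site_class") in SENSITIVE_SITES:
                findings.append(("SENSITIVE_SITE", item["vendor"], item["site_class"]))
    # 2. The cap is aggregated over all HRVs together, per equipment type,
    #    and checked both by unit count and by traffic share.
    by_type = defaultdict(lambda: {"units": 0, "hrv_units": 0,
                                   "traffic": 0.0, "hrv_traffic": 0.0})
    for item in inventory:
        t = by_type[item["equipment_type"]]
        t["units"] += item["count"]
        t["traffic"] += item.get("traffic", 0.0)
        if item["vendor"] in HRVS:
            t["hrv_units"] += item["count"]
            t["hrv_traffic"] += item.get("traffic", 0.0)
    for etype, t in by_type.items():
        for metric in ("units", "traffic"):
            total = t[metric]
            if total and t["hrv_" + metric] * 100 > HRV_CAP_PCT * total:
                findings.append(("CAP_EXCEEDED", etype, metric,
                                 round(t["hrv_" + metric] / total, 3)))
    # 3. Never more than one HRV in a network.
    present = {i["vendor"] for i in inventory if i["vendor"] in HRVS}
    if len(present) > 1:
        findings.append(("MULTIPLE_HRVS", tuple(sorted(present))))
    # 4. Two vendors in each access network, whatever the cap says.
    vendors_by_access = defaultdict(set)
    for i in inventory:
        if i["equipment_type"] in ACCESS_TYPES:
            vendors_by_access[i["equipment_type"]].add(i["vendor"])
    for etype, vendors in vendors_by_access.items():
        if len(vendors) < 2:
            findings.append(("SINGLE_VENDOR_ACCESS", etype, tuple(sorted(vendors))))
    return findings


# Constructed inventory for a fictional operator (not real data).
SAMPLE_INVENTORY = [
    {"vendor": "Huawei",   "equipment_type": "4g_ran",    "function": "enodeb",
     "site_class": "urban",      "count": 60,  "traffic": 0.5},
    {"vendor": "Nokia",    "equipment_type": "4g_ran",    "function": "enodeb",
     "site_class": "urban",      "count": 40,  "traffic": 0.5},
    {"vendor": "Ericsson", "equipment_type": "5g_ran",    "function": "gnodeb",
     "site_class": "urban",      "count": 100, "traffic": 1.0},
    {"vendor": "Huawei",   "equipment_type": "core",      "function": "packet_gateway",
     "site_class": "datacentre", "count": 1,   "traffic": 0.2},
    {"vendor": "Ericsson", "equipment_type": "core",      "function": "hss",
     "site_class": "datacentre", "count": 3,   "traffic": 0.8},
    {"vendor": "Huawei",   "equipment_type": "microwave", "function": "backhaul",
     "site_class": "military",   "count": 5,   "traffic": 0.1},
    {"vendor": "Nokia",    "equipment_type": "microwave", "function": "backhaul",
     "site_class": "rural",      "count": 20,  "traffic": 0.9},
]

if __name__ == "__main__":
    for finding in check_inventory(SAMPLE_INVENTORY):
        print(finding)
    print("4G RAN units to swap:", units_to_swap(60, 100))
```

Run on the constructed inventory, the check flags the Huawei packet gateway (an excluded core function), the Huawei backhaul unit on a military site, the 4G RAN type at 60% of units and 50% of traffic, and the 5G RAN for having a single vendor; the microwave and core types stay under the cap, and only one HRV is present. The per-type aggregation is the point: a market-wide 34% figure says nothing about whether any one operator’s 4G RAN is compliant.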

“It is worth noting that this is about managing risk. Nothing we do can entirely remove risk in any telecoms network with any vendor and so our intent is to get the risk down to an acceptable level in all the different networks using all the different vendors. Basically, with a set of controls and other measures, can we reduce the risk of using an HRV to broadly the same as a ‘lower-risk’ vendor? The restrictions and controls we detail in the high-risk vendors framework give us a way of minimising the risk of using a high-risk vendor like Huawei.

— Ian Levy.

Hot TIP on emerging players

The UK is reported to have also committed to working with its Five Eyes international security alliance partners (Australia, Canada, New Zealand, and the USA) to advance alternatives and ultimately substitutes to HRVs that represent “no high-risk”.

“The government is now developing an ambitious strategy to help diversify the supply chain. This will seek to attract established vendors who are not present in the UK, supporting the emergence of new, disruptive entrants to the supply chain, and promoting the adoption of open, interoperable standards that will reduce barriers to entry.

— UK government statement.

This position could provide a further fillip to proponents of the emerging generation of open, disaggregated hardware and software network components that Telefónica Group and other major telcos are already supporting. The Telecom Infra Project, an umbrella body for initiatives of this nature with which Telefónica is already actively engaged (see separate reports) was even namechecked by the NCSC.

The NCSC appears to believe that the UK’s telecoms supply chain is broken, including lacking supplier sustainability and diversity. Failure to incentivise good security has, ‘to date, driven some poor industry practices’. Among other things, it seeks for ‘operators to adopt network security architecture and operational practices that reduce the levels of successful network penetrations and allow intrusions to be identified and managed quickly’, particularly with development of new 5G and full-fibre networks. The TSR is intended to ‘provide a framework for security in modern telecommunications networks’. To help address this, the NCSC plans to facilitate action at industry-, UK government, and international-levels. This includes intention to establish a UK National Telecoms Lab with the DCMS, to ‘help de-risk new entrants to the market by providing a standard test bed, allow us to test and force better interoperability between vendors and ensure security is getting better’. It is also ‘looking at interesting hybrid models with established public cloud providers with good security records to see if they can provide some of the mobile edge compute infrastructure’.

“Already, we ask all mobile operators to use two vendors in their Radio Access Network (RAN) for resiliency reasons. There are only three scale suppliers of 5G RAN kit that can currently be used in the UK: Nokia, Ericsson and Huawei. That’s crazy, so we need to diversify the market significantly in the UK so that we have a more robust supply base to enable the long-term security of the UK networks and to ensure we do not end up nationally dependent on any vendor.

Being nationally dependent on any vendor would be bad, but it would be particularly bad when that’s a high risk vendor. We’re not nationally dependent on anyone now and the measures the government has announced today ensure that won’t happen in the UK in the future, regardless of the commercial drivers.

— Ian Levy.

“One of the biggest problems we have is one alluded to in the previous blog; telecoms security doesn’t pay. That’s true of the basic network security and business processes that support it. But it’s also true of the enhanced mitigations we ask operators to — voluntarily — do when using a high-risk vendor such as Huawei.

In the last couple of years, the operators’ commercial drivers have come into direct conflict with the NCSC’s security advice. Those operators who chose to follow our advice and requests were putting themselves at a commercial disadvantage. That’s unsustainable. So, the government decision to significantly uplift the baseline telecoms security and formalise the handling of high-risk vendors putting it all on a robust footing is very welcome. It provides clarity for operators and transparency about what we expect for the security of our national networks. Externalising the security costs of particular choices (including vendor) will help operators make better security risk management decisions.

— Ian Levy.

In a refreshing post fleshing out the security analysis behind the SCR, Ian Levy, the NCSC’s Technical Director, ridiculed what he considers nonsense circulating around 5G, in doing so positioning it very much as evolution not revolution. He made clear that 5G is still fundamentally hardware (‘a base station is a computer with an aerial’), not just software. He then stressed that the network core and edge have not been blended, even if they are shifting around — this is important to the NCSC, since the core needs to be physically- as well as cyber-secured. He went on to question the belief that mobile edge compute capability will literally reside at the physical edge, arguing that this seems unnecessary in the UK unless some ‘super-cool’ application really justifies it (and even then, it can be securely handled via virtualised capability isolated from an HRV).

“5G is just another evolution of that set of technologies, although sometimes it’s been imbued with mystical qualities that seem, at least to me, to defy the laws of physics and common sense.

In previous networks, sensitive functions were grouped together in a couple of locations we called ‘core’. In 5G, they are spread out a bit more, but sensitive functions are still sensitive functions and you can put your arms round them — for example, we list them in the guidance published today. Remember, in 5G you need lots of smaller base stations as well as big ones, and the small ones will be on lampposts, bus shelters and other places that aren’t secure from physical interference by bad guys.

So, if your network design means that you need to run really sensitive functions processing really sensitive data (i.e. core functions) on an edge access device on top of a bus stop, your choice of vendor is the least of your worries and you probably shouldn’t be designing critical national infrastructure. The international standards that define what a 5G network actually is allow you to do all sorts of things, and some of those things could lead to security or operational risks that can’t be mitigated. That doesn’t mean you have to do them.

— Ian Levy.