- Industry looks set to be given three years to firewall Huawei, with potential 35% cap on High Risk Vendors.
- Security officials position the decision as largely a clarification and formalisation of current restrictions, but stringent caps could spark immediate change in industry security and procurement strategies.
- UK capex should be unlocked for NGN investment and risk mitigation, with next-gen vendors boosted.
- Oversight of the industry to remain key, and regulator Ofcom may see its extensive remit expanded even further, working with GCHQ’s cybersecurity arm.
- Vodafone confirms five-year plan to extract Huawei kit from core networks in Europe, and frets about supplier RAN quotas.
In late‑January 2020, the UK government publicly confirmed that it was not minded to impose an outright ban on the use of equipment from Huawei Technologies. Based on advice from the National Security Council (NSC), the country is to impose restrictions on the use of technology from any entity considered a “high‑risk vendor” (HRV), with the Chinese giant the clear principal subject of the policy.
The ostensible headline impact is the capping of the collective presence of any technology provided by vendors considered a high risk to infrastructure security at 35%. Implementation of the limit will inevitably prove complicated and intricate, and while detailed (and often prescriptive) initial guidance has been issued to the industry on the expected outcomes and impacts of the decision (see below), fully codified rules are yet to be completed.
With its initial statement of intent, the government is targeting three specific objectives:
- A fundamental upgrade of security for all UK operators.
- A drastic shake up of the supply chain.
- Managing specific HRVs.
Publication of the planned restrictions and guidelines enabled all sides to claim victory, and prompted considerable speculation on the likely changes in the UK telecoms ecosystem. Beyond the hot-takes, however, there are likely to be serious implications for operators, vendors large and small, and the political and regulatory overseers of the sector. These will ultimately flow from the final determinations of the security authorities and how they are implemented by the government.
At this stage, the government has officially decided there is a problem, and promised a solution. It has not yet finalised how it intends to fix it.
Pain and potential reverberate across the sector
With dumb equipment rapidly becoming scarcer in modern networks, major operators that are heavily reliant on Huawei — particularly UK incumbent BT Group’s EE and Openreach businesses, and potentially TalkTalk and Three UK — look set for a painful, multi‑year crash diet. BT is already warning of a £500m (€597m) financial hit over the coming five years (BTwatch, #309).
Vodafone UK (VfUK) appears somewhat cushioned from the disruption — although will clearly be hurt in terms of future supplier negotiations and network planning.
At Group level, Vodafone confirmed, following the UK government’s statement, that it was removing Huawei equipment from core networks across Europe at an anticipated cost of €200m. However, as well as this not being a back‑breaking number when spread across the Group’s various regional territories, VfUK itself has previously indicated that Huawei has no major presence in its core network, with Cisco Systems and Ericsson its main enablers — so appears essentially to fall outside this project (Vodafonewatch, #173).
Vodafone did not quantify the impact on VfUK’s radio access network (RAN) supply arrangements. In early‑2019, VfUK indicated that 32% of the 18,000 base stations that make up its network had Huawei kit installed, with Ericsson supporting the remainder. This, conveniently, puts VfUK just under the generic 35% cap on HRV supply — although it may require some network rejigging in sensitive areas and layers of the network where there is an outright ban. Vodafone confirmed that VfUK had “no exposure to ‘high‑risk vendors in the core or in London”, but did not go into any vulnerability elsewhere in its network.
Among rivals, Telefónica UK (O2 UK) looks to be least obviously affected by the Huawei rollback, having historically favoured Ericsson and Nokia, which is ironic considering Spain’s close strategic links with China as a nation, and the overall strong relationship between Telefónica Group and the vendor. In the wake of the government decision, an O2 UK spokesperson claimed that Huawei equipment comprises less than 1% of its owned network infrastructure. However, this does not protect O2 UK entirely, considering the use of Huawei equipment by VfUK for infrastructure that features within their Cornerstone Telecommunications Infrastructure (CTIL) network-sharing joint venture — and that the two operators are moving, through CTIL, to expand active equipment sharing outside of major cities (Vodafonewatch, #170 and #171).
Ericsson and Nokia look natural beneficiaries as operators review double- and perhaps increasingly to implement triple-vendor sourcing arrangements, but the industry ramifications could be far wider, with the UK very possibly also setting the tone for other countries as well.
With a longer-term lens, Telecom Infra Project’s (TIP) OpenRAN project, focused on disaggregation of traditional radio systems, has evidently been rising in focus within Vodafone as the Huawei situation has developed. Following up Vodafone’s late-2019 announcement of a request for quotations on OpenRAN infrastructure for deployment in its European networks, Santiago Tenorio, the Group’s Head of Network Strategy & Architecture, was in February 2020 appointed TIP Chairman. He has been leading Vodafone’s efforts around OpenRAN use case development, and said he will use his new role to “champion continued innovation and the opening up of supplier ecosystems to more competition”. Vodafone is also now displayed as a member of the parallel ORAN Alliance — a more technically-focused body concentrating on standardisation of open radio systems.
Johnson keeps relationships open with British fudge
In making its decision, the government appears to have opted for a geopolitical fudge designed to navigate the fiercely opposing lobbying of its key strategic ally, the USA, and economically critical China — as well as to accommodate consensually minded Europeans (including the region’s politicians, operators, and vendors).
“We want world-class connectivity as soon as possible but this must not be at the expense of our national security. High‑risk vendors never have been and never will be in our most sensitive networks… [This package] not only paves the way for secure and resilient networks, with our sovereignty over data protected, but it also builds on our strategy to develop a diversity of suppliers. ”
— Baroness Morgan, then-Secretary of State for Digital, Culture, Media and Sport (DCMS).
This is broadly in line with expectations that the British Prime Minister would conclude the UK’s Telecoms Supply Chain Review (SCR) at one of the NSC’s regular meetings, and limit the use of Huawei kit. Based on initial reactions from Washington and Huawei, the compromise is promising, with the US appearing to grudgingly accept the coda, the Chinese vendor publicly upbeat on the outcome, and Europeans in sync.
“Ministers today determined that UK operators should put in place additional safeguards and exclude high‑risk vendors from parts of the telecoms network that are critical to security… The government is certain that these measures, taken together, will allow us to mitigate the potential risk posed by the supply chain and to combat the range of threats, whether cyber criminals, or state-sponsored attacks. ”
— UK government statement.
Next steps and timings are not fully clear, but the government has said it will expedite legislation to “limit and control the presence of high‑risk vendors in UK networks, and to be able to respond appropriately as technology changes”. The National Cyber Security Centre (NCSC) issued an accompanying outline of how it expects the safeguards to be met (see below).
These statements and guidelines may be immediately significant in terms of giving domestic operators clarity for investment, mitigation, and purchasing commitments. They can also be seen as globally relevant in terms of laying down a marker for other nations to follow.
The European Union (EU) conveniently released its own guidelines — or “toolbox” framework — the following day. It delegated final decisions to member states and avoided recommending an outright ban on specific suppliers, while advising ring‑fencing the network core against vendors deemed a security threat.
“[The EU will not] ban anyone because of their name and nationality [if they comply with security requirements]… and if they don’t, then they cannot operate. That’s it. It’s easy. ”
— Thierry Breton, EU Commissioner for Internal Market and Services.
If the UK’s government fudge succeeded in the short term in balancing out its various geopolitical pressures, its hold on the situation appears fragile. According to the Financial Times, US President Donald Trump vented “apoplectic fury” at Johnson in a phone call after it became clear that the UK would not be following US advice to exclude Huawei altogether from 5G networks. Subsequently, Mick Mulvaney, Trump’s acting Chief of Staff, was said to have warned of a “direct and dramatic impact” on intelligence-sharing with the UK if the proposals are firmed up. The Trump administration has constantly warned other members of the Five Eyes security alliance — Australia, Canada, New Zealand, and the UK — that intelligence‑sharing arrangements will be adversely affected if they use Huawei equipment of any sort in 5G rollout, and that ties might be severed if those warnings were not heeded. The threat played a part in recent decisions by Australia and New Zealand to ban Huawei from supplying 5G infrastructure altogether (Vodafonewatch, passim).
Vodafone lobbies to the last, but not overjoyed with result
As it became clearer that a government decision on Huawei’s position in the UK was imminent in the wake of the country’s December 2019 General Election, it seemed that Vodafone was leaving nothing to chance. According to reports, Nick Read, Chief Executive (CEO) of Vodafone, and BT counterpart Philip Jansen drafted a letter to the Prime Minister that asserted they had seen no evidence that warranted a ban on security grounds. It is not entirely clear if the joint letter was actually sent, but its contents certainly seem to have been well documented by the UK media.
Previously, Vodafone had volunteered to put on “pause” the installation of Huawei kit in its core networks (Vodafonewatch, #171), perhaps hoping the geopolitical furore might die down, and that it could emerge from the Chinese supplier debate unscathed from any accusations that it might be playing fast and loose with cybersecurity. It would then be free to push ahead with deployment of price‑competitive 5G equipment from Huawei. If this was the game plan, then it was only partially successful.
While moderately pleased that the UK government had made a distinction between core and RAN in terms of scope for cyber shenanigans, Read was not impressed by the prospect of costly disruption caused by RAN quotas. Nor was he happy about having to shell out €200m on core network recalibration at a time when the Group is making stringent efforts to cut costs and reduce debt. The project envisages a five‑year phase‑out of Huawei kit from 4G core networks in Europe — which come in the scope of government restrictions as they can support the non‑standalone version of 5G New Radio.
While the UK damage appears limited, contagion from the implementation of caps is a clear concern. Read argued that RAN supplier caps and related curbs on Huawei kit — if the idea were to catch on in other markets — would be debilitating for both customers and economies. “Huawei”, he ruefully noted, is an “important supplier to both Vodafone and the overall industry, reflecting their high‑quality technology”. “RAN quotas, which require us to swap out our modern 4G networks, would disrupt our customers, could drive higher prices given the cost involved, and, most importantly, would delay the roll out of 5G by two to five years, given the industry’s limited operational and financial resources”, he added.
The CEO’s preferred option to promote supplier chain diversity in Europe was to let market forces go to work, rather than count on what he deemed the artifice of RAN caps. Read flagged Vodafone’s heavy involvement in TIP’s OpenRAN project as one way to achieve this.
NCSC: risk-manage Huawei as HRV
Drawing on the SCR, the government commissioned guidance from the NCSC relating to how it will define what are deemed HRVs, the restrictions it advises, and mitigation measures to take with them.
The NCSC is positioned as the UK’s technical authority on cybersecurity, serving the public and private sector. It is an outpost of the Government Communications Headquarters (GCHQ) intelligence and security agency. In a footnote in its advice to operators, the NCSC stated that UK government networks can operate over public networks because they are “independently secured and do not trust public networks”.
The NCSC has now released non-binding technical “advice on the use of equipment from high‑risk vendors in UK telecoms networks”, and is in process of drawing up a Telecoms Security Requirements (TSR) framework for the industry that will be the likely basis of legislation. Another anticipated consequence of this framework is that communications regulator Ofcom looks set for a further uprating in its already far-reaching role, helping to oversee the new TSRs.
The NCSC’s technical and security analysis is described as both world-leading and UK‑specific.
“The DCMS SCR has demonstrated the need to change the way we manage security in the UK’s telecommunications infrastructure. The TSRs will provide the framework for security in the next generation of the UK’s telecommunications networks. The SCR also showed that we need to manage the presence of HRVs in the UK’s telecommunications infrastructure more formally and actively. NCSC will continue to feed into any future legislative process and advise government on these matters. ”
“The government is establishing one of the strongest regimes for telecoms security in the world. This will raise security standards across the UK’s telecoms operators and the vendors that supply them. At the heart of the new regime will be the National Cyber Security Centre’s Telecoms Security Requirements guidance. This will raise the height of the security bar and set out tough new standards to be met in the design and operation of the UK’s telecoms networks. ”
— Baroness Morgan.
Security services maintain ‘we’ve got this’
Tying in with earlier reports that UK security services believe the risk from HRVs is manageable, the NCSC made clear that the its latest moves would just formalise and update (or upgrade) activity that has long been in place, saying, for example, that “Huawei has always been considered higher risk by the UK government, and a risk-mitigation strategy has been in place since they first began to supply into the UK”.
The NCSC has set out specific reasons for designating Huawei as an HRV (a view the UK government is said to agree with) including:
- Significant UK market scale.
- Risk of Chinese state influence (and belief that China is an active cyber-attacker against the UK and its interests).
- Poor quality cybersecurity and engineering.
- Significant presence on the prescribed US Entity List.
As a designated HRV under NCSC’s model, Huawei would be relegated to ‘non‑core’ elements of the UK’s 5G and Gigabit-capable next-generation networks, along with numerous other potentially significant restrictions.
The NCSC’s designation of an HRV is said to include consideration of a vendor’s strategic significance in ‘the UK network’ and other markets; engineering practices and cybersecurity controls; past behaviour; technical and supply chain resilience; ownership and domicile; and various elements of potential state influence or control. HRVs should only be used with a specific risk mitigation strategy in place — “designed and overseen by NCSC”; currently, this is unique to Huawei.
It was notable that no vendor or national domicile was namechecked by the government in its formal statements, but the NCSC was explicit in its accompanying material, with Huawei and fellow Chinese vendor ZTE both designated as HRVs. However, only Huawei gets a pass because its risk is considered mitigated by existence of the Huawei Cyber Security Evaluation Centre in Banbury, UK. While a fuller list of HRVs has not been released, the NCSC did point out that they need not be Chinese.
“GCHQ has been dealing with Huawei in the UK telecoms sector since 2003, first through CESG [Communications-Electronic Security Group] and now through the NCSC. We’ve always treated them as a ‘high‑risk vendor’ and have worked to limit their use in the UK and put extra mitigations around their equipment and services. We’ve never ‘trusted’ Huawei and the artefacts you can see (like the Huawei Cyber Security Evaluation Centre (HCSEC) and the oversight board reports) exist because we treat them differently to other vendors.
“We ask operators to use Huawei in a limited way so we can collectively manage the risk and NCSC put in place a wider mitigation strategy, of which HCSEC is the most visible part. Even before HCSEC was set up in 2010, we were doing similar work but through a different mechanism. Technology has obviously evolved since that time and our security mitigation strategy, both generally and vendor-specific, has had to evolve with it. The move to 5G is another evolution of the technology and our security mitigations need to evolve again.
“The government’s decision today talks about high‑risk vendors. The NCSC considers Huawei to be a high‑risk vendor, but not the only one. ”
— Ian Levy, the NCSC’s Technical Director.
Implementing 35% cap: where it might get complicated
A material (and adjustable) cap of 35% would apply in aggregate to all HRVs covering eligible network equipment types as well as the proportion of traffic within a specific network.
The NCSC suggests that operators be given no more than three years to rebalance their current ‘Huawei estates’ where breaching its recommendations. It also advised never to have more than one HRV in a network, which could perpetually exclude ZTE.
Specific areas of exclusion for HRVs would include:
- Safety-related networks.
- Security-critical core network functions.
- Sensitive geographic locations, such as nuclear sites and military bases.
The Financial Times reported that Huawei’s current UK market share is a neutral 34%, but this could be overly simplistic. Openreach, for instance, may be notably exposed with Huawei pervasive throughout its access network, and some mobile networks and altnets could also be over-reliant. Despite the apparent limited presence of Huawei within the VfUK set-up, the latest advice to operators from the NCSC on where HRVs should be excluded is farther-reaching than widely realised and open to revision, which could compel Vodafone to consider the vendor’s presence more carefully.
The advice applies to:
- All networks: operational support systems; virtualised infrastructure; network monitoring; interconnect; and gateway.
- 5G: many if not all core and user plane functions; slicing; policy control; session management; network data analytics; charging.
- 4G: home subscriber server; packet gateway; policy and charging.
- Legacy networks: “For 4G and legacy fixed access networks, NCSC’s advice to operators remains unchanged. Two vendors should always be used in the access network. While no specific volume cap has been recommended [here], NCSC has always expected approximately 50/50 split between vendors in a given network”.
- Other areas: which could be widely affected, too, “dependent on specific operator architecture and operation models”, including where they “aggregate significant amounts of personal data”. This could encompass business support systems; location-based services; online charging solutions; and managed services. Even voice systems are specifically referenced, along with logging and backup, and border network gateways.
“It is worth noting that this is about managing risk. Nothing we do can entirely remove risk in any telecoms network with any vendor and so our intent is to get the risk down to an acceptable level in all the different networks using all the different vendors. Basically, with a set of controls and other measures, can we reduce the risk of using an HRV to broadly the same as a ‘lower-risk’ vendor? The restrictions and controls we detail in the high-risk vendors framework give us a way of minimising the risk of using a high-risk vendor like Huawei. ”
Hot TIP on emerging players
The UK is reported to have also committed to work with its Five Eyes international security alliance partners (Australia, Canada, New Zealand, and the USA) to advance alternatives and ultimately substitutes to HRVs that represent “no high risk”.
“The government is now developing an ambitious strategy to help diversify the supply chain. This will seek to attract established vendors who are not present in the UK, supporting the emergence of new, disruptive entrants to the supply chain, and promoting the adoption of open, interoperable standards that will reduce barriers to entry. ”
— UK government statement.
Although this could be interpreted as a further sop to Washington (with the government also keen to stress that its latest decision would in no way affect the UK’s “ability to share highly sensitive intelligence data over highly secure networks, both within the UK and with our partners, including the Five Eyes”), the move could provide a further fillip to proponents of the emerging generation of open, disaggregated hardware and software network components that Vodafone and other major telcos are already supporting. The Telecom Infra Project, an umbrella body for initiatives of this nature with which Vodafone is already actively engaged was even namechecked by the NCSC.
The NCSC appears to believe that the UK’s telecoms supply chain is broken, including lacking supplier sustainability and diversity. Failure to incentivise good security has, “to date, driven some poor industry practices”. Among other things, it seeks for “operators to adopt network security architecture and operational practices that reduce the levels of successful network penetrations and allow intrusions to be identified and managed quickly”, particularly with development of new 5G and full‑fibre networks. The TSR is intended to “provide a framework for security in modern telecommunications networks”. To help address this, the NCSC plans to facilitate action at industry, UK government, and international levels. This includes intention to establish a UK National Telecoms Lab with the DCMS, to “help de‑risk new entrants to the market by providing a standard test bed, allow us to test and force better interoperability between vendors and ensure security is getting better’. It is also ‘looking at interesting hybrid models with established public cloud providers with good security records to see if they can provide some of the mobile edge compute infrastructure”.
“Already, we ask all mobile operators to use two vendors in their radio access network for resiliency reasons. There are only three scale suppliers of 5G RAN kit that can currently be used in the UK: Nokia, Ericsson, and Huawei. That’s crazy, so we need to diversify the market significantly in the UK so that we have a more robust supply base to enable the long-term security of the UK networks and to ensure we do not end up nationally dependent on any vendor.
“Being nationally dependent on any vendor would be bad, but it would be particularly bad when that’s a high‑risk vendor. We’re not nationally dependent on anyone now and the measures the government has announced today ensure that won’t happen in the UK in the future, regardless of the commercial drivers.
“One of the biggest problems we have is one alluded to in the previous blog; telecoms security doesn’t pay. That’s true of the basic network security and business processes that support it. But it’s also true of the enhanced mitigations we ask operators to — voluntarily — do when using a high‑risk vendor such as Huawei.
“In the last couple of years, the operators’ commercial drivers have come into direct conflict with the NCSC’s security advice. Those operators who chose to follow our advice and requests were putting themselves at a commercial disadvantage. That’s unsustainable. So, the government decision to significantly uplift the baseline telecoms security and formalise the handling of high‑risk vendors putting it all on a robust footing is very welcome. It provides clarity for operators and transparency about what we expect for the security of our national networks. Externalising the security costs of particular choices (including vendor) will help operators make better security risk management decisions. ”
Europe: muddy as ever
Beyond the UK, Vodafone continues to await news of any further disruption from the clampdown on HRVs. The picture is expected to become clearer in the coming weeks, with individual EU member states now beginning to review the organisation’s “toolbox” of guidelines with a view to implementing measures from June 2020. Political discourse continues to suggest a mix of approaches across regional markets, however.
- Germany: in a recent interview with Frankfurter Allgemeine Zeitung, Hannes Ametsreiter, CEO of Vodafone Germany (VfD), repeated his view that Huawei should not be chased out of a 5G Europe altogether. He called on EU member states to consider a unified decision on Chinese inclusion in next-generation infrastructure. “We need a common European answer to the security question”, said Ametsreiter. Angela Merkel, Germany’s Chancellor, seems sympathetic to this view (Vodafonewatch, #181). Merkel’s preference has been to avoid an outright ban on Huawei equipment, and instead introduce a catalogue of tougher security criteria for network suppliers. However, Merkel has faced opposition from members of her own party, the Christian Democratic Union, as well as the Social Democratic Party. According to reports, the two parties recently drafted a bill that would in effect exclude Huawei from the build‑out of the country’s 5G mobile network, while encouraging the use of equipment originating within Europe. Merkel was reported to have met top management from Ericsson and Nokia in mid-February 2020. Among VfD rivals, Telefónica Deutschland has publicly declared plans to use Huawei equipment in its 5G network, while Deutsche Telekom has reportedly put European 5G supply negotiations on hold.
- Italy: Stefano Patuanelli, Italy’s Minister of Economic Development, recently said Chinese equipment providers should be given the chance to compete for a role in Italy’s 5G development. He expressed confidence that cybersecurity technologies were strong enough to “guarantee national security”, even if 5G infrastructure was supplied by either Huawei or ZTE.
- Hungary: the country’s government, which has forged closer economic ties with China than most other European territories, recently said no evidence had been found that Huawei posed a threat to national security. Péter Szijjártó, Minister of Foreign Affairs & Trade, reportedly told an event in China during early‑November 2019 that Huawei will be involved in Hungary’s 5G rollout. In an email response to media questions, Vodafone Hungary incumbent rival Magyar Telecom said telecoms regulator Nemzeti Média‑ és Hírközlési Hatóság had already registered Huawei as a participant in 5G tenders.