Vodafone’s Read perturbed as UK rations Huawei usage

In late‑January 2020, the UK government publicly confirmed that it was not minded to impose an outright ban on the use of equipment from Huawei Technologies. Based on advice from the National Security Council (NSC), the country is to impose restrictions on the use of technology from any entity considered a “high‑risk vendor” (HRV), with the Chinese giant the clear principal subject of the policy.

The ostensible headline impact is the capping of the collective presence of any technology provided by vendors considered a high risk to infrastructure security at 35%. Implementation of the limit will inevitably prove complicated and intricate, and while detailed (and often prescriptive) initial guidance has been issued to the industry on the expected outcomes and impacts of the decision (see below), fully codified rules are yet to be completed.

With its initial statement of intent, the government is targeting three specific objectives:

1. A fundamental upgrade of security for all UK operators.
2. A drastic shake up of the supply chain.
3. Managing specific HRVs.

Publication of the planned restrictions and guidelines enabled all sides to claim victory, and prompted considerable speculation on the likely changes in the UK telecoms ecosystem. Beyond the hot-takes, however, there are likely to be serious implications for operators, vendors large and small, and the political and regulatory overseers of the sector. These will ultimately flow from the final determinations of the security authorities and how they are implemented by the government.

At this stage, the government has officially decided there is a problem, and promised a solution. It has not yet finalised how it intends to fix it.

Johnson keeps relationships open with British fudge

In making its decision, the government appears to have opted for a geopolitical fudge designed to navigate the fiercely opposing lobbying of its key strategic ally, the USA, and economically critical China — as well as to accommodate consensually minded Europeans (including the region’s politicians, operators, and vendors).

“We want world-class connectivity as soon as possible but this must not be at the expense of our national security. High‑risk vendors never have been and never will be in our most sensitive networks… [This package] not only paves the way for secure and resilient networks, with our sovereignty over data protected, but it also builds on our strategy to develop a diversity of suppliers. ”

— Baroness Morgan, then-Secretary of State for Digital, Culture, Media and Sport (DCMS).

This is broadly in line with expectations that the British Prime Minister would conclude the UK’s Telecoms Supply Chain Review (SCR) at one of the NSC’s regular meetings, and limit the use of Huawei kit. Based on initial reactions from Washington and Huawei, the compromise is promising, with the US appearing to grudgingly accept the coda, the Chinese vendor publicly upbeat on the outcome, and Europeans in sync.

“Ministers today determined that UK operators should put in place additional safeguards and exclude high‑risk vendors from parts of the telecoms network that are critical to security… The government is certain that these measures, taken together, will allow us to mitigate the potential risk posed by the supply chain and to combat the range of threats, whether cyber criminals, or state-sponsored attacks. ”

— UK government statement.

Next steps and timings are not fully clear, but the government has said it will expedite legislation to “limit and control the presence of high‑risk vendors in UK networks, and to be able to respond appropriately as technology changes”. The National Cyber Security Centre (NCSC) issued an accompanying outline of how it expects the safeguards to be met (see below).

These statements and guidelines may be immediately significant in terms of giving domestic operators clarity for investment, mitigation, and purchasing commitments. They can also be seen as globally relevant in terms of laying down a marker for other nations to follow.

The European Union (EU) conveniently released its own guidelines — or “toolbox” framework — the following day. It delegated final decisions to member states and avoided recommending an outright ban on specific suppliers, while advising ring‑fencing the network core against vendors deemed a security threat.

“[The EU will not] ban anyone because of their name and nationality [if they comply with security requirements]… and if they don’t, then they cannot operate. That’s it. It’s easy. ”

— Thierry Breton, EU Commissioner for Internal Market and Services.

NCSC: risk-manage Huawei as HRV

Drawing on the SCR, the government commissioned guidance from the NCSC relating to how it will define what are deemed HRVs, the restrictions it advises, and mitigation measures to take with them.

The NCSC has now released non-binding technical “advice on the use of equipment from high‑risk vendors in UK telecoms networks”, and is in process of drawing up a Telecoms Security Requirements (TSR) framework for the industry that will be the likely basis of legislation. Another anticipated consequence of this framework is that communications regulator Ofcom looks set for a further uprating in its already far-reaching role, helping to oversee the new TSRs.

The NCSC’s technical and security analysis is described as both world-leading and UK‑specific.

“The DCMS SCR has demonstrated the need to change the way we manage security in the UK’s telecommunications infrastructure. The TSRs will provide the framework for security in the next generation of the UK’s telecommunications networks. The SCR also showed that we need to manage the presence of HRVs in the UK’s telecommunications infrastructure more formally and actively. NCSC will continue to feed into any future legislative process and advise government on these matters. ”

— NCSC.

“The government is establishing one of the strongest regimes for telecoms security in the world. This will raise security standards across the UK’s telecoms operators and the vendors that supply them. At the heart of the new regime will be the National Cyber Security Centre’s Telecoms Security Requirements guidance. This will raise the height of the security bar and set out tough new standards to be met in the design and operation of the UK’s telecoms networks. ”

— Baroness Morgan.

Security services maintain ‘we’ve got this’

Tying in with earlier reports that UK security services believe the risk from HRVs is manageable, the NCSC made clear that the its latest moves would just formalise and update (or upgrade) activity that has long been in place, saying, for example, that “Huawei has always been considered higher risk by the UK government, and a risk-mitigation strategy has been in place since they first began to supply into the UK”.

The NCSC has set out specific reasons for designating Huawei as an HRV (a view the UK government is said to agree with) including:

• Significant UK market scale.
• Risk of Chinese state influence (and belief that China is an active cyber-attacker against the UK and its interests).
• Poor quality cybersecurity and engineering.
• Significant presence on the prescribed US Entity List.

As a designated HRV under NCSC’s model, Huawei would be relegated to ‘non‑core’ elements of the UK’s 5G and Gigabit-capable next-generation networks, along with numerous other potentially significant restrictions.

It was notable that no vendor or national domicile was namechecked by the government in its formal statements, but the NCSC was explicit in its accompanying material, with Huawei and fellow Chinese vendor ZTE both designated as HRVs. However, only Huawei gets a pass because its risk is considered mitigated by existence of the Huawei Cyber Security Evaluation Centre in Banbury, UK. While a fuller list of HRVs has not been released, the NCSC did point out that they need not be Chinese.

“GCHQ has been dealing with Huawei in the UK telecoms sector since 2003, first through CESG [Communications-Electronic Security Group] and now through the NCSC. We’ve always treated them as a ‘high‑risk vendor’ and have worked to limit their use in the UK and put extra mitigations around their equipment and services. We’ve never ‘trusted’ Huawei and the artefacts you can see (like the Huawei Cyber Security Evaluation Centre (HCSEC) and the oversight board reports) exist because we treat them differently to other vendors. 

“We ask operators to use Huawei in a limited way so we can collectively manage the risk and NCSC put in place a wider mitigation strategy, of which HCSEC is the most visible part. Even before HCSEC was set up in 2010, we were doing similar work but through a different mechanism. Technology has obviously evolved since that time and our security mitigation strategy, both generally and vendor-specific, has had to evolve with it. The move to 5G is another evolution of the technology and our security mitigations need to evolve again. 

“The government’s decision today talks about high‑risk vendors. The NCSC considers Huawei to be a high‑risk vendor, but not the only one. ”

— Ian Levy, the NCSC’s Technical Director.

Implementing 35% cap: where it might get complicated

A material (and adjustable) cap of 35% would apply in aggregate to all HRVs covering eligible network equipment types as well as the proportion of traffic within a specific network.

The NCSC suggests that operators be given no more than three years to rebalance their current ‘Huawei estates’ where breaching its recommendations. It also advised never to have more than one HRV in a network, which could perpetually exclude ZTE.

Specific areas of exclusion for HRVs would include:

• Safety-related networks.
• Security-critical core network functions.
• Sensitive geographic locations, such as nuclear sites and military bases.

The Financial Times reported that Huawei’s current UK market share is a neutral 34%, but this could be overly simplistic. Openreach, for instance, may be notably exposed with Huawei pervasive throughout its access network, and some mobile networks and altnets could also be over-reliant. Despite the apparent limited presence of Huawei within the VfUK set-up, the latest advice to operators from the NCSC on where HRVs should be excluded is farther-reaching than widely realised and open to revision, which could compel Vodafone to consider the vendor’s presence more carefully.

The advice applies to:

• All networks: operational support systems; virtualised infrastructure; network monitoring; interconnect; and gateway.
• 5G: many if not all core and user plane functions; slicing; policy control; session management; network data analytics; charging.
• 4G: home subscriber server; packet gateway; policy and charging.
• Legacy networks: “For 4G and legacy fixed access networks, NCSC’s advice to operators remains unchanged. Two vendors should always be used in the access network. While no specific volume cap has been recommended [here], NCSC has always expected approximately 50/50 split between vendors in a given network”.
• Other areas: which could be widely affected, too, “dependent on specific operator architecture and operation models”, including where they “aggregate significant amounts of personal data”. This could encompass business support systems; location-based services; online charging solutions; and managed services. Even voice systems are specifically referenced, along with logging and backup, and border network gateways.

“It is worth noting that this is about managing risk. Nothing we do can entirely remove risk in any telecoms network with any vendor and so our intent is to get the risk down to an acceptable level in all the different networks using all the different vendors. Basically, with a set of controls and other measures, can we reduce the risk of using an HRV to broadly the same as a ‘lower-risk’ vendor? The restrictions and controls we detail in the high-risk vendors framework give us a way of minimising the risk of using a high-risk vendor like Huawei. ”

— Levy.

Hot TIP on emerging players

The UK is reported to have also committed to work with its Five Eyes international security alliance partners (Australia, Canada, New Zealand, and the USA) to advance alternatives and ultimately substitutes to HRVs that represent “no high risk”.

“The government is now developing an ambitious strategy to help diversify the supply chain. This will seek to attract established vendors who are not present in the UK, supporting the emergence of new, disruptive entrants to the supply chain, and promoting the adoption of open, interoperable standards that will reduce barriers to entry. ”

— UK government statement.

Although this could be interpreted as a further sop to Washington (with the government also keen to stress that its latest decision would in no way affect the UK’s “ability to share highly sensitive intelligence data over highly secure networks, both within the UK and with our partners, including the Five Eyes”), the move could provide a further fillip to proponents of the emerging generation of open, disaggregated hardware and software network components that Vodafone and other major telcos are already supporting. The Telecom Infra Project, an umbrella body for initiatives of this nature with which Vodafone is already actively engaged was even namechecked by the NCSC.

“Already, we ask all mobile operators to use two vendors in their radio access network for resiliency reasons. There are only three scale suppliers of 5G RAN kit that can currently be used in the UK: Nokia, Ericsson, and Huawei. That’s crazy, so we need to diversify the market significantly in the UK so that we have a more robust supply base to enable the long-term security of the UK networks and to ensure we do not end up nationally dependent on any vendor. 

“Being nationally dependent on any vendor would be bad, but it would be particularly bad when that’s a high‑risk vendor. We’re not nationally dependent on anyone now and the measures the government has announced today ensure that won’t happen in the UK in the future, regardless of the commercial drivers. 

“One of the biggest problems we have is one alluded to in the previous blog; telecoms security doesn’t pay. That’s true of the basic network security and business processes that support it. But it’s also true of the enhanced mitigations we ask operators to — voluntarily — do when using a high‑risk vendor such as Huawei. 

“In the last couple of years, the operators’ commercial drivers have come into direct conflict with the NCSC’s security advice. Those operators who chose to follow our advice and requests were putting themselves at a commercial disadvantage. That’s unsustainable. So, the government decision to significantly uplift the baseline telecoms security and formalise the handling of high‑risk vendors putting it all on a robust footing is very welcome. It provides clarity for operators and transparency about what we expect for the security of our national networks. Externalising the security costs of particular choices (including vendor) will help operators make better security risk management decisions. ”

— Levy.

Europe: muddy as ever

Beyond the UK, Vodafone continues to await news of any further disruption from the clampdown on HRVs. The picture is expected to become clearer in the coming weeks, with individual EU member states now beginning to review the organisation’s “toolbox” of guidelines with a view to implementing measures from June 2020. Political discourse continues to suggest a mix of approaches across regional markets, however.

• Germany: in a recent interview with Frankfurter Allgemeine Zeitung, Hannes Ametsreiter, CEO of Vodafone Germany (VfD), repeated his view that Huawei should not be chased out of a 5G Europe altogether. He called on EU member states to consider a unified decision on Chinese inclusion in next-generation infrastructure. “We need a common European answer to the security question”, said Ametsreiter. Angela Merkel, Germany’s Chancellor, seems sympathetic to this view (Vodafonewatch, #181). Merkel’s preference has been to avoid an outright ban on Huawei equipment, and instead introduce a catalogue of tougher security criteria for network suppliers. However, Merkel has faced opposition from members of her own party, the Christian Democratic Union, as well as the Social Democratic Party. According to reports, the two parties recently drafted a bill that would in effect exclude Huawei from the build‑out of the country’s 5G mobile network, while encouraging the use of equipment originating within Europe. Merkel was reported to have met top management from Ericsson and Nokia in mid-February 2020. Among VfD rivals, Telefónica Deutschland has publicly declared plans to use Huawei equipment in its 5G network, while Deutsche Telekom has reportedly put European 5G supply negotiations on hold.
• Italy: Stefano Patuanelli, Italy’s Minister of Economic Development, recently said Chinese equipment providers should be given the chance to compete for a role in Italy’s 5G development. He expressed confidence that cybersecurity technologies were strong enough to “guarantee national security”, even if 5G infrastructure was supplied by either Huawei or ZTE.
• Hungary: the country’s government, which has forged closer economic ties with China than most other European territories, recently said no evidence had been found that Huawei posed a threat to national security. Péter Szijjártó, Minister of Foreign Affairs & Trade, reportedly told an event in China during early‑November 2019 that Huawei will be involved in Hungary’s 5G rollout. In an email response to media questions, Vodafone Hungary incumbent rival Magyar Telecom said telecoms regulator Nemzeti Média‑ és Hírközlési Hatóság had already registered Huawei as a participant in 5G tenders.