British ministers concluded that although Chinese Huawei Technologies Co. is still considered a "High risk vendor" (HTV), it will play a limited role in building the country’s next-generation mobile phone networks.
Ministers determined that UK operators should put in place additional safeguards and exclude high risk vendors from parts of the telecoms network that are critical to security. They consider high risk vendors are those who pose greater security and resilience risks to UK telecoms networks.
British Prime Minister chaired a meeting of the National Security Council (NSC), where it was agreed that the National Cyber Security Centre (NCSC) should issue guidance to UK Telecoms operators on high risk vendors.
U.K. decided to keep high risk vendors, alluding to Huawei, out of the most sensitive core parts of the networks but will allow the company to supply other gear that’s critical to the roll-out of 5G, such as antennas and base stations. High risk vendors are also to be “excluded from sensitive geographic locations, such as nuclear sites and military bases.”
According to the UK government, high risk vendors should be:
- Excluded from all safety related and safety critical networks in Critical National Infrastructure
- Excluded from security critical ‘core’ functions, the sensitive part of the network
- Excluded from sensitive geographic locations, such as nuclear sites and military bases
- Limited to a minority presence of no more than 35 per cent in the periphery of the network, known as the access network, which connect devices and equipment to mobile phone masts
The UK government will now seek to legislate to put in place the powers necessary to implement this tough new telecoms security framework.
The UK government is now developing a strategy to help diversify the supply chain. This will seek to attract established vendors who are not present in the UK, supporting the emergence of new, disruptive entrants to the supply chain, and promoting the adoption of open, interoperable standards that will reduce barriers to entry.
The country will impose a cap of up to 35% on the Shenzhen-based vendor’s radio access components, so phone carriers like BT Group Plc’s EE and Vodafone Group Plc may face a challenge reducing their dependence on Huawei.
In a statement, Huawei Vice-President Victor Zhang said it was “reassured” that the U.K. government will let the company keep working with carriers on 5G. “This evidence-based decision will result in a more advanced, more secure and more cost-effective telecoms infrastructure that is fit for the future,” he said, committing to build on Huawei’s more than 15 years supplying U.K. telecom operators.
By curbing Huawei’s access but still allowing the supplier to play a role in 5G, British officials are betting they can manage any security risks at home and still maintain intelligence-sharing ties with the U.S. and other allies.
According to NCSC's guidance:
Huawei has always been considered higher risk by the UK government and a risk mitigation strategy has been in place since they first began to supply into the UK. In terms of the HRV criteria set out above, the reasons NCSC continues to consider Huawei a HRV include at least that:
- Huawei has a significant market share in the UK already, which gives it a strategic significance;
- it is a Chinese company that could, under China’s National Intelligence Law of 2017, be ordered to act in a way that is harmful to the UK;
- the Chinese State (and associated actors) has carried out and will continue to carry out cyber attacks against the UK and our interests;
- Huawei’s cybersecurity and engineering quality is low and its processes opaque. For example, the HCSEC Oversight Board raised significant concerns in 2018 about Huawei’s engineering processes. Its 2019 report confirmed that “no material progress” had been made by Huawei in the remediation of technical issues reported in the 2018 report and highlighted “further significant technical issues” that had not previously been identified; and
- A large number of Huawei entities are currently included on the US Entity List. This listing may have a potential impact on the future availability and reliability of Huawei’s products.
- The Government has agreed that Huawei should continue to be treated as a HRV and asked us to consider issuing this advice, in particular to help operators mitigate the risk of their use of Huawei in UK telecoms networks. For the avoidance of doubt, this advice does not replace or supplant the role of the Huawei Cyber Security Evaluation Centre, which will continue to be an essential part of the future strategy by which the risks presented by Huawei will be mitigated.
- From a cyber security perspective, the NCSC advises operators whose Huawei estates currently exceed the recommended level for an HRV, to reduce to the recommended level as soon as practical. We understand that this takes time, but consider that it should be possible for all operators to reduce their use of HRVs to the recommended levels within 3 years.