Cyberwarfare / Nation-State Attacks , Endpoint Security , Fraud Management & Cybercrime

Will UK's Huawei Decision Become a 5G Rollout Blueprint?

Chinese Tech Giant Pushes Other Countries for Non-Core Network Access
Will UK's Huawei Decision Become a 5G Rollout Blueprint?

Will Britain's Huawei decision serve as a blueprint for other nations' 5G infrastructure rollouts?

See Also: Webinar | 2023 OT Cybersecurity Year in Review: Lessons Learned from the Frontlines

U.K. Prime Minister Boris Johnson on Tuesday announced that the country's four biggest telecommunications firms will be allowed to use equipment from Huawei for up to 35 percent of non-sensitive parts of their 5G and gigabit-capable networks (see: UK Approves 'Limited' Role for Huawei in 5G Networks).

Despite being labeled as a "high-risk vendor" in the U.K., Huawei - the world's largest telecommunications manufacturer - has scored a clear victory in the U.K. That comes despite efforts by the Trump administration to block the company's gear from allies' networks. The White House has especially been pressuring its Five Eyes intelligence alliance partners - Australia, Canada, New Zealand and the U.K. - to ban Huawei.

The U.K., however, has chosen a different approach. “The Trump administration’s dream of creating a global 5G network completely free of Chinese telecom equipment is not a reality,” Samm Sacks, a cybersecurity expert at the Washington-based think tank New America, tells The Wall Street Journal.

The so-called "Huawei question" is whether Chinese networking equipment manufacturers can be trusted, or if their technology might be subverted by the Chinese government to spy via other nations' infrastructure. Of particular concern is China’s National Intelligence Law of 2017, which Beijing could use to order a company to act in a manner that might harm other nations.

Surveillance is not the only concern. Journalist Jamie Bartlett, author of "The People Vs Tech," notes that in the future, China could make Huawei gear - including product updates and security fixes - a pawn in trade negotiations (see: 10 Highlights: Infosecurity Europe 2019 Keynotes).

Huawei Tries to Turn Decision Into Precedent

With the British government now granting Huawei some access to the nation's 5G rollout, the company has already begun pressing other nations to follow suit. In 2018, Australia banned the use of Huawei equpment in 5G networks.

Jeremy Mitchell, the director of public affairs for Huawei Australia, says Australia's decision was based on the country having received "incorrect advice" about 5G network rollouts.

“This decision by the U.K. government proves beyond doubt that there is a way to manage security on 5G networks without excluding vendors simply for being from a certain country," Mitchell says in a statement.

The Australian government has responded by saying its ban on Huawei will remain in place.

But the EU on Wednesday followed Britain's example by saying member states can decide if they want to block or restrict high-risk vendors such as Huawei. The EU also recommended that all member states use multiple suppliers.

Many countries have yet to determine their approach. German Chancellor Angela Merkel, for example, has resisted U.S. demands to ban Huawei, saying she does not want to single out any one vendor. Recently, she signaled that there would be no official decision from the German government until after a March EU summit.

Selling Point: Price

Telecommunications providers have been lobbying European governments hard to use Huawei equipment for 5G infrastructure and warning that excluding the company could delay rollouts by several years.

“Europe’s decision-making on 5G should continue being based on facts; it should be proportionate to threats and build on a solid understanding of technology reality,” lobbying group ETNO - the European Telecommunications Network Operators’ Association - says in a statement issued this week. The group's members include BT, Deutsche Telekom, Orange and Telefónica - owner of O2 - which all use Huawei equipment.

Equipment from other manufacturers is also available; Huawei's two biggest competitors are Sweden's Ericsson and Finland's Nokia. But analysts say the selling point of equipment built by Huawei, which is heavily subsidized by the Chinese state, is that it is much less expensive than rival offerings.

What remains to be seen, however, is whether countries that use Huawei's equipment will trade some degree of national security for a faster and less expensive 5G rollout.

Politically speaking, Britain's prime minister has been trying to balance multiple factors, especially as the U.K. prepares for its Friday exit from the European Union. The EU also comprises the U.K.'s biggest trading partner, followed by the U.S. and China. Of course, Johnson risks angering those last two, and future trade deals, if he mishandles the Huawei question (see: 5G Security in the Balance as Britain Navigates Brexit).

But Huawei’s vice president, Victor Zhang, this week welcomed what he called the U.K's “evidence-based decision" to allow some use of his company's gear, and called on other countries to follow Britain's lead and allow the company to supply them with high-speed, next-generation equipment.

The so-called "special relationship" enjoyed by the U.S. and U.K. also appears to be intact. U.S. Secretary of State Mike Pompeo, who's in London this week for talks, told reporters before arriving that the U.K. might re-examine its Huawei decision as its national "implementation moves forward."

Britain's Blueprint

Johnson's decision already imposes limits. He says high-risk vendors, including Huawei, will be "excluded from sensitive ‘core’ parts of 5G and gigabit-capable networks," meaning its gear can only be used in the periphery of the network, known as the access network, which connects devices and equipment to mobile phone masts.

That restriction has been put in place based on advice from Britain's National Cyber Security Center, which is part of intelligence agency GCHQ.

The NCSC, which runs a center dedicated to studying Huawei gear, believes that the use of Huawei technology in non-core settings can be managed. In official advice issued on Tuesday, the NCSC says Huawei must not be used in core functions, including anything to do with security, virtualization, software-defined networking, authentication, network monitoring or lawful intercept.

Under the U.K.'s new policy, for each of the country's big four mobile telephony providers, only 35 percent of their non-sensitive networks can be built using equipment from high-risk vendors.

NCSC says that hard cap is designed to balance two security and resiliency risks, "the first being the risk associated with high-risk vendors, [and] the second being the need for a diversity of supply in the market." It also notes that the share afforded to high-risk vendors may be decreased in the future.

Huawei's equipment will also be excluded from all safety-related and safety-critical networks in the critical national infrastructure, as well as nuclear sites and military bases.

Ciaran Martin, chief executive of Britain's National Cyber Security Center, which is part of GCHQ (Photo: Mathew Schwartz)

“This package will ensure that the U.K. has a very strong, practical and technically sound framework for digital security in the years ahead," says Ciaran Martin, chief executive of the NCSC. “High-risk vendors have never been, and never will be, in our most sensitive networks. Taken together, these measures add up to a very strong framework for digital security.”

UK Preps New Telecom Security Law

Some of Johnson's fellow Conservative MPs have already signaled that they will seek greater restrictions on Huawei, although it's unclear if they can muster enough backing to make that law.

The U.K. government says it's preparing a new law on telecom security requirements, based on the NCSC's recommendations, that will codify the restrictions on telecommunications providers.

NCSC says the requirements will be based on a security framework which, when followed by network operators, "will be designed to mitigate a range of national risks to a telecommunications network," and "will significantly reduce the likelihood of a successful attack and the harm caused when one happens."

Security experts, however, have warned that this is uncharted territory. "We have never in history managed to secure a complex and dynamic codebase against the threat model of malicious behavior," says Matthew Green, an associate professor of computer science at the Johns Hopkins Information Security Institute, via Twitter.

For example, he says, the NCSC has said that it cannot yet ensure that Huawei code that it has reviewed is the same code running on any given device.

"It’s important to understand that, if this works, it will require new engineering techniques that don’t yet exist," Green says.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.