Though not officially announced, the press is buzzing with reports that the UK Government has cleared the path for Huawei to supply equipment for non-core parts of the 5G network.

While the UK’s digital minister dismissed reports that clearance has been given, there are signals that approval will be given to Huawei. The head of the UK’s spy agency, GCHQ, hinted as much in a speech yesterday, and Reuters reports that a security source told the news agency that Britain will allow Huawei access to non-core parts of the 5G network but block it from all core parts of the system.

Delivering the keynote speech at National Cyber Security Council’s (NCSC) flagship security event CYBERUK 2019 in Scotland, the director of the UK’s intelligence and security agency GCHQ, Jeremy Fleming, said it was more important to look at the robustness and security of the technology rather than which country was providing the equipment for 5G.

He said with 5G likely to be one of the most important and impactful technologies of this era, the UK, like many countries, is looking at the right policy approach to 5G security. The review provides advice on a full range of options being considered by the government, which will be announced in parliament.

He commented, “Now GCHQ and the NCSC's role has been to offer expert, objective, technologically literate input into the security considerations around 5G. When we analyze a company for their suitability to supply equipment to the UK's telecoms networks, we are looking at the risks that arise from their security and engineering processes, as well as the way these technologies are deployed in our national telecom networks. The flag of origin of 5G equipment is important, but it is a secondary factor.”

Put simply, he was saying the issue isn’t about Huawei and China, but about whether the equipment meets the needs of the network without compromising security.

Failure of Cybersecurity Policy

A professor of cyber security from the school of computing at the University of Kent in the UK, Shujun Li, would welcome the approval of Huawei’s involvement in building 5G networks in the UK. He said, “Technically speaking, banning any particular vendor will never work as a real solution to cybersecurity as the supply chain is very complicated and there are simply too many potential risks one has to consider. I would therefore argue that if the UK’s national security depends on a single company (Huawei or any other firm) always doing the “right” thing, then we have failed the cybersecurity assurance in the first place.”

Kerckhoffs’s Principle

He said what should be looked at instead is how a technical solution or product can be scrutinized and verified by independent experts and automated tools, which can detect not only risks from a particular vendor like Huawei but also those caused by any malicious parties in the supply chain.

Professor Li added, “In addition, in the cybersecurity research community, the widely-accepted Kerckhoffs’s principle [which says that a system should remain secure even if everything about it, except the key, is known] and Shannon’s maxim tell us that the security of a system should not depend on hiding details of how the system works (as the attacker will learn the system) but other things (e.g., a secret password chosen by the user). Applying these rules to the Huawei case, it would be strange if Huawei were to base their system’s security on hiding details of how it operates (and therefore not being detected doing something it should not).”

No Incentive for Network Operators to Buy More Expensive Security

Another aspect to 5G networks and security was highlighted by the NCSC’s technical director Ian Levy earlier this year. Providing a dose of reality about market dynamics, he said that the network operators are commercial companies that exist to provide a service and make money.

“So, they’re going to prefer cheaper kit if it helps them provide the service they need (absent of any other considerations). No one currently buys telecoms services based on how secure they are, so a company wouldn’t get rewarded if they invested more than their competitors in making a more secure service. That leads to a weird situation where you don’t get rewarded for doing the right thing, which makes it hard to do, long term.”

In this context, he said the UK government was looking to understand the market and enable better cybersecurity in the equipment and software used, while having a diverse and vibrant vendor base in telecoms equipment supply. He added that it was also looking at how government could set objective security characteristics for telecoms operators, to ensure a higher priority is placed on security in the decision-making processes.