Opinions varied at a UK hearing on using Huawei equipment in its 5G network, but one conclusion was that the main reason to ban Huawei was to appease the U.S.
Two UK government committees last week issued their positions on the use of Huawei in the nation’s 5G networks. Their conclusion? That there are no technical grounds for excluding Huawei equipment from the network infrastructure, but political and ethical issues and the perception among allies like the U.S. and Australia must be taken into consideration.
Following a parliamentary hearing in June 2019 with evidence heard from all key players in the 5G ecosystem — including equipment providers (Huawei, Nokia and Ericsson), operators (BT, Vodafone, O2 and Three) as well as academics involved in 5G and telecoms research (University of Surrey, University of Oxford, and Munich University of Applied Sciences), the Science and Technology Committee of UK parliament concluded there were no technological grounds for excluding Huawei entirely from the UK’s 5G or other telecommunications networks.
However, the chair of the committee, the Rt Hon Norman Lamb, in a letter to the government’s secretary of state for Digital, Culture, Media and Sport, said there may well be geopolitical or ethical considerations that the government needs to take into account when deciding whether they should use Huawei’s equipment. “The Government also needs to consider whether the use of Huawei’s technology would jeopardize this country’s ongoing co-operation with our major allies.”
He also said, “The benefits of 5G are clear and the removal of Huawei from the current or future networks could cause significant delays.”
The implications of core vs. edge
The 248 questions during the hearing involved a thorough discussion of network security, vulnerabilities, and who could have access to network data. There was also a very distinct focus on the blurring of the lines between the core and edge of the network in 5G, and how this made it difficult to be specific on what can and can’t use certain pieces of equipment. Most of the operators said they were not using Huawei equipment in the core, but it would be difficult to switch out because the 5G network is essentially using the 4G core where there is already legacy equipment.
Steve Sampson, head of technology at Nokia UK and Ireland, commented on how 5G is disaggregating the network components, and some functions will be placed closer to the antenna system. In the future, core functions mostly associated with the data paths or the user plane would move to the mobile edge computing area and could have direct connectivity to other networks from that point, in order to limit the latency and reduce the latency for critical services. That is one the main tenets of the 5G service.
He added, “One aspect of moving to this core-edge component is that there will be core components, but there will also be virtualized RAN [radio access networks] as we discussed. That means that the distinction between core and RAN is no longer so simple. It is not a physical box anymore. It is layered on top of commodity-off-the-shelf hardware with open source software providing a resource that is used by all of the network functions, which make up the 5G network, and everything sits on top of everything else, and all of the security measures need to be built in at every one of the layers, as my colleague here mentioned, so there is no one fit.”
However, others, including Scott Petty, chief technology officer for Vodafone in the UK, commented that physically it may be correct that the core network of cloud-based infrastructure can be more distributed. Petty said, “The logical construct of the network does not change. There is a separation between the radio base station and any core network element, including mobile edge computing via an IP security gateway, and that gateway maintains the security separation between the core network and the edge network. That does not change — in our design, would never change — in versions of 5G. While it would be technically possible to remove that IPsec gateway, that would be removing an important layer of security that we would never do.”
The point of the core vs. edge discussion was to understand how easy it would be in 5G for companies or states to get access to sensitive information.
Access to network data
Huawei’s global cybersecurity and privacy officer, John Suffolk, got a particularly aggressive grilling, on issues of ethics, the massacre at Tiananmen Square, his company’s and his personal position on human rights, and particularly whether the Chinese government would be able to order it to provide access to networks.
Both Suffolk and others who gave evidence made it clear that network operators are essentially in charge of access to network data, and not the equipment providers. Huawei itself said it was a closely watched company and that if it were to engage in malicious behavior, it would not go unnoticed, and as the operators said, they would take their business elsewhere.
All vendors have China in supply chain
One point that was emphasized is that the supply chain for all the equipment vendors, not just Huawei, can involve many suppliers and almost all will involve manufacturing in China at some point in that chain. This came out in a question that asked whether Ericsson and Nokia’s supply chains were free of Chinese companies and possible state intervention.
Professor Rahim Tafazolli, director of the Institute of Communication Systems and founder and director of the 5G Innovation Centre at the University of Surrey, responded, “It does not matter who the vendor is; most of the equipment comes from China on the hardware side. The supply chain comes from China, India and other countries where the human resources are not that expensive. It is a global business. It is not that vendor A only makes the products in their own country. That is why the supply chain is quite sophisticated and complicated.”
He added, “When everything is put together, which is the responsibility of the vendor, with their own brand on it, it needs to go through the process of security assurance as a whole. Once it meets the certificate, it can go to the next step. It does not matter what the supply chain that puts everything together do. That process of certification is being defined which will be in place before the end of this year.”
Banning Huawei would not remove China influence
Lamb’s letter to the secretary of state emphasized that supply chains for telecommunications networks were global and complex, so a ban on Huawei equipment would not remove potential Chinese influence from the supply chain. He also said it would increase security vulnerability by reducing competition.
In his conclusions, Lamb emphasized that his conclusion that Huawei should not be entirely excluded from the UK’s 5G networks is based only on technical considerations. He said in its final decision, government might want to take into consideration geopolitical or ethical grounds. He specifically cited the example of Australia’s strategic policy institute's consideration of allegations that Huawei supplied equipment and support to Xinjiang’s public security bureau. He also said that Huawei’s John Suffolk clarified in the June parliamentary hearing that Huawei’s products are provided in Xinjiang through a third party, and not Huawei.
Statement on 5G Suppliers from Intelligence and Security Committee of Parliament
Don’t rely on the flag for network security
The second government statement last week was from the Intelligence and Security Committee of Parliament (ISC) on 5G suppliers, which said network security is more than just about where the technology comes from, and instead that networks must be built to it can stand up to attack from anyone or anywhere. It also said that delays in choosing suppliers for 5G networks were causing “serious damage to our international relations”, and that a decision must be made as a matter of urgency.
It said the National Cyber Security Centre (NCSC) — which, as part of GCHQ, provides cybersecurity advice — has been clear that the security of the UK's telecommunications network is not about one company or one country: the 'flag of origin' for telecommunications equipment is not the critical element in determining cybersecurity. In the statement, it said, “This is logical: we know, for example, that Russia has carried out significant hostile cyber activity against UK telecommunications networks, and yet there is no Russian equipment in the UK's networks.”
The point is not about whether or not Huawei, or indeed any company, might wish to, or be instructed to, sabotage the UK network or use it to spy on the UK. It is that the UK network has to be built in such a way that it can withstand attack from any quarter — whether that be malicious action from someone within the network, a cyberattack from actors outside, or simple human error.
As in any engineering project, the approach being suggested is that the network design should assume all worst-case scenarios and protect the network accordingly. In so doing, some parts of the network will require greater protection: critical functions cannot be put at risk. But there are also less sensitive functions where more risk can be carried.
The committee’s statement points out the need to make a distinction between sensitivity of functions to determine security, rather than where in the network those functions are located. It said that notions of ‘core' and 'edge' are misleading in this context. “We should therefore be thinking of different levels of security, rather than a one size fits all approach, within a network that has been built to be resilient to attack, such that no single action could disable the system,” highlights the statement.
The NCSC said that this can best be achieved by diversifying suppliers to reduce over-dependence and increase competition. If the network was dependent on just one vendor, it would render it less resilient. Also, by requiring mobile network operators to use equipment from more than one vendor increases competition between those vendors which forces them to improve their security standards. This raises the bar on cybersecurity standards across the board that is needed.
Issues are technological, but geostrategic too
The committee stressed that the UK must have a secure 5G network that is protected against a wide range of threats rather than focussing on just one potential threat. But the solution can’t be viewed solely through a technical lens — because it is not simply a decision about telecommunications equipment. “This is a geostrategic decision, the ramifications of which may be felt for decades to come.”
It goes on to talk about the intelligence-sharing relationship with the UK’s ‘Five Eyes’ partners, in which the U.S. and Australia have already been vocal in their concern that the UK might employ Huawei within its 5G network.
Lessons learned: don’t be over-reliant on China
Finally, the ISC statement said one of the lessons the UK government must learn from the current debate over 5G is that with the technology sector now monopolized by just a few key players, we are over-reliant on Chinese technology, not just in the UK, but globally. It added, “We need to consider how we can create greater diversity in the market. This will require us to take a long-term view — but we need to start now.”
In terms of the immediate issue, restricting those companies who may be involved in the 5G network will have consequences: both in terms of time and cost. The government needs to weigh these together with the security advice that any risk posed could be managed in a secure system, against the geostrategic issues outlined.
It added that it’s really necessary to make a decision soon, since the debate has been unnecessarily protracted, and it has damaged the UK’s international relationships. The committee is hence urging the new UK Prime Minister to take a decision on which companies will be involved in the country’s 5G network, ‘so that all concerned can move forward’.