Keen not to halt the progress of its 5G rollout, the U.K. government Tuesday concluded its telecoms supply chain review and issued guidance on how to treat ‘high-risk vendors’ (HRVs) such as Huawei as part of a new set of telecoms security requirements. It said these vendors should be excluded from sensitive ‘core’ parts of 5G and gigabit-capable networks.

Moreover, the U.K. government, for the first time, is placing a 35 percent hard cap on the network traffic volume passing through high-risk vendors’ equipment. Similarly, base station sites served by equipment from a high-risk vendor should be limited to 35 percent at most.

Following a meeting of the National Security Council (NSC) chaired by U.K. Prime Minister Boris Johnson, digital secretary Baroness Morgan said, “We want world-class connectivity as soon as possible but this must not be at the expense of our national security. High risk vendors never have been and never will be in our most sensitive networks. The government has reviewed the supply chain for telecoms networks and concluded today it is necessary to have tight restrictions on the presence of high risk vendors.” This, she said, would pave the way for secure and resilient networks, with the country’s sovereignty over data protected, while also building on its strategy to develop a diversity of suppliers.

The U.K.’s National Cyber Security Center (NCSC) had carried out a detailed technical and security analysis on what is needed to protect the U.K.’s digital infrastructure, and as a result set out the practical steps operators must take to implement the government’s decision on how to best mitigate the risks of high risk vendors in 5G and gigabit-capable networks. This advice says that high risk vendors should be:

  • Excluded from all safety related and safety critical networks in critical national infrastructure
  • Excluded from security critical ‘core’ functions, the sensitive part of the network
  • Excluded from sensitive geographic locations, such as nuclear sites and military bases
  • Limited to a minority presence of no more than 35 per cent in the periphery of the network, known as the access network, which connect devices and equipment to mobile phone masts

In an attempt to address the concerns of the international security alliance and presumably in response to pressure from the U.S. administration, Baroness Morgan added, “Nothing in the review’s conclusions affects this country’s ability to share highly sensitive intelligence data over highly secure networks, both within the U.K. and with our partners, including the Five Eyes. GCHQ [the U.K.’s intelligence agency] have categorically confirmed that how the U.K. constructs its 5G and full fibre public telecoms networks has nothing to do with how the Government shares classified data.

But then, what happens to network operators who already rely on high-risk vendors’ equipment, and whose network traffic or base stations currently exceed the recommended level of 35 percent?

The NCSC advises those operators to reduce to the recommended level as soon as practical. “We understand that this takes time, but consider that it should be possible for all operators to reduce their use of high-risk vendors’ equipment to the recommended levels within 3 years,” according to the agency.

But why 35 percent? Is this an arbitrary number, or is there any logic behind it?

The U.K. government explained, “We consider that a hard cap of 35% of a network equipment type allows for effective cyber security risk management. This cap properly balances two different security and resilience risks; the first being the risk associated with high-risk vendors, the second being the need for a diversity of supply in the market.”

The NCSC’s explanation of its security analysis

Coinciding with the announcement, the NCSC released a series of documents to explain the background to its analysis and guidance to network operators. Its technical director Ian Levy emphasized that 5G is just an evolution of various technologies that have evolved over the last 20 years. He was keen to dispel three key myths: 1) 5G swapping out hardware for software, 2) there’s no distinction between core and edge in 5G, and 3) mobile edge computing in a 5G network could mean that it would result in failure of being able to manage high-risk vendors.

On the first point, he said, just like 4G, a huge amount of software runs on vendor-specific hardware. However, in 5G, since the hardware is more likely to be commoditized and there will be more virtualization, the deployment and servicing models for software would change. But that doesn’t mean any network operator is simply going to update the software as on a home or enterprise network; software updates in any national scale network bring risks, and these risks would have to be managed properly.

On the second point, related to lack of distinction between core and edge, he said while in 4G sensitive functions were grouped together in ‘core’ locations, 5G would spread these out wider with a mix of both small as well as larger base stations. Levy said if your network design means you need to run really sensitive functions processing really sensitive data (i.e. core functions) on an edge access device, say on top of a bus stop, your choice of vendor is the least of your worries and you probably shouldn’t be designing critical national infrastructure. “The international standards that define what a 5G network actually is allow you to do all sorts of things, and some of those things could lead to security or operational risks that can’t be mitigated. That doesn’t mean you have to do them.”

On the third point, Levy notes the deployment of mobile edge compute (MEC) in a 5G network is a commercial decision; with MEC capability being a virtualized function, the NCSC’s guidance addresses this, indicating that virtualization can’t be provided by a high risk vendor.

On the subject of Huawei

On the topic of Huawei, Levy said, “GCHQ has been dealing with Huawei in the U.K. telecoms sector since 2003. We’ve always treated them as a ‘high risk vendor’ and have worked to limit their use in the U.K. and put extra mitigations around their equipment and services. We’ve never ‘trusted’ Huawei and the artifacts you can see — in the Huawei Cyber Security Evaluation Centre (HCSEC) and the oversight board reports — exist because we treat them differently to other vendors. We ask operators to use Huawei in a limited way so we can collectively manage the risk and NCSC put in place a wider mitigation strategy, of which HCSEC is the most visible part.” He added the government’s decision talks about high risk vendors, and that Huawei is not the only one.

HCSEC is a facility in Banbury, Oxfordshire, which belongs to Huawei U.K. It provides security evaluation for a range of products used in the UK telecoms market. Through HCSEC, the government is provided with insight into Huawei’s UK strategies and product ranges. The existence of HCSEC provides the NCSC and government with clear and unbiased (according to the NCSC) evidence on the risks posed to the U.K. through the use of Huawei’s products by U.K. operators. It ensures that it is feasible that embedded malicious functionality could be detected should it exist. HCSEC deploys a range of tools and artificial intelligence (AI) to scan Huawei’s UK products, complemented by skilled analysts.

If government considers a vendor to be high risk, Levy noted several things become necessary:

  • Firstly, it is banned from being used in any of the sensitive functions a network needs to have – things previously labelled as ‘core’, but also includes other sensitive things like the legal intercept system and so on. They are restricted from use in other critical infrastructure sectors, safety related and safety critical system and sensitive government, military and intelligence systems.
  • Secondly, a cap is placed on the amount of access to the network a high risk vendor can provide equipment for. The cap balances two different security and resiliency risks; the first is the risk associated with high risk vendors and the second is the need for diversity of supply. The cap at 35% ensures the UK will not become nationally dependent on a high risk vendor while retaining competition in the market and allowing operators to continue to use two radio access network (RAN) vendors. The 35% figure has been subtly calculated to ensure it can’t be easily gamed, for example by using an high-risk vendors’ base stations in all the cities and a non-high-risk vendor’s products in the countryside.

This, according to Levy, starts to constrain any high-risk vendor, but they also need to put in place a bespoke mitigation strategy for each high risk vendor. “That requires things that only an agency like NCSC can do. For Huawei, this will be an evolution of the existing mitigation strategy, including but not limited to HCSEC (‘the cell’) which does things for us.”

The guidance from NCSC is aimed at ensuring those operators who choose to use high risk vendors like Huawei understand the risks properly and design their networks, support and operational systems and processes to manage those risks. Levy comments, “That means we’ll have to help them. NCSC has a mandate from government as the UK’s national technical authority for cybersecurity, responsibility for the long-standing Huawei mitigation strategy, knowledge of other vendor practices, access to national intelligence machinery, a world class vulnerability research team, international partnerships and the data, skills and capabilities to inform how the risks can be sensibly managed.”

What 5G functions are Huawei and other HRV’s not allowed to access?

So what exactly are high risk vendors banned from? According to the NCSC guidance, the cybersecurity risk of using high-risk vendors in the network functions set out below cannot be managed. Therefore, if effective risk management of high-risk vendors is to be undertaken, their products and services should not be used in the following network functions.

1) For all networks: IP Core, Security Functions, Operational Support Systems (OSS) , Management and Authentication, Authorization and Audit (AAA) functions, Virtualization infrastructure (including Network Function Virtualization Infrastructure (NFVI)), Orchestrator and controller functions (including Management and Network Orchestration (MANO) and Software Defined Networks (SDN) orchestrators/controllers), Network monitoring and optimization, Interconnection equipment, Internet gateway functions, Lawful Intercept related functions.

2) For 5G networks: 5G Core database functions, 5G core-related services including but not limited to Authentication Server Function (AUSF), Access and Mobility Management Function (AMF), Unstructured Data Storage Function (UDSF), Network Exposure Function (NEF), Intermediate NEF (I-NEF), Network Repository Function (NRF), Network Slice Selection Function (NSSF), Policy Control Function (PCF), Session Management Function (SMF), Unified Data Management (UDM), Unified Data Repository (UDR), User Plane Function (UPF), UE radio Capability Management Function (UCMF), Application Function (AF), 5G-Equipment Identity Register (5G-EIR), Network Data Analytics Function (NWDAF), Charging Function (CHF), Service Communication Proxy (SCP), Security Edge Protection Proxy (SEPP), Non-3GPP InterWorking Function (N3IWF), Trusted Non-3GPP Gateway Function (TNGF), Wireline Access Gateway Function (W-AGF), and future 5G core functions as specified by 3GPP TS 23.501.

3) For 4G networks: mobile core functions, including Home Subscriber Server (HSS), Packet Gateway (PGW), Policy and Charging Rules Function (PCRF) and, in some cases, the Mobility Management Entity (MME) and Serving Gateway (SGW).

Why have we become dependent on a just a few vendors?

The NCSC says that the underlying problem is that the market is broken – there are only three scale suppliers of 5G RAN kit that can currently be used in the UK: Nokia, Ericsson and Huawei. In his notes released today, Levy outlined why the market has consolidated so much:

The reasons the supply market has consolidated so much include:

  • Low margins – it’s hard to make a lot of money selling telecoms kit, because it’s hard for operators to make a lot of money.
  • High R&D requirements – telecoms infrastructure is extremely complex and bespoke. A significant investment in research & development is required to both enter the market and keep up with the pace of development.
  • Patents – telecoms technology is built on standards where companies contributing have patented key technologies. There’s a significant cost on new entrants to the market to pay for licenses for these key technologies (called standard essential patents).
  • Spectrum & regional requirements – frequency usage and preferred radio technology vary around the world. This means that vendors often have to have slightly different products for different markets, which further adds to expense.
  • Operator confidence – vendors have to prove they can be reliable, which puts new entrants to the market at a significant disadvantage. This also means you need a local engineering force, support structures and logistics for spares which can make it hard for existing vendors to enter a new regional market.
  • Interoperability – while equipment is built on standards, there are often gaps or inconsistencies which mean that equipment will not talk to each other ‘out of the box’, giving the incumbent vendor a stranglehold. There’s no incentive for vendors to interoperate with smaller vendors as it would make competition better.
  • A one-stop shop – creating a telecoms network requires building equipment, integrating equipment and operating the equipment. There’s a division of effort between operator and vendor and, when something goes wrong, it’s easier for the operator to have one person to shout at.
  • Scale of delivery – selling to a major operator requires the vendor to be able to deliver a very large quantity of equipment in a short timeframe to meet the operator’s expectations for network rollout. Any business could grow to accommodate these demands, but such growth takes time.