Huawei's Role in 5G Networks: A Matter of Trust
UK Government May Allow Chinese Manufacturer to Supply 'Noncore' Infrastructure
As governments around the world continue plans to build out their nations' 5G networks, worries persist about which equipment providers can be trusted.
Security experts are questioning whether restricting high-risk vendors to nonsensitive parts of the network might be a viable security strategy - and whether one nation's choices might have security repercussions for allies.
The U.S. has been spearheading a push to ban Chinese telecommunications equipment manufacturing giants, including Huawei, from allies' 5G networks entirely, with one National Security Agency official saying it doesn't want to put a "loaded gun" in Beijing's hands.
So far, Australia, New Zealand and Japan have agreed with the U.S. position and barred Chinese telecommunications gear from at least part of their 5G network rollouts. But other U.S. allies in Europe have said in no uncertain terms that they will make up their own minds.
Britain Moves Toward Partial Ban
On Tuesday, news leaked that the U.K.'s National Security Council voted to allow Huawei to supply equipment for some "noncore" parts of the U.K.'s 5G network, such as antennas, although the government wasn't yet prepared to publicly make that declaration. The NSC's meetings are secret, and officials in the conservative government led by Prime Minister Theresa May said they had launched an investigation into the identity of the leaker.
A British government representative tells Information Security Media Group that NSC meetings are confidential and that any final decision would first be announced to parliament, as was proper. "Decisions from those meetings are made and announced at the appropriate time through the established processes," the spokesperson says.
"As part of our plans to provide world-class digital connectivity, including 5G, we have conducted an evidence-based review of the supply chain to ensure a diverse and secure supply base, now and into the future," he says. "This is a thorough review into a complex area and will report with its conclusions in due course."
Netherlands Follows British Lead
On Friday, in line with the apparent British position, Dutch telecommunications giant KPN said it would select a "Western vendor" to provide equipment for the core of its 5G network. That left open the possibility that Chinese firms might be allowed to supply noncore infrastructure.
Taking into account "the evolving assessment on the protection of vital infrastructure and the influence this may have on future Dutch policy," KPN said that it "plans to select a Western vendor for the construction of the new mobile core network for 5G."
"We are not blind to the political discussion about the security of our networks and we do see various potential suppliers for the 5G network in the Europe and U.S.," KPN's CFO, Jan Kees de Jager, said at a press conference, the Guardian reported.
Under the Microscope: Huawei
British intelligence agency GCHQ has been studying Huawei equipment since 2010 via its Huawei Cyber Security Evaluation Center, which is run by GCHQ's National Cyber Security Center. A team of highly vetted NCSC international analysts has been reviewing Huawei's business strategies and testing all product ranges before they potentially get used in any setting that might have national security repercussions (see: Huawei Security Shortcomings Cited by British Intelligence).
"GCHQ and the NCSC's role has been to offer expert, objective, technologically literate input into the security considerations around 5G," said Jeremy Fleming, director of GCHQ, in a rare public appearance, delivering the opening keynote speech at last week's CyberUK conference in Glasgow, Scotland (see: Intelligence Agencies Seek Fast Cyber Threat Dissemination).
"When we analyze a company for their suitability to supply equipment to the U.K.'s telecom networks, we are looking at the risks that arise from their security and engineering processes, as well as the way these technologies are deployed in our national telecom networks," he said in his Wednesday speech. "The flag of origin of 5G equipment is important, but it is a secondary factor."
David Lidington, minister for the cabinet office in the conservative British government led by Prime Minister Theresa May, speaking at CyberUK on Thursday, made a similar point.
"The government's approach is not about one company or even one country. It's about ensuring stronger cybersecurity across telecoms, greater resilience in telecoms networks, and more diversity in the supply chain," said Lidington, who effectively serves as Prime Minister May's deputy. "We shall want to work with international partners to develop a common, global approach to improving telecoms' security standards."
Whatever decisions the British government makes could be subject to change. The Guardian reports that while the decision to allow Huawei to supply noncore infrastructure may have been agreed to by the NSC, it could be overturned by a new prime minister if the country sees a change in leadership.
Critical Infrastructure Protection
In a panel discussion at the CyberUK conference, hosted by NCSC, representatives from the Five Eyes intelligence alliance that includes Australia, Canada, New Zealand, the U.K. and U.S. all stressed that questions over Huawei remain at the top of their agenda.
"Critical infrastructure protection, I think everyone has mentioned it, it's a core component of this alliance," said NCSC CEO Ciaran Martin.
"One of the common aspects of this panel is, we all have connections to our intelligence agencies, and the one thing we're all united on is ... there are nations that do plan to come at our national infrastructure and pose a threat," said Rob Joyce, the senior cybersecurity strategy adviser to the director of the NSA. "All of us are pretty certain that we're not going to use those technologies in our most sensitive networks."
Of course that raises this question: "What is a sensitive network?" The U.S. government remains keen to get this question right and so avoid potentially giving Beijing a "loaded gun," Joyce said.
Such questions also informed Australia's approach. "The sovereignty of our country is very important to us," said Scott McLeod, first assistant director-general for protect, assure and enable at the Australian Signals Directorate, during the panel discussion, noting that this formed the basis for the official guidance given by ASD to government officials.
Risk-Reduction Strategy: 'Not Proven'
Panelists said the Huawei question remained part of wider discussions.
"For us this is really about how you address this systemic risk," said Scott Jones, head of the Canadian Center for Cyber Security, during the panel discussion, noting that the promise of 5G also brings new potential perils, given the speed and connectivity levels.
Some security analysts say that just as 5G standards and implementation strategies continue to unfold, so too do risk-reduction strategies. In short, none have yet been truly field-tested.
"The question is whether a partial ban on Huawei to keep it out of sensitive areas and the telecom core will work to reduce risk," says James A. Lewis, a senior vice president at the Center for Strategic and International Studies in Washington.
"The only answer is 'not proven'," he said. "Both core and edge functions will become more important as 5G enables many more things than your phone - self-driving cars, telemedicine, smart cities and the like - and letting Huawei in, even at the edge, could provide China with opportunities for mischief."
China Seeks 'Level Playing Field'
In the face of continuing opposition to using Chinese-built telecommunications equipment in some countries' 5G networks, Beijing has continued to mount its own offensive.
China's ambassador to Britain, Liu Xiaoming, writing in the Telegraph on Sunday, urged Britain to "make decisions independently and in accordance with their national interests."
He said that "the last thing the world needs is the introduction of any sort of discriminatory measures towards companies involved in 5G network development," while "the last thing China expects from a truly open and fair 'global Britain' is a playing field that is not level."
Discussions to Continue in Prague
The question of 5G networks and which suppliers can be trusted for which purposes is on the agenda at a Prague conference being held this week.
More than 30 countries are expected to attend the May 2-3 conference, organized by the Czech foreign ministry and cybersecurity agency NUKIB, to discuss how best to secure next-generation telecommunications networks.
"It's a hugely complex strategic challenge which is going to span the next few decades," GCHQ's Fleming said in his CyberUK speech. "How we deal with it will be crucial for prosperity and our security. And it's yet another demonstration of how significant cybersecurity is becoming to a nation's cyber power."