The UK has taken an intelligence-led approach in assessing the security of its critical network^[1]. This model carefully balances the commercial imperatives of network providers with national security risk in the supply chain. An approach taken well before the current debate on 5G. Until July 2020 this method justified the national security risk posed by Huawei’s involvement in the infrastructure through a separation of the ‘core’ sensitive parts of the network from its ‘edge’/periphery. In an apparent U-turn however, the UK government has recently taken decisive action on the potential threat to the stability of its Critical National Infrastructure (CNI) by excluding Huawei from its network. The decision was taken amidst pressure from its closest ally – the US and rising global tensions with a powerful technological adversary – China.

Abandoning the status quo

In 2007, Huawei’s equipment started being rolled out in the UK networks as part of a major infrastructure upgrade. In 2010, the UK government established the Huawei Cybersecurity Evaluation Centre with the mandate of analysing Huawei’s equipment for potential vulnerabilities with the aim of increasing the secure design of networks. When it came to the 5^th generation of mobile networks, the UK continued, with a decision issued in January 2020, with its cautious approach allowing Huawei in a maximum of 35% of its kit in the network's periphery. However, fast forward to July 2020, the UK government issued definitive guidance which significantly altered its approach stating that no new Huawei 5G technologies can be acquired after the end of 2020, and all existing Huawei equipment is to be stripped from existing infrastructure by 2027.

This U-turn was largely driven by the US issued sanctions, in May 2020, on semi-conductor chips which aimed to curb Huawei’s efforts to ‘undermine US export controls. In reality these sanctions restrict Huawei’s ability to use US technology and software in designing its semiconductors, therefore disrupting Huawei’s supply chain. Based on this decision, the National Cyber Security Centre (NCSC) issued a guidance stating that the UK could no longer manage the risk posed by using the company’s technology in future 5G networks.

The U-turn caused an initial stir amongst the UK telecommunication providers whose arguments focused on the laborious, lengthy and expensive endeavour to remove existing Huawei’s equipment from their network. However, the leaders of BT Group and Vodafone have acknowledged that since the 35% cap was imposed, they were already making such preparations, and they welcomed calls to diversify the supply chain^[2].

Removing the equipment is only one part of the problem, the bigger challenge is finding suitable alternatives. Not only do these alternative 5G providers have to produce rival which is technically as good, if not better, they also are under a renewed obligation to enhance the security. 5G providers are under a spotlight. Security is built upon trust and strengthened through accountability and transparency. If there is distrust in one part of the network, the rest of the infrastructure could potentially be weakened and jeopardized.

Laying the groundwork for the turn on Huawei

Serious cybersecurity concerns have been raised and tolerated throughout the UK’s continued assessment of supply chain security,^[3] and yet, the UK’s decision on 5G demonstrated a significant U-turn by the UK government. This begs the question of whether it will stimulate a domino effect on other countries who are in the process of making similar decisions.

Countries who had already taken steps to limit Huawei 5G technology in advance of the UK’s decision citing national security concerns include Australia, New Zealand, Japan, Taiwan and the US. Hence, the UK’s decision aligns with that of its intelligence allies.^[4] Nonetheless, many countries using Huawei technology already, in South East Asia, South America and Africa have expressed no intention to follow suit.

As a further step, the UK has proposed a new coalition of likeminded states to counter the role of Huawei through a group named the D10. This group includes the G7: UK, US, Italy, Germany, France, Japan and Canada – as well as Australia, South Korea and India. The purpose of which is to explore and invest in alternative 5G suppliers. Scepticism surrounding this proposal raises the question of whether the venture can successfully meet its objectives and take into account the challenges of free trade and global markets.

The European Commission has also urged member countries to diversify 5G suppliers. EU member states enjoy the prerogative to decide on limiting or precluding the company from their national infrastructure. France has encouraged telecom providers not to switch to Huawei but has not required companies to discontinue using its technology. Given ongoing geopolitical tensions it is highly unlikely that the EU member states will follow the UK’s example on its own accord. EU countries do not want their hand forced in the drawing of a digital iron curtain. It remains to be seen if 5G network technology provided by the ‘made in EU’ Nokia and Ericsson can rival the cost-effectiveness of Huawei and, if so, when. All eyes are on Germany to make a definitive decision on Huawei, which is expected soon. As is the case with several other countries, it will have to delicately balance its relationship with China and the demands of its telecoms industry.

A secure cyber infrastructure

The dawn of the 5G revolution has forced governments to reconsider what is critical national infrastructure and what are the best ways to protect it. It forces imperatives upon countries to take greater steps to secure this infrastructure however expensive.

Notes

[1] See recommendations from the Intelligence and Security Committee Report 2013 https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/205680/ISC-Report-Foreign-Investment-in-the-Critical-National-Infrastructure.pdf and Huawei Cyber Security Evaluation Centre Report 2013 https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/266487/HCSEC_Review_Executive_Summary_FINAL.PDF

[2] Oral evidence given in a UK Defence Subcommittee on 5G https://committees.parliament.uk/oralevidence/782/pdf/

[3] This caution was the product of various reviews and reports including: UK Intelligence and Security Committee, Statement on 5G Suppliers https://b1cba9b3-a-5e6631fd-s-sites.googlegroups.com/a/independent.gov.uk/isc/files/20190719_ISC_Statement_5GSuppliers_Web.pdf?attachauth=ANoY7cqHGcdVESj84FfMtqjpWpLYwHc8yD8fATQrlKU-l5Ibb_DOa61DRKcQQXkGCWLFs-Qk3zPnbqljRYee0fz4XKuKn2RNOJztn12MMJicfKvB5DJEdCwmzW8hXXmlxa8SQLhXfPZ6uBsb6p867DsQXJdUbNBMgUPN8URuFfBsQfEd-cQ5p6okC-D1MA-TBmu_MmZlzbhCymsw374MbgNAHYZLOCHZFYMu5DnI-2d1P7yKjWT20Gw6A8hOKTQBrq-9Xz5QK7pd&attredirects=0, UK Department of Digital, Media, Culture and Sport (DCMS), UK Telecoms Supply Chain Review https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/819469/CCS001_CCS0719559014-001_Telecoms_Security_and_Resilience_Accessible.pdf, Huawei Cyber Security Centre Evaluation Report 2019 https://www.gov.uk/government/publications/huawei-cyber-security-evaluation-centre-oversight-board-annual-report-2019

[4] Note, the only member of the partnership who has not formally banned the company from its networks is Canada. https://www.reuters.com/article/us-canada-huawei-analysis/canada-has-eff...