Huawei risk can be mitigated, cyber security experts say
The Chinese state could find easier and more effective ways to launch a cyber attack on the UK than exploiting any “backdoor” through Huawei equipment, UK experts concluded.
As the Government gave the green light for the controversial Chinese tech firm to play a limited role in the UK’s 5G network, the National Cyber Security Centre (NCSC) said the risk of its involvement was “manageable”.
Huawei is already subject to oversight arrangements which ensure that any “embedded malicious functionality could be detected should it exist”, the analysis said.
The US has warned allies not to allow the Chinese firm to play a part in their 5G networks, arguing that it is a security risk due to its close links to the Beijing government, something denied by Huawei.
The firm’s activities in the UK have been overseen by arrangements including the Huawei Cyber Security Evaluation Centre (HCSEC) – nicknamed the Cell.
The NCSC said: “Due to the UK’s mitigation strategy, which includes HCSEC as an essential component, our assessment is that the risk of trojan functionality in Huawei equipment remains manageable.
“Placing ‘backdoors’ in any Huawei equipment supplied into the UK is not the lowest risk, easiest to perform or most effective means for the Chinese state to perform a major cyber attack on UK telecoms networks today.”
The NCSC did raise concerns about any single supplier of equipment being allowed to play a dominant role in the network.
The guidance issued by NCSC excludes “high-risk vendors” such as Huawei from “core” parts of the network, and sensitive locations including nuclear sites and military bases.
They will also be limited to a minority presence of no more than 35% in the periphery of the network, known as the access network, elements which connect devices and equipment to mobile phone masts.
The NCSC stressed that it was “important to avoid the situation in which the UK becomes nationally dependent on a particular supplier”.
It added: “Without government intervention, the NCSC considers there to be a realistic likelihood that due to commercial factors, the UK would become ‘nationally dependent’ on Huawei within three years.”
National dependence on a high-risk vendor would present a “significant national security risk”, the NCSC said.
Ciaran Martin, chief executive of the NCSC, said: “This package will ensure that the UK has a very strong, practical and technically sound framework for digital security in the years ahead.
“The National Cyber Security Centre has issued advice to telecoms network operators to help with the industry roll-out of 5G and full-fibre networks in line with the Government’s objectives.
“High-risk vendors have never been, and never will be, in our most sensitive networks.
“Taken together these measures add up to a very strong framework for digital security.”