The Chinese state could find easier and more effective ways to launch a cyber attack on the UK than exploiting any “backdoor” through Huawei equipment, UK experts concluded.
As the Government gave the green light for the controversial Chinese tech firm to play a limited role in the UK’s 5G network, the National Cyber Security Centre (NCSC) said the risk of its involvement was “manageable”.
Huawei is already subject to oversight arrangements which ensure that any “embedded malicious functionality could be detected should it exist”, the analysis said.
Placing ‘backdoors’ in any Huawei equipment supplied into the UK is not the lowest risk, easiest to perform or most effective means for the Chinese state to perform a major cyber attack on UK telecoms networks todayNational Cyber Security Centre
The US has warned allies not to allow the Chinese firm to play a part in their 5G networks, arguing that it is a security risk due to its close links to the Beijing government, something denied by Huawei.
The firm’s activities in the UK have been overseen by arrangements including the Huawei Cyber Security Evaluation Centre (HCSEC) – nicknamed the Cell.
The NCSC said: “Due to the UK’s mitigation strategy, which includes HCSEC as an essential component, our assessment is that the risk of trojan functionality in Huawei equipment remains manageable.
“Placing ‘backdoors’ in any Huawei equipment supplied into the UK is not the lowest risk, easiest to perform or most effective means for the Chinese state to perform a major cyber attack on UK telecoms networks today.”
The NCSC did raise concerns about any single supplier of equipment being allowed to play a dominant role in the network.
The guidance issued by NCSC excludes “high-risk vendors” such as Huawei from “core” parts of the network, and sensitive locations including nuclear sites and military bases.
The Government has announced the conclusions of the Telecoms Supply Chain Review, which highlights the need for new safeguards regarding high risk vendors in the UKâs telecoms networks.— DCMS (@DCMS) January 28, 2020
Hereâs what it means 👇 pic.twitter.com/D4u5ULiHUK
They will also be limited to a minority presence of no more than 35% in the periphery of the network, known as the access network, elements which connect devices and equipment to mobile phone masts.
The NCSC stressed that it was “important to avoid the situation in which the UK becomes nationally dependent on a particular supplier”.
It added: “Without government intervention, the NCSC considers there to be a realistic likelihood that due to commercial factors, the UK would become ‘nationally dependent’ on Huawei within three years.”
National dependence on a high-risk vendor would present a “significant national security risk”, the NCSC said.
NCSC technical director Dr Ian Levy said Huawei had always been treated as a high-risk vendor and the authorities have “worked to limit their use in the UK”.
“We’ve never ‘trusted’ Huawei and the artefacts you can see (like the Huawei Cyber Security Evaluation Centre (HCSEC) and the oversight board reports) exist because we treat them differently to other vendors,” he said.
“We ask operators to use Huawei in a limited way so we can collectively manage the risk and NCSC put in place a wider mitigation strategy, of which HCSEC is the most visible part.”
Ciaran Martin, chief executive of the NCSC, said: “This package will ensure that the UK has a very strong, practical and technically sound framework for digital security in the years ahead.
“The National Cyber Security Centre has issued advice to telecoms network operators to help with the industry roll-out of 5G and full-fibre networks in line with the Government’s objectives.
“High-risk vendors have never been, and never will be, in our most sensitive networks.
“Taken together these measures add up to a very strong framework for digital security.”