Britain has said it’s “not yet in a position” to make a final decision on whether Huawei should be involved with 5G networks, but tougher industry-wide security controls will be introduced.
The debate over how much Huawei should be involved in 5G has raged on for years, and even before that to some extent with previous-generation networks. Currently, the UK has Huawei equipment inspected at the Huawei Cyber Security Evaluation Centre (HCSEC) in Banbury.
Until last year, HCSEC reported it felt confident that security risks could be sufficiently mitigated. A follow-up report this year slammed Huawei as being slow to address concerns.
At the core of the debate is a concern the Chinese vendor is state-controlled and would be required to conduct espionage if requested, an allegation the company has always denied.
The debate has gone on for so long that UK networks have already begun their 5G network rollouts. Huawei’s equipment is being used in every UK mobile network, so a ban would be expensive, disruptive, and likely impact the UK’s current European leadership in 5G deployment.
"We've already started to deploy equipment for when we launch 5G in the second half of the year," said Three CEO David Dyson. "So if we had to change vendor now, we would take a big step backwards and probably cause a delay of 12-18 months."
For countries in Europe which are members of the EU, the bloc is currently in the process of attempting to establish a common approach to managing 5G risks. Earlier this week, 24 of the current 28 EU member states completed national 5G risk assessments to lay the groundwork for an EU-wide assessment by October.
According to the Commission’s statement, the EU’s assessment will focus on three core areas:
the main threats and actors affecting 5G networks;
the degree of sensitivity of 5G network components and functions as well as other assets; and
various types of vulnerabilities, including both technical ones and other types of vulnerabilities, such as those potentially arising from the 5G supply chain.
“The completion of the risk assessments underlines the commitment of Member States not only to set high standards for security but also to make full use of this groundbreaking technology,” Julian King, Commissioner for the Security Union, and Mariya Gabriel, Commissioner for the Digital Economy and Society, said in a joint statement.
“We hope that the outcomes will be taken into account in the process of 5G spectrum auctions and network deployment, which is taking place across the EU now and in the coming months. Several member states have already taken steps to reinforce applicable security requirements while others are considering introducing new measures in the near future.”
The UK’s own decision over Huawei’s 5G involvement will now be made under a new prime minister, most likely former London mayor Boris Johnson. The decision may not even be made until after the UK departs the EU in October, but the US will be closely following the decisions of all its European allies.
The US, which has led pressure on allies to ban Huawei from 5G networks, has even threatened to reduce security cooperation with countries which decide not to.
“Insufficient security will impede the United States’ ability to share certain information within trusted networks,” warned US secretary of state Mike Pompeo in May. “This is just what China wants – to divide Western alliances through bits and bytes, not bullets and bombs.”
While a UK decision on Huawei is yet to be made, wider telecoms industry security controls will be implemented.
Giving a statement in parliament this afternoon, UK digital minister Jeremy Wright said:
“The Review has concluded that the current level of protections put in place by industry are unlikely to be adequate to address the identified security risks and deliver the desired security outcomes. So, to improve cybersecurity risk management, policy and enforcement, the Review recommends the establishment of a new security framework for the UK telecoms sector. This will be a much stronger, security-based regime than at present.
The foundation for the framework will be a new set of Telecoms Security Requirements for telecoms operators, overseen by Ofcom and government. These new requirements will be underpinned by a robust legislative framework.”
The review suggests huge penalties, along the lines of those for breaching GDPR, will be levied on carriers that fail to meet the strict security standards it will bring in.
Interested in hearing industry leaders discuss subjects like this? Attend the co-located IoT Tech Expo, Blockchain Expo, AI & Big Data Expo, and Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London, and Amsterdam.