The UK Government reverses its approach to high risk vendors in telecoms
21 July 2020
In January 2020, the UK Government announced its intention to introduce a new comprehensive telecoms security regime. That announcement accompanied lengthy and long awaited guidance on the extent to which so-called “high risk vendors” (HRVs) can be used in the UK’s 5G and full fibre networks.
In the latest twist in the UK’s debate around the integration of technology supplied by HRVs into its telecommunications networks, in June 2020, it was confirmed that the UK was undertaking a further review of its position after the U.S. Government announced new export controls targeted at Huawei Technologies Co., Ltd (Huawei).
On 14 July 2020, following a meeting of the UK National Security Council to consider the outcome of the further review, the UK Government announced that it is reversing its position as announced in January. In this article, we provide an overview of the on-going regulatory developments in the UK and comment on what the Government’s new position could mean for the UK telecoms industry.
The UK’s developing position
In January 2020, the UK Government announced new restrictions on the use of HRVs in the UK’s 5G and full fibre networks. The Government’s announcement signalled the conclusion of its Telecoms Supply Chain Review (the Review) – a comprehensive assessment of the UK’s telecoms networks security. At the same time, the National Cyber Security Centre (the NCSC) – the UK Government’s technical authority on cyber security – issued further technical advice on the use of equipment from HRVs in all UK telecoms networks.
What are HRVs?
The UK Government has categorised HRVs as vendors that it considers pose greater security and resilience risks to UK telecoms. The Review recommended that a non-exhaustive set of objective factors are taken into account in order to assess a vendor as high risk, including:
- the vendor’s strategic position or scale in the UK network and other telecoms networks (particularly if the vendor is new to the UK market);
- the quality and transparency of the vendor’s engineering practices and cyber security controls;
- the vendor’s domestic security laws in the jurisdiction where the vendor is based and the risk of external direction that conflicts with UK law; and
- the relationship between the vendor and the vendor’s domestic state apparatus and the availability of offensive cyber capability by that domestic state apparatus, or associated actors, that might be used to target UK interests.
Currently, the NCSC has assessed Huawei and fellow Chinese telecommunications company, ZTE Corporation (ZTE), as HRVs.
What restrictions did the UK Government place on HRVs?
For 5G and full fibre networks, the Review concluded that HRVs should be:
- excluded from all safety related and safety critical networks in critical national infrastructure;
- excluded from security critical network functions (i.e. the sensitive part of the network);
- subjected to tight restrictions, including exclusions from sensitive geographic locations, such as nuclear sites and military bases; and
- limited to a minority presence of no more than 35% in other parts of the network.
The NCSC further stated that HRVs’ products and services should not be used for a number of specific functions across all networks (i.e. not just 5G networks), including security functions, Operational Support Systems (OSS) and interconnection equipment. The NCSC also advised that operators should only use an HRV if that HRV has in place a specific risk mitigation strategy, designed and overseen by the NCSC.
Operators were given until January 2023 to reduce their use of HRVs to the recommended levels. In relation to Huawei, the NCSC advised that operators should “reduce to the recommended level as soon as practical” where they exceed it, rather than by January 2023.
Legal implications and response
The UK Government’s position and the NCSC advice did not have the force of law and no penalties were associated with failing to meet their requirements. The UK Government stated, however, that it intended to legislate, at the earliest opportunity, to introduce a new comprehensive telecoms security regime that would be overseen by the communications sector regulator, Ofcom, and the UK Government.
The UK Government’s decision to let Huawei continue to have limited involvement in the UK’s 5G networks was criticised by the U.S. Government and some backbench Conservative MPs, who sought unsuccessfully in March to introduce a legislative amendment to ban Huawei from UK networks completely.
Recent developments and next steps
May 2020 U.S. sanctions
In May 2020, the U.S. Department of Commerce announced new export controls targeted at Huawei which will effectively restrict Huawei’s ability to use U.S. technology and software to design and manufacture its semiconductors abroad. Semiconductors are needed for products such as telecoms network gear and smartphones. This targeted action came a year after the U.S. Government placed Huawei on its so-called “entity list”, which prohibited any person, U.S. and non-U.S., from selling U.S.-origin commodities, software, and technology to Huawei without a government licence. The Department stated that the new rule is designed to address a loophole whereby Huawei was still able to purchase semiconductors made outside the United States with U.S. software.
NCSC Review and the UK Government’s new position
Following the U.S. announcement, the UK Government confirmed that the NCSC has launched a further review into what impact the new U.S. restrictions might have on Britain’s telecoms networks. It was reported that the U.S. restrictions and further UK Government review would give UK Prime Minister Boris Johnson an opportunity to reverse the Government’s earlier decision to allow Huawei to have a limited role in UK telecoms networks.
On 14 July 2020, the UK National Security Council met to consider the outcomes of the NCSC’s further review and make a final decision over the role of Huawei and other HRVs in the UK’s 5G network. It has since been disclosed that the NCSC concluded that the U.S. sanctions mean that Huawei will need to make major changes to how it designs and builds its telecommunication products. The NCSC concluded that it no longer considers that the UK will be able to manage the security risks of using affected Huawei technology in its future 5G network.
Following that meeting, Oliver Dowden, the UK Secretary of State for Digital, Culture, Media and Sport, made a statement in the House of Commons announcing that the UK would implement a full phase out of Huawei from the UK’s 5G networks by the end of 2027. Additionally, buying new Huawei 5G equipment is to be banned after 31 December 2020 and the existing ban on Huawei from most sensitive “core” parts of the 5G network remains. The UK’s full fibre operators have also been advised to transition away from purchasing new Huawei equipment in accordance with a timetable that is to be determined following a technical consultation. The Government expects this period to last no longer than two years. This revised policy position is now expected to be put on a statutory basis with a new Telecoms Security Bill being introduced by the UK Government to give it the powers necessary to implement this new telecoms security framework.
At the same time, EU member states are also facing pressure from the European Commission to implement stricter 5G security rules. In January 2020, the Commission released a non-binding “toolbox” to assist member states in strengthening their security requirements. More recently, it has been reported that the European Commission is to choose a member state with “fully secure” telecom networks to host its new cyber security competence centre, with special emphasis on 5G security. The NIS Cooperation Group – which was established to ensure strategic cooperation and the exchange of information on cyber security among EU member states – is to prepare a report of the state of implementation of new security measures by member states. Such heighted political pressure could see further restrictions imposed on Huawei and ZTE across the EU.
What this means for telecommunication Companies
These recent developments represent a major U-turn from the UK Government on the role that HRVs can play in 5G and full fibre networks. Following the UK Government’s reversal of its January decision, there will no doubt be many questions about the feasibility of the timeline for phasing Huawei out of the UK’s telecommunications networks and the costs and time delays to 5G networks that switching suppliers will cause.
For the UK telecoms industry, this fast changing geopolitical landscape highlights how important it is for companies to keep abreast of developments and to review how regulatory changes could impact their operations. For many companies, this may mean having to reduce their reliance on HRVs, or remove them altogether, in the UK and beyond.
A version of this article first appeared in WorldECR
- https://hansard.parliament.uk/Lords/2020-06-02/debates/E41AA605-FF20-4E5C-841B22DB99E791FF/TelecommunicationsInfrastructure (LeaseholdProperty)Bill?highlight=huawei#contribution-231F4176-3E35-4D0B-AE72-E785C64DD966.
- https://www.consilium.europa.eu/en/media-galleries/tte/2020-06-05-tte-telecom/?slide=0; Commissioner Breton’s statement at minutes 6 to 7.