The UK's strategy for monitoring the use of Huawei technology in UK telecoms networks is proving effective, according to a senior intelligence chief.
"Our regime is arguably the toughest and most rigorous oversight regime in the world for Huawei," said Ciaran Martin, head of the National Cyber Security Center (NCSC) in a speech in Brussels. "And it is proving its worth," he said.
Huawei has grown rapidly in recent years but has also become the focus of concerns in some western countries about the growing role of Chinese technology in critical national infrastructure. Australia and New Zealand have blocked Huawei from their 5G networks on national security grounds, and the US has long voiced suspicions about the networking giant, banning it from government contracts back in 2014. Huawei has insisted it would never spy on its customers at the request of China.
Pressure from the US on its allies, including the UK, to dump Huawei has increased in recent months. The UK government is currently looking at the issue of 5G security, with a review expected to be published in the spring which could include a decision on whether Huawei technology can be used in future 5G networks. The decision that the UK makes will be watched closely by other nations undecided about the direction of their own policy on Huawei.
Martin said: "Everything is on the table. Contrary to some reporting no decisions have been taken."
Martin would not be drawn on whether the US has provided any new evidence about Huawei's activities but said under the oversight board report process he would be obliged to report evidence of deliberately malevolent activity by Huawei and said "we have yet to have to do that."
Until very recently the UK has been a solid market for Huawei and for nearly two decades its technology has been used in mobile and fixed networks. But recently even UK operators have been distancing themselves from the Chinese telecoms giant. In December, EE said it would not be using Huawei equipment in the core of its 5G network and was in the process of removing its hardware from the core of its 3G and 4G networks. Vodafone said it would 'pause' the deployment of Huawei kit in its core network.
One of the conditions for the use of Huawei equipment in UK networks has been oversight of its technology. For example, the UK established the Huawei Cyber Security Evaluation Centre in Oxfordshire, which examines Huawei kit for potential security flaws.
Martin said the way the NCSC is handling Huawei's presence in UK telecoms networks was an example of its mitigation framework, arguing that it is subject to "detailed, formal oversight".
"Because of our 15 years of dealings with the company and ten years of a formally agreed mitigation strategy which involves detailed provision of information, we have a wealth of understanding of the company," he said, noting that Huawei kit is not deployed in any sensitive networks.
Last summer the board that oversees the security of Huawei products used in UK networks warned that it had identified shortcomings in Huawei's engineering processes that had "exposed new risks in the UK telecommunication networks and long-term challenges in mitigation and management". The company has promised to address the issues, admitting they may take years to fix.
"We will monitor and report on progress and we will not declare the problems are on the path to being solved unless and until there is clear evidence that this is the case," said Martin. "We will not compromise on the improvements we need to see from Huawei."
Martin said that securing 5G is going to be particularly important, given the sorts of networks dependent on it, running anything from autonomous vehicles to smart cities.
For example, Martin said that where the supplier of the technology is based was only one factor in terms of security, pointing out that last year his agency blamed Russia for attacks on UK telecoms networks and noting: "As far as we know, those networks didn't have any Russian kit in them, anywhere. The techniques the Russians used to target those networks were looking for weaknesses in how they were architected and how they were run."
He said that of the 1,200 significant cybersecurity incidents the NCSC has managed, the country of origin of technology suppliers has not featured among the main causes for concern in how these attacks were carried out.
Martin said there was a need for higher standards of cybersecurity across the entire telecommunications sector. "The market does not currently incentivise good cybersecurity," he said. He also said networks have to be more resilient. "We must assume that a global supply chain will have multiple vulnerabilities, whether intentional or, more likely, unintentional. Networks are built by human beings and human beings make mistakes. No network can be totally safe."
While it will be for ministers to take the final decision about whether to allow Huawei kit to be used in 5G networks, the NCSC seems to be indicating that any risk from Huawei can be managed and that banning it might have unpredictable consequences.
Martin also warned that a market with a small number of suppliers — which would be one result of any ban on Huawei — could also put security at risk because a company with an "excessively dominant market position" would have no incentive to take cybersecurity seriously, and would also become the prime target of hackers.
"If you've built a telecommunications network in a way that the compromise of one supplier can cause catastrophic national harm, then you've built it the wrong way," he said.