The UK government is set to allow Huawei to build part of Britain's 5G network, despite calling the Chinese company a "high-risk vendor."
Prime Minister Boris Johnson made the decision - which must still be approved by Parliament - amid intense pressure from both the US and China. Each superpower suggested that the wrong choice could impact trade talks, as the UK prepares to leave the European Union.
The US alleges that Huawei is a security risk and has untoward ties to the Chinese state. The company denies the allegation.
A long history
Huawei, one of the leading providers of 5G technology (and one of the cheapest), is already deeply enmeshed in the fledgling 5G networks currently being built by British telecoms companies.
It has also built equipment for the nation's infrastructure for more than 15 years, and has been subjected to higher scrutiny than rival vendors. The British government created the Huawei Cyber Security Evaluation Centre (HCSEC) in 2010 to provide security checks on its hardware and software, but the group has been criticized for its close ties to Huawei - for the first five years of its operations, Huawei decided on bonus pay for HCSEC employees, for example.
In its 2019 report, HCSEC detailed numerous security failings in Huawei's products, but blamed lifecycle management and development failings, rather than intentional actions or backdoors. The same failures were described in a 2018 report, but were mostly not addressed by the company, HCSEC said.
"We’ve never ‘trusted’ Huawei and the artefacts you can see (like the HCSEC and the oversight board reports) exist because we treat them differently to other vendors," National Cyber Security Centre technical director Dr. Ian Levy said in a blog post marking today's announcement.
"We ask operators to use Huawei in a limited way so we can collectively manage the risk and NCSC put in place a wider mitigation strategy, of which HCSEC is the most visible part."
For the 5G roll-out, the UK government plans to put some restrictions on Huawei. It will be banned from the "core" of the network, and from operating at sensitive sites such as nuclear and military facilities. Its market share of the edge network will also be capped at 35 percent - the figure that the Department for Digital, Culture, Media and Sport estimates is Huawei's current share of the 4G market.
With Huawei banned from 'core' aspects of the network, it can only provide hardware for the periphery, including the base stations and antennas. "The network impact from disrupting or exploiting a single network element in the access network, such as a base station, is clearly lower than the impact of disrupting or exploiting core equipment," a security analysis of the UK telecoms sector by the NCSC states.
"The former may impact a local area, the latter could impact services across the entire country."
However, some security analysts have suggested that, by its nature, 5G could see core functions located nearer the edge of the network. "This has been described as blurring the line between core and edge," the NCSC report claims. "This is technically inaccurate as the ‘core’ is defined by a set of functions, standardized within, rather than a location. Consequently, the distinction between the two remains clear, as does the advice above. Our advice remains that [high-risk vendors] are excluded from performing core functions, and this applies whether these functions are deployed centrally or towards the ‘edge’.
"Our understanding is that this clarification is unlikely to be consequential in the UK, as we are informed that core functions may run near the edge, but not actually on edge access equipment (such as base stations)."
Dr. Levy said that the restrictions on Huawei, and other high-risk vendors, "will ensure the UK’s telecoms networks are appropriately secure into the future regardless of the vendors used.
"While every country will have its own definition of a high-risk vendor, we need to make sure that the UK does not have to rely on a high-risk vendor and certainly that we don’t become nationally dependent. That needs a plan to diversify the market along with actions to improve product security across all vendors, improve operator security and create a framework to manage vendors of different risk profiles over the coming years."
The bigger picture
Britain, which is set to leave the European Union at the end of the week, is currently negotiating trade deals with both the US and China.
Speaking to the BBC last year, Chinese diplomat Chen Wen warned that there could be "substantial" repercussions for her country's investment in the UK, were Huawei to be banned outright. "The message is not going to be very positive. Is UK still open? Is UK still extending a welcoming arm to other Chinese investors?"
At the same time, however, US diplomats have urged the country to do just that - ban Huawei.
The US, which put Huawei on its Entity List (nominally due to allegedly evading sanctions with Iran) last year, has launched a concerted campaign to convince its allies not to use the company's equipment, and threatened to withhold intelligence data with countries that embrace Huawei.
The efforts have led to some total or partial bans, including in Australia, Canada, and Japan - as well as the United States itself. Citing national security, the country has never provided proof for its allegations, which date back a decade.
In 2012, a House of Representatives report claimed Huawei posed a “national security threat” to America. The report covered the murky ownership structure of Huawei, and the alleged ties to the state. The authors claimed they received “internal Huawei documentation from former Huawei employees showing that Huawei provides special network services to an entity the employee believes to be an elite cyber-warfare unit within the [People’s Liberation Army].
“The documents appear authentic and official Huawei material, and the former employee stated that he received the material as a Huawei employee. These documents suggest once again that Huawei officials may not have been forthcoming when describing the company’s R&D or other activities on behalf of the PLA.”
The documents were never publicly released, and have not been independently verified.
The response
With the Prime Minister now having made a decision on Huawei's status in the UK, a Trump administration spokesperson said that the US "is disappointed."
US Senators Marco Rubio (R-FL), Tom Cotton (R-AR), and John Cornyn (R-TX), urged the UK's National Security Council to change its mind: “This letter represents a genuine plea from one ally to another. We do not want to feed post-Brexit anxieties by threatening a potential US-UK free trade agreement when it comes to Congress for approval. Nor would we want to have to review US-UK intelligence sharing.
"Not long has passed since America itself was forced to wake up to the dangers Huawei posed. We did so in part because our international friends, like the Australians, urged us to think through the implications of allowing Huawei to participate in 5G infrastructure."
Some members of Boris Johnson's own party also criticized the decision. "Sovereignty means control of data as much as land," Conservative MP Tom Tugendhat tweeted. "We need to decide what we’re willing to invest in and who were willing to share our tech with. The real costs will come later if we get this wrong and allow Huawei to run 5G."
The message was reshared by US Secretary of State Mike Pompeo, who added: "The UK has a momentous decision ahead on 5G. British MP Tom Tugendhat gets it right: 'The truth is that only nations able to protect their data will be sovereign.'"
Unsurprisingly, Huawei welcomed the move. “Huawei is reassured by the UK government’s confirmation that we can continue working with our customers to keep the 5G roll-out on track," company VP Victor Zhang said.
"This evidence-based decision will result in a more advanced, more secure and more cost-effective telecoms infrastructure that is fit for the future. It gives the UK access to world-leading technology and ensures a competitive market.”