Security concerns about Huawei are still unanswered

From today’s Times. TL;DR – Huawei’s security is pretty rubbish, plus there’s the supposed links to the Chinese government. What I haven’t seen yet is a comparison between suppliers. For example, does Ericsson have better security standards?…:

Yesterday the science and technology committee, which I chair, took evidence on 5G security. This isn’t just about downloading films faster on your mobile. It is set to enable new and important technologies such as smart cities, driverless cars and wearable health monitors. So it’s critical that the UK is confident in the security and reliability of its 5G networks.

It was clear from the evidence we heard that a complete ban on Huawei’s equipment would inevitably result in significant delays and added cost in realising all the benefits of 5G. But what about security?

Telecommunications networks and technology supply chains have become complex and global. Equipment vendors use many suppliers and manufacturers, most of which are not in the UK. Many are in China. Banning anything that might have been tampered with by the Chinese government, or even by a Chinese spy, is not a practicable solution. More to the point, network operators design their networks on the assumption that the equipment they use cannot be trusted.

So how should we address valid security concerns? The mobile network operators are responsible for making sure the networks are always working but they follow advice from the National Cyber Security Centre on a voluntarily basis. We should ask if this is sufficient. The Huawei Cyber Security Evaluation Centre’s Oversight Board has highlighted poor cybersecurity in Huawei’s products. Operators must be clear that this will have to improve significantly and quickly if Huawei is to remain competitive. We must make clear that this is what we expect.

Moreover, it is clear that essential services must not fail completely if there is network disruption. Driverless cars, for example, must be built to continue driving if they lose contact with the 5G network. This is important given fears of interference by foreign suppliers, but it is just as relevant given the potential disruption from adverse weather, external attacks and simple mistakes. But you don’t have to be a contractor to pose a threat to national security. The Russians have attacked our telecoms networks despite there being no Russian suppliers. And in December a 4G network went down for over a day due to a faulty update.

The National Cyber Security Centre has pointed out that there is no such thing as a 100 per cent safe system in cybersecurity. Instead, we must try to manage the risks and make our networks as secure as possible. If a ban on Huawei equipment were cost-free, then there would be little to lose from the incremental gain in security we might make. But such a decision wouldn’t be cost-free — it would delay the UK’s 5G network by years, with huge economic cost. It would also reduce competition in a market with few players, potentially damaging competition for the best performance, the lowest cost and the best security.

On technical grounds, banning Huawei does not appear to be proportionate, based on all the evidence we heard yesterday. All witnesses believed that the risks could be managed.

But there are more than technical considerations. There are geopolitical and intelligence sharing risks associated with a company that has a close relationship with the Chinese government. Should we do business with a company which appears complicit with the Chinese state in the gross human rights abuses under way in Xinjiang Province? The Australian Strategic Policy Institute first highlighted Huawei’s involvement in Xinjiang, where an estimated 1.5 million ethnic Muslims have been detained. Yesterday the response was, effectively, that this was not a concern for the company. Compliance with the law was their only responsibility.

If there was any doubt about the closeness of the relationship between the Chinese state and Huawei, that doubt was dispelled yesterday.

We heard overwhelmingly that most national security risks can be managed and the total removal of Huawei, as a supplier, would not mitigate risk. However, if they continue to operate in a moral vacuum it remains unclear what role they should play in the UK’s telecommunications infrastructure.

Sir Norman Lamb is a Liberal Democrat MP and chairman of the science and technology committee

Original article here