Sir Iain Duncan Smith leads a Westminster Hall debate on the security implications of including Huawei in 5G.
The government’s decision to go ahead with Huawei in the 5G network has angered our allies and perplexed those of us who see this as an avoidable risk. In its rush to go ahead with a 5G system for the UK that uses Huawei’s products extensively the UK government has brushed aside the concerns of all our most important allies, that there is an overwhelming body of evidence that indicates Huawei, which is an untrusted vendor should not be given any further opportunity to access our most vital communications networks.
This decision by the UK government leaves us utterly friendless.
After all, Huawei is effectively a state owned corporation in the People’s Republic of China under the Communist Party. Huawei Technologies is 99% owned by Huawei Investment Holdings. Huawei Investment Holdings is completely owned by the Huawei Investment Holdings Trade Union Committee. According to Chinese law, trade union committees are classified as “public” or “mass” organizations. Public organizations do not have shareholders as they are recognized under Chinese law as legal persons or entities in their own right. An example of a public organization would be the Communist Youth League.
Huawei is also seen as a National Security threat. They continue to deal with Iran; they built the mobile network for Korea; they have provided security, surveillance and censoring systems to authoritarian regimes, not least of course the Chinese government. Of course, it is well documented that Huawei also has a long and intimate history with the Chinese security services.
Furthermore, if that wasn’t enough to make one concerned, I hope the UK government has noticed that a superseding indictment was returned a few weeks ago in federal court in Brooklyn, New York, charging Huawei Technologies Co. Ltd. (Huawei), the world’s largest telecommunications equipment manufacturer, and two U.S. subsidiaries with conspiracy to violate the Racketeer Influenced and Corrupt Organizations Act (RICO).
Yet the government announced that here in the UK whist we recognised Huawei as an untrusted provider, we would not stop Network providers using Huawei equipment in the new 5G. Instead of banning them as our allies have done we would place limits on the locations and the extent to which Huawei products may be deployed in our 5G network, over time to reducing Huawei’s involvement to 35%.
Yet this plan to exclude Huawei products from the ‘core’ of the 5G infrastructure whilst restricting them to the ‘edge’ critically rests on the assumption that the core cannot be compromised from the edge. Most cyber experts know this is an unsafe assumption, because they know that whole 5G networks can be attacked starting from compromised edge components, indeed there is some evidence that such attacks have already taken place on a limited scale.
For example a hostile adversary might disable our 5G network is if they simply shut down the aerials and/or routers at the edge by remotely activating a malware. Embedded in the edge components such kill switches are nigh on impossible to detect or to mitigate.
The second issue the government prays in aid is that we need 5G now, because it offers three main benefits - faster data transmission rates; Shorter delays and increased network capacity.
Whilst faster data transmission rates can improve user experience, for most people, 5G will not significantly impact their experience. Tasks such as viewing a movie wouldn’t be perceptibly different from 4G. In any case, the data speeds offered by 5G (100Mb/s to 1000Mb/s) are in the range offered by more conventional superfast fibre broadband, so in many cases the desired performance can be achieved by other means right now. Completing that roll out is more important.
The government’s claim that 5G will increase network capacity, concerns the proliferation of connected Internet of Things (IoT) devices and a dramatic increase in self-driving cars with next-generation telematics. I am sure there may be response-time-critical benefits in future - such as how self-driving cars share safety-critical information with other cars. However, these applications overwhelmingly lie in the future and will importantly rely on a wider set of technological changes and significant change in social attitudes.
Yet even if the Government disagrees about the urgent need for such developments, surely security is a greater priority. Government policy must consider the wisdom of proceeding to deploy vast numbers of IoT sensors into our environment, offices and homes, unless and until current legitimate security concerns have been laid to rest concerning the possibility that these sensors might be used against us on an industrial scale.
Perhaps most bizarrely, this rush by government is driven by the fear we will be left behind by others, yet I find that difficult to comprehend, given that a growing number of leading Western nations have indicated their intention not to use Huawei or any other untrusted vendors, surely the worldwide rollout of 5G must inevitably slow down. In this context it should be seen as an opportunity to prioritise national security over breakneck 5G deployment.
Furthermore far from Huawei having some insurmountable technical lead, it seems the quality of their work isn’t all it is reported to be. I seem to recall Dr Ian Levy, technical director at GCHQ's National Cyber Security Centre (NCSC) referring a year ago to Huawei security as "very, very shoddy" and said it was "engineering like it's back in the year 2000."
The government points out that Telcos are all reliant on Huawei and that a delay would leave them significantly out of pocket. Of course, that reliance on Huawei is because Huawei was bid well below other market competitors for UK business. After all, there is a long history of the China development bank providing low cost financing for Huawei customers, such as guaranteed financing many times annual revenue and updated every few years. A recent report estimated that when one takes in tax breaks, grants and low cost land acquisition, this comes to more than $75bn.
Yet despite all that, what isn’t common knowledge is that at least one very significant UK Service provider has already made it clear they will not use Huawei in their 5G network system, suggesting that the idea that these systems cannot be created without Huawei is nonsense.
Furthermore, the NCSC’s guidance does not even mention services. I understand that Huawei are taking over the managed services for 3, which opens yet another huge area for the gathering of information – if you have a map of the radio network, you also have a map of everything that connects to that radio network – you know what each piece is an how to attack it.
Yet our dependence on Huawei is deeper than many realise. I have just noticed that Huawei is at present in the Emergency Services Network (ESN), often referred to as the Blue Lamp service. This service is part of our critical national infrastructure. I must say, I was astonished that this should be allowed. Imagine how dangerous any form of disruption would be to this service, it beggars belief. And Then I see that MI5 uses a systems provider I understand which is heavily Huawei dependent.
My worry then is I understand that the government is now working on what they call the Government Mobile System, or GOMO for short which they have decreed will be with one supplier only. So, it should stand to reason that unless the government blocks untrusted providers from the system, we will be handing over control of yet another vital and sensitive system.
So I ask my Hon Friend, will the government ensure that when this contract is let, the supplier will not have any input from untrusted providers such as Huawei?
What a terrible mess it all is. There was nothing in the statement about that was there?
Yet compounding the issue of Huawei and not yet spoken of in these debates, lies a further problem. This exposes the degree to which western governments have taken their ‘eye off the ball.’ It is that much of the available equipment including electronic sub-assemblies is of unknown security provenance. At present beyond existing contracted function, we have little or no idea what else lies now installed in the system. UK governments have done little to tackle this problem. Surely after all these years we should have worked
to ensure that as much as possible, product deployed into secure or critical national infrastructure is auditable. This is the sort of thing we should undertake in collaboration with our 5 eyes allies.
We are in a mess and the only way to get out of that mess is to agree to ensure that Huawei reduces from its present position to not just 35% but to 0% involvement over the next two to three years.
Successive British governments have cosied up to China in the hope that we can take advantage of their markets, yet in so doing we seem to be playing a dangerous game. After all, this totalitarian regime is not an ally of ours - even if the Foreign office is reluctant to admit China poses a threat to us, for fear of upsetting the Chinese. Not just in its cyber-attacks on our systems but also in the way it does not obey the international rules based order in trade.
As the UK leaves the EU, we should avoid kow-towing to China or anyone else. The British government should now commit to reduce and eradicate our dependence on Huawei, in line with our allies. After all, Defence of the realm is the first priority of any government not Demi-Defence as this decision to include Huawei in our systems ensures.