The government has agreed to conduct a review of Huawei’s Cyber Security Evaluation Centre, as recommended by the Intelligence and Security Committee (ISC).
The government also agrees that ministers should have been informed sooner about the awarding of key telecoms infrastructure contracts to Chinese equipment maker Huawei, and that the processes of considering national security issues in 2003 were insufficiently robust.
However, the government does not agree that there have been no improvements since then or that national security issues are overlooked, prime minister David Cameron told parliament.
He was presenting the government’s response to the Intelligence and Security Committee's (ISC) report on foreign involvement in the UK’s critical national infrastructure (CNI) published in June.
The investigation found that BT notified government officials in 2003 of Huawei’s interest in the contract for its £10bn rationalisation and upgrade project, but the matter was not referred to ministers until 2006, a year after the contract had been signed.
The prime minister said that the National Security Council (NSC), which did not exist in 2003, can and does consider similar issues today to ensure that the government’s approach balances economic prosperity and commercial competitiveness with national security.
“It is important that this balanced approach is taken. Boosting trade and investment is a key part of the government’s plan for growth and we are working hard to develop our economic relationships with key trading partners, including China,” said Cameron.
At the same time, he said the government works with major communication service providers in the UK to ensure that their networks and the services they provide are appropriately secure.
“Our work with Huawei and its UK customers gives us confidence that the networks in the UK that use Huawei equipment are operated to a high standard of security and integrity,” said Cameron.
However, he said the government recognises this is a fast-changing environment and will continue to review procedures in this area regularly.
The ISC highlighted GCHQ’s confidence in BT’s effective management of the communications network.
“Notwithstanding this, we agree with the Committee that no complex telecommunications system – or any ICT system for that matter – can be totally invulnerable and that what is important is how these risks are managed,” Cameron said.
Government Huawei-run Cell
The ISC report praised the government for encouraging Huawei to invest in the Cyber Security Evaluation Centre, known as “the Cell”, and become more transparent about its equipment and business practices.
However, the ISC questioned why the Cell is only now approaching full functionality, over seven years after the BT contract was awarded.
“It should be noted the Cell was not established until 2010, and was only required as Huawei gained further contracts with other UK communication service providers (CSPs),” said Cameron.
But he said the government agrees with the ISC’s recommendation that the National Security Adviser should carry out a review of the Cell, which will be completed before the end of the year.
The ISC said it was concerned that the Huawei-run Cell is responsible for providing assurance about the security of Huawei products.
In response, the government said a self-policing arrangement is highly unlikely either to provide, or to be seen to be providing, the required levels of security assurance.
“We therefore strongly recommend that the staff in the Cell are GCHQ employees. We believe that such a change is not only in both Huawei’s and the government’s interests, but that it is in the national interest,” said Cameron.
At a bare minimum, he said GCHQ must have greater oversight of the Cell and be formally tasked to provide assurance, validation and audit of its work; and government must be involved in the selection of its staff, to ensure continued confidence in the Cell.
Managing risk to national infrastructure
In response to ISC’s concerns about the risks associated with private and foreign ownership of CNI suppliers, the government said that when it comes to the UK’s CNI, ministers must be kept informed at all stages.
The government said it shares the ISC’s view that it is not practicable to seek to constrain CNI companies to UK suppliers, nor would it provide any greater protection given the global nature of supply chains.
“The government also welcomes the ISC’s recognition that a risk-based approach is the correct way forward when considering portfolio investment into the UK’s critical national infrastructure,” said Cameron.
“Foreign investment in, or ownership of, CNI would not automatically create risks related to the operation of that CNI, hence the need to consider matters on a primarily case-by-case basis,” he said.
Since the creation of the NSC the government has put in place an approach which enables it to assess the risks associated with foreign investment and develop strategies to manage them.
The NSC, created in 2010, brings together the economic and security arms of the government and is the forum that balances the risks and opportunities of inward investment decisions.
The government noted that the NSC is supported by cross-Whitehall coordination by officials who identify and assess any risks in pipeline investment opportunities and bring these to the attention of ministers.
The government’s response noted that lead government departments are responsible for managing the protective security approach for their CNI sectors, identifying priorities, monitoring implementation of mitigating measures and agreeing what level of residual risk is acceptable.
“This is conducted in close collaboration with infrastructure owners and operators and with bodies such as the Centre for the Protection of National Infrastructure,” said Cameron.
The government said departments are aware of their responsibility to manage the risks, ensure they consult the relevant experts, and decide when issues should be escalated either to ministers or the NSC as the situation demands.
For each case, the decision-making process is signed off by senior officials and ministers within the asset owning department.
Ministers also have at their disposal a number of measures, both legislative and regulatory, that enable the safeguarding and control of operational investments.
“To ensure they remain fit for purpose, the powers of government are kept under regular review, and consideration is given to the question of whether any new powers are required,” said Cameron.
A Cabinet Office spokesperson said the government takes threats to the UK’s CNI very seriously and needs to be responsive to changes in a fast-moving and complex, globalised telecommunications marketplace.
“We have robust procedures in place to ensure confidence in the security of UK telecommunications networks. However, we are not complacent and, as such, we have agreed to the main recommendation of the report to conduct a review of Huawei’s Cyber Security Evaluation Centre to give assurance that we have the right measures and processes in place to protect UK telecommunications,” the spokesperson said.