UK infrastructure needs better security controls on suppliers, says ISC

An Intelligence and Security Committee (ISC) report reveals weaknesses in the UK's approach to critical national infrastructure

An investigation by the Intelligence and Security Committee (ISC) has revealed a number of weaknesses in the UK’s approach to investment in critical national infrastructure (CNI).

The ISC was investigating the security implications of awarding key telecoms infrastructure contracts to Chinese equipment maker Huawei.

China is suspected of being one of the main perpetrators of state-sponsored cyber attacks, which are focused on espionage and the acquisition of information.

“In this context, the alleged links between Huawei and the Chinese state are concerning,” the ISC said in its latest report, Foreign Investment in the Critical National Infrastructure.

Ministerial referral

The investigation found that BT notified government officials in 2003 of Huawei’s interest in the contract for its £10bn rationalisation and upgrade project, but the matter was not referred to ministers until 2006, a year after the contract had been signed.

The ISC found that then secretary of state for trade and industry, Patricia Hewitt, did discuss the contract with BT, but this was in relation to the competition aspects of the decision and the implications for UK business, rather than any security concerns.

“There was no justification for failing to consult ministers about the situation when BT first notified officials of Huawei’s interest. Such a sensitive decision, with potentially damaging ramifications, should have been put in the hands of ministers,” the report said.

Systemic failure

The ISC found that the case highlights a number of weaknesses in the UK’s approach to deploying CNI equipment, including the lack of a requirement on companies that own CNI assets to inform or consult government prior to awarding a contract.

The ISC said the government’s duty to protect the safety and security of its citizens should not be compromised by fears of financial consequences or lack of appropriate protocols.

“However, a lack of clarity around procedures, responsibility and powers means that national security issues have risked, and continue to risk, being overlooked,” the report said.

The ISC said it is not convinced there has been any improvement in the past ten years in effective procedure for considering foreign investment in the CNI.

“The difficulty of balancing economic competitiveness and national security seems to have resulted in stalemate. Given what is at stake, that is unacceptable,” the report said.

Procedural responsibility

The ISC has called on the National Security Council to ensure there are effective procedures and powers and clear lines of responsibility when it comes to investment in the CNI.

“Crucially, the government must be clear about the sequence of events that led to ministers being unsighted on an issue of national importance and take immediate action to ensure this cannot happen again,” the report said.

The ISC praised the government for encouraging Huawei to become more transparent about its equipment and business practices.

However, the ISC called for an urgent review of the security assurance processes to ensure the required level is achieved. It recommended they be run in future by GCHQ staff, not Huawei.

The report said that, while it is not impossible to constrain CNI companies to UK suppliers and eliminate the risk to CNI, government must ensure that the risk is managed properly.

“When it comes to the UK’s critical national infrastructure, ministers must be kept informed at all stages,” the report said.

ISC demands

The ISC report calls for:

  • An effective process by which government is alerted to the possibility of foreign investment in the CNI;
  • An established procedure for assessing the risks;
  • A process for developing a strategy to manage risks throughout the lifetime of the contract and beyond;
  • Clarity as to what powers government has or needs to have;
  • Clear lines of responsibility and accountability.

The report concludes that, from the evidence taken during this investigation, the procedural steps it outlined still do not appear to exist.

“However, as we went to press, we were told that the government has now developed a process to assess the risks associated with foreign investment into the UK,” the report said.

“Whether these processes are sufficiently robust remains to be seen: the steps we have outlined must exist to ensure that government does not find itself in the same position again.”

Responding to the report, a Cabinet Office spokesman said the government worked closely with companies that provide services supporting the CNI, to ensure any networks and systems are managed appropriately and securely.

“We recognise there are security risks inherent to any sophisticated telecommunications network and system, and we have effective measures in place to mitigate these risks,” he said.

Evolving processes

According to the Cabinet Office, the processes of 2005 have been updated.

“We now have governance structures and working practices in place which address these risks, including supply chain threats to the telecommunications infrastructure specifically, and escalation of decision-making processes as necessary. But this is a complex and fast evolving technical area and we will keep it under close review and engage more closely with the ISC as we do,” said the Cabinet Office spokesman.

The Cabinet Office said boosting trade and investment is a key part of the government’s plan for growth and it is working to develop the UK’s economic relationship with key trading partners, including China.

Huawei and the UK

“Huawei itself, as well as actively supplying the UK telecoms sector, is making a significant investment in the UK economy and this is recognised by the fact that the company has been added to the government’s strategic relationship management programme earlier this year,” he said.

In a statement, Huawei sought to reiterate its independence as a private, employee-owned company, saying it had the full support of the UK government and telecoms operators, including BT, having invested in the UK for 12 years.

“They trust Huawei because of its steadfast commitment to security and its open, discreet and cooperative attitude,” the company said.

Huawei said BT had audited the business thoroughly, including security, and that it has continued to meet BT’s requirements through a yearly audit process.
