Huawei in the UK: a comedy of process errors

An ISC report has questioned UK critical infrastructure procurement processes, particularly about the risks of using Huawei equipment

The heat has been on Huawei in recent months as governments across the globe have become embroiled in debate over whether networking equipment from the Chinese supplier can be trusted.

China is suspected of being one of the biggest players in state-sponsored cyber attacks. Despite positive reviews from the private sector about Huawei’s equipment, many in government have said the time has come for the public sector to make a call on the use of the firm's equipment in national critical infrastructure.

In the US, it was a flat-out "no". 

The House Permanent Select Committee on Intelligence said in October 2012 that Huawei should be restricted from doing business across the country, as it posed a threat to national security, with the possibility of leaking sensitive information to the Chinese government.

In Australia, the government even took the controversial move to block Huawei from its National Broadband Network and continues to question company officials on any ties with the Chinese Communist Party (CCP).

Already on our shores

However, in the UK, Huawei equipment is already routinely deployed.

Homegrown telecoms giant BT put out a tender in 2003 for a manufacturer to provide equipment for its £10bn 21st-Century Network project – moving from cable to IP-traffic fibre networks – for which Huawei tendered a bid.

The National Security Information Exchange working group inside the Cabinet Office was informed of the interest. However, it decided blocking the contract could have serious diplomatic and trade implications for the UK, as well as put it in a position where BT could sue for not being able to choose the best deal. 

Eventually, the government said BT could make its own choice.

Some interest was shown by then secretary of state for trade and industry Patricia Hewitt two years down the line – but only from a competitive standpoint – and by the end of 2005, BT had awarded Huawei a contract to supply transmission equipment.

It was not until January 2006 that ministers were warned by the intelligence and security co-ordinator that there could be security implications in using Huawei products.

BT, the Government Communications Headquarters (GCHQ) and Huawei worked together to establish assurances for the equipment, although by then Huawei was already deeply ensconced in UK critical national infrastructure (CNI) – defined as certain ‘critical’ elements of infrastructure, the loss or compromise of which would have a major, detrimental impact on the availability or integrity of essential services, leading to severe economic or social consequences or to loss of life.

The Cyber Security Evaluation Centre has been in charge of monitoring such equipment since 2010, but even it admitted it had “not been created to look at every piece of hardware or software destined for the UK market,” but instead to assess software and hardware upgrades as and when they came in.

An issue was discovered in 2011, details of which are scarce, but the government persevered with BT, and so in turn with Huawei kit, and accepted the promise from the company's headquarters in Shenzhen that it would be rectified.

Yet again in 2012, the Cyber Security Evaluation Centre admitted it was not working to full capacity and could not give the level of assurance needed by government on the technology being used, while, of course, the equipment in question was live in UK CNI.

Now the Intelligence and Security Committee (ISC) has put its head above the parapet and released a report on its investigation into where things have gone wrong to allow networking products into UK CNI without the security implications being fully investigated.

A serious disconnect

The ISC report concluded there was “a disconnect between the UK’s inward investment policy and its national security policy” and there was no reason it should have taken so many years – and until after BT had signed the contract with Huawei – to come before ministers with the security concerns raised.

“Such a sensitive decision, with potentially damaging ramifications, should have been put in the hands of ministers,” it said.

The main issue identified in the report was the lack of a formal practice for CNI procurement and no rules insisting companies which owned CNI assets needed to gain approval before signing contracts with other suppliers – be they at home or abroad.

“This is far too haphazard an approach, given what is at stake,” the report continued. “It means that the government may not be made aware of contracts involving foreign companies from potentially hostile states until they have already been awarded,” as indeed was the case with BT and Huawei.  

Even when the company involved, in this case BT, has been open about the deal, there was no system for ensuring government officials took it forward to ministers, and there was even a lack of clarity around which minister would be the most suitable.

“The government’s duty to protect the safety and security of its citizens should not be compromised by fears of financial consequences” – Foreign involvement in the Critical National Infrastructure report, Intelligence and Security Committee

“The government’s duty to protect the safety and security of its citizens should not be compromised by fears of financial consequences, or lack of appropriate protocols,” it said. 

“However, a lack of clarity around procedures, responsibility and powers means that national security issues have risked – and continue to risk – being overlooked.”

Formal process needed

The deal between Huawei and BT may have been struck 10 years ago, but the ISC believes these issues are still apparent now and could lead to future problems if not addressed. As a result, it has called on the National Security Council to get a formal process put in place.

“From the evidence we have taken during this investigation, the procedural steps that we have outlined still do not appear to exist,” the report concluded. “However, we were told the government has now developed a process to assess the risks associated with foreign investment into the UK.

“Whether these processes are sufficiently robust remains to be seen: the steps we have outlined must exist to ensure that the government does not find itself in the same position again.”

But even with all of this debate, reports and processes, nobody seems to have come to a firm conclusion on whether the Huawei equipment is posing a risk to the UK. 

GCHQ has backed BT, saying it had mitigated risk and worked well to manage such an important network. Yet, at the same time, it admitted that with a million lines of code in Huawei products, “it is just impossible to go through that much code and be absolutely confident you have found everything.”

Huawei still in limbo

Huawei remains in limbo, neither innocent nor guilty, but a company to be watched over and "managed" by both BT and various government organisations.

In the words of the ISC report: “There will therefore always be a risk in any telecommunications system worldwide. What is important is how it is managed, or contained.”

Huawei will continue on the charm offensive, contributing funding to the Cyber Security Evaluation Centre, as well as investing £1.2bn into its UK operations.

In a statement it released following the report, it even thanked the UK government for “its ongoing support.”

So there is disappointment for those who hoped the investigation would come to a conclusion as to whether Huawei equipment was safe to use or not. But the changes to the government's process for awarding contracts, following this comedy of errors, may have just as big an impact on the telecommunications industry serving the public sector – both in the UK and abroad.