Huawei: MPs air concerns over security risks in code and managed contracts

The risk Huawei poses to the UK's 5G network roll out was raised during a recent Westminster Hall debate

Members of Parliament, who attended the Westminster Hall Debate on the role of Huawei in 5G networks, were told that the government and UK businesses have asked the Chinese network equipment firm to fix engineering problems.

In January, the government gave Huawei the green light to build up to 35% of the country’s new 5G network infrastructure. Many saw this decision as a massive risk to the country’s cyber defences, claiming Huawei has close ties to Chinese national security.

The debate, held on 4 March, gave MPs the opportunity to raise their concerns. While MPs discussed their concerns over Huawei’s involvement in the UK’s 5G roll out, the risks can be summed up succinctly in remarks made by Alex Sobel, Labour MP for Leeds North West, who said: “Giving Huawei 35% of the 5G network and allowing it into our infrastructure sends a message globally that in terms of telecoms security, anything goes in the UK.”

Shadow digital minister Chi Onwurah said: “With network design, cyber security specialists will always tell you to assume breach. But the approach of this government seems to be to design in breach by a foreign power at a time of unprecedented geopolitical tension.

“The government claims to care about political sovereignty – about ‘taking back control’ from foreign powers. It is high time they started caring about technological sovereignty, too.”

Labour MP John Spellar said: “One must ask, ‘Why is the government pursuing this course?’. I ask that because the right honourable gentleman is slightly in danger of accepting the argument that somehow Huawei is light years ahead of other companies in this field.

“It is probably a few months ahead, given the nature of this industry, which is always changing rapidly, and companies such as Ericsson, Nokia and Samsung are clearly developing, too. What those companies really need are orders, which are what Huawei has had from the Chinese government, to pull through their development.”

Commenting on the roll-out of 5G in Japan and South Korea, which is based on Samsung equipment, Iain Duncan Smith, Conservative MP for Chingford and Woodford Green, said: “I have read a note from Samsung declaring that it is completely feasible to do this work without any involvement from Huawei. Indeed, Samsung made very clear its belief that Huawei is a direct threat to our national security because its system is not a trusted one.”

Duncan Smith said that the UK’s reliance on Huawei comes as a result of it having constantly bid well below other market competitors for UK and other business. He claimed that it was able to bid lower than competitors due to Chinese state subsidies.

A recent report estimated that, when including tax breaks, grants and low-cost land acquisitions, the subsidy comes to more than $75bn. “No western company in this sector will be able to compete on those grounds,” Duncan Smith added.

Bugs in code and outsourcing risks

Jeremy Wright, Conservative MP for Kenilworth and Southam, discussed the fact that many equipment providers use Chinese components and factories to build their products.

“If we are worried about China, as it is perfectly right for us to be, it is worth keeping in mind that many of the competitor suppliers referred to in this debate use Chinese components in their equipment, or assemble their equipment in China. It is therefore important to recognise China’s potential to intervene,” he said.

Ruth Edwards, Conservative MP for Rushcliffe, told MPs that there are no trusted suppliers. “Most companies operate a zero-trust policy when it comes to all cyber security vendors. The key point is how we manage that risk,” she said.

She added that security architecture principles are part of every network deployment everywhere, whether it is a telecoms network at national level or a business network at company level.

“More sensitive information and functions with higher risk are treated differently from those with lower risk. A blanket approach of doing away with all higher-risk vendors or technologies would mean that we could not use emerging technologies that offer so much benefit when deployed appropriately,” she said.

Edwards said equipment is monitored throughout its life by the telecommunications providers that use them, and artificial intelligence (AI) is used to identify threats.

“Threat hunting is carried out across the whole network. Technologies are increasingly powered by artificial intelligence to look for anomalies of behaviour both inside the network, in terms of patterns of incoming traffic, and in suspicious outbound traffic. Attempts to sabotage equipment or exfiltrate data at scale will be detected.”

Edwards went on to discuss the fact that the government and many UK customers wanted Huawei to solve “engineering problems”. But she said analysis of source code of any supplier would reveal security issues.

“In security engineering, I am afraid that people make mistakes when it comes to software,” she added.

But there are other risks, such as the risk inherent in equipment service contracts, warned John Nicolson, Scottish National Party MP for Ochil and South Perthshire.

“Equipment providers usually have automated authorised remote access to their hardware to provide support to carry out a managed services contract, with the equipment requiring regular software security updates and bug fixes,” he said.

“There is a lot of outsourcing in the sector, including to Huawei, with further potential for security breaches.”

Differences between core network and 5G

Responding to the questions raised, Mark Warman, Parliamentary under-secretary of the Department for Digital, Culture, Media and Sport, said: “The National Cyber Security Centre [NCSC] has provided expert technical and security advice on 5G.

“They are experts in the technical changes that will take place in the network and in the risks we currently face from the presence of high-risk vendors’ equipment in our networks and those of many of our allies. They are experts in security, including the national security threats that we face today.

“Our unique shared understanding of security threats and risks, together with that of the technical characteristics of the network, means that the NCSC is in the best possible position to advise on the cyber security of the UK’s telecoms national infrastructure.”

Warman quoted a recent blog from the NCSC’s technical director Ian Levy, which described the difference between core networking equipment and the 5G base stations that will need to be located in insecure places, such as on top of a bus stop. The blog post implies that the edge requires a different level of security to the core network.

In the blog, Levy wrote: “If your network design means that you need to run really sensitive functions processing really sensitive data (i.e. core functions) on an edge access device on top of a bus stop, your choice of vendor is the least of your worries and you probably shouldn’t be designing critical national infrastructure.”
