Foreign Secretary's statement on Huawei
Foreign Secretary Dominic Raab gave a statement in the House of Commons on UK telecommunications and the government's position on high risk vendors.
Mr Speaker, with permission I would like to repeat a statement that my noble Friend the Secretary of State for Digital, Culture, Media and Sport in the other place on the security of the telecoms supply chain.
This government is committed to securing nationwide coverage of gigabit-capable broadband by 2025 because we know the benefits that world-class connectivity can bring. From empowering rural businesses, to enabling closer relationships for the socially isolated, to the new possibilities for our manufacturing and transport industries.
We are removing the barriers to faster network deployment and have committed £5 billion of new public funding to ensure no area is left behind.
It is, of course, essential that these new networks are secure and resilient. That is why the government has undertaken a comprehensive review of the supply arrangements for 5G and full fibre networks.
The Telecoms Supply Chain Review, laid before this House in July, underlined the range and nature of the risks facing our critical digital infrastructure – from espionage and sabotage to destructive cyber-attacks.
We have looked at the issue of how to maintain network security and resilience over many months and in great technical detail. We would never take decisions that threaten our national security or the security of our Five Eyes partners.
As a result, the technical and security analysis undertaken by GCHQ’s National Cyber Security Centre is central to the conclusions of the Review. Thanks to their analysis we have the most detailed study of what is needed to protect 5G, anywhere in the world.
And it is also because of the work of the Huawei Cyber Security Evaluation Centre Oversight Board, established by NCSC, that we know more about Huawei, and the risks it poses, than any other country in the world.
We are now taking forward the Review’s recommendations in 3 areas.
First, world leading regulation. We are establishing one of the strongest regimes for telecoms security in the world – a regime that will raise security standards across the all the UK’s telecoms operators and the vendors that supply to them.
At the heart of the new regime, the NCSC’s new Telecoms Security Requirements guidance will provide clarity to industry on what is expected in terms of network security. The TSRs will raise the height of the security bar and set out tough new standards to be met in the design and operation of the UK’s telecoms networks.
The government intends to legislate at the earliest opportunity to introduce a new comprehensive telecoms security regime – to be overseen by the regulator, Ofcom, and government.
Second, the Review also underlined the need for the UK to improve diversity in the supply of equipment to telecoms networks.
Currently, the UK faces a choice of only 3 major players to supply key parts of our telecoms networks. This has implications for the security and resilience of these networks, as well as for future innovation and market capacity. It is a ‘market failure’ that must be addressed.
The government is developing an ambitious strategy to help diversify the supply chain. This will entail the deployment of all the tools at the government’s disposal, including funding.
We will do 3 things simultaneously:
-
we will seek to attract established vendors who are not present in the UK, to our country
-
we will support the emergence of new, disruptive entrants to the supply chain
-
and we will promote the adoption of open, interoperable standards that will reduce barriers to entry
The UK’s operators are leading the world in the adoption of new, innovative approaches to expand the supply chain.
The government will work with industry to seize these opportunities. And we will also partner with like-minded countries to diversify the telecoms market. Because it is essential that we are never again in a position of having such limited choices when deploying such important new technologies.
The third area covered by the Review was how to treat those vendors which pose greater security and resilience risks to UK telecoms. And I know the House has a particular interest in this area, so I will cover this recommendation in detail.
Those risks may arise from technical deficiencies or considerations relating to the ownership and operating location of the vendor.
As honourable members, the government informed this House in July that it was not in a position to announce a decision on this aspect of the Review.
We have now completed our consideration of all the information and analysis – from the National Cyber Security Centre, industry and from our international partners.
And today, I am able to announce the final conclusions of the Telecoms Supply Chain Review in relation to high risk vendors.
In order to assess a vendor as high risk, the Review recommends a set of objective factors are taken into account. These include:
-
the strategic position or scale of the vendor in the UK network
-
the strategic position or scale of the vendor in other telecoms networks, particularly if the vendor is new to the UK market
-
the quality and transparency of the vendor’s engineering practices and cyber security controls
-
the vendor’s resilience both in technical terms and in relation to the continuity of supply to UK operators
-
the vendor’s domestic security laws in the jurisdiction where the vendor is based and the risk of external direction that conflicts with UK law
-
the relationship between the vendor and the vendor’s domestic state apparatus
-
and finally, the availability of offensive cyber capability by that domestic state apparatus, or associated actors, that might be used to target UK interests
To ensure the security of 5G and full fibre networks, it is both necessary and proportionate to place tight restrictions on the presence of any companies identified as high risk.
The debate is not just about ‘the core’ and ‘the edge’ of networks. Nor is it just about trusted and untrusted vendors.
The threats to our networks are many and varied, whether from cyber criminals or state sponsored malicious cyber activity. The most serious recent attack on UK telecoms has come from Russia, and there is no Russian equipment in our networks.
The reality is that these are highly complicated networks relying on global supply chains, where some limited measure of vulnerability is almost inevitable.
The critical security question is: how to mitigate such vulnerabilities and stop them damaging the British people and our economy?
For 5G and full fibre networks, the Review concluded that, based on the current position of the UK market, high risk vendors should be:
-
first of all, excluded from all safety related and safety critical networks in Critical National Infrastructure
-
secondly, excluded from security critical network functions
-
and thirdly, limited to a minority presence in other network functions up to a cap of 35%.
And be subjected to tight restrictions, including exclusions from sensitive geographic locations.
These new controls are also contingent on an NCSC-approved risk mitigation strategy for any operator who uses such a vendor.
We will legislate at the earliest opportunity to limit and control the presence of high risk vendors in the UK network, and to allow us to respond as technology changes.
Over time, our intention is for the market share of high risk vendors to reduce as market diversification takes place.
And I want to be clear that nothing in the Review affects this country’s ability to share highly sensitive intelligence data over highly secure networks, both within the UK and with our partners, including the Five Eyes.
GCHQ have categorically confirmed that how we construct our 5G and full fibre public telecoms network has nothing to do with how we share classified data. And the UK’s technical security experts have agreed that the new controls on high risk vendors are completely consistent with the UK’s security needs.
In response to the Review’s conclusions on high risk vendors, the government has asked NCSC to produce guidance for industry. This guidance was published earlier today on their website.
The NCSC has helped operators manage the use of vendors that pose a greater national security risk, such as Huawei and ZTE, for many years.
This new guidance will include how it determines whether a vendor is high risk. The precise restrictions it advises should be applied to high risk vendors in the UK’s 5G and full fibre networks. And what mitigation measures operators should take if using high risk vendors.
As with other advice from the NCSC on cyber security matters, this advice will be in the form of guidance. The UK expects UK telecoms operators to give due consideration to this advice, as they do with all their interactions with the NCSC.
I hope the whole House will agree that if we are to achieve our digital connectivity ambitions, it is absolutely imperative that we trust the safety and security of our telecom networks.
Risk cannot be eliminated in telecoms. But it is the job of government, Ofcom and industry to work together to ensure we reduce our vulnerabilities and mitigate those risks.
This government’s position on high risk vendors marks a major change in the UK’s approach. When taken together with the tough new security standards that will apply to operators, this approach will substantially improve the security and the resilience of the UK’s telecoms networks, which are a critical part of our national infrastructure. It reflects the maturity of the UK’s market and our world-leading cyber security expertise, and it follows a rigorous and evidenced-based review. It is the right decision for the UK’s specific circumstances.
The future of our digital economy depends on having that trust in safety and security. And if we are to encourage the take-up of new technologies that will transform our lives for the better then we need to have the right measures in place. That is what this new framework will deliver and I commend this statement to the House.