UK could ‘manage’ Huawei 5G cybersecurity risk

While the US and other countries take steps to ban Huawei’s technology, the UK could take a “risk management” approach.
18 February 2019

Sign of Huawei store. Source: Shutterstock

A UK government agency has said it can manage any cybersecurity risk posed by the use of Huawei products within 5G technology.

Reported by the Financial Times, the as yet unpublished announcement by the National Cyber Security Centre (NCSC)— a government agency that provides computer security advice and support for the public and private sector— suggested it was too complex to simply ban the firm from the UK.

The statement, regarded as a “sensible approach” by cybersecurity experts, follows ongoing concerns in the US and Europe that use of the Chinese firm’s hardware could provide a gateway for Beijing’s tampering in foreign telecommunications networks.

So far, the US, Australia, and New Zealand have made moves to block the use of its technology, despite its potentially significant role as a component in the development of 5G infrastructure.

Security concerns surrounding the firm became focused on the UK earlier this month following Huawei’s failure to address issues raised in a previous investigation by the Huawei Cyber Security Evaluation Centre (HCSEC)— a body made up of government officials and telecoms firms— with the firm’s processes continuing to fall short of “industry good practice”.

UK phone carrier Vodafone paused installation of Huawei hardware within core networks, and BT and EE have indicated they will remove Huawei devices from 3G and 4G networks within two years.

The NCSC’s response suggests a more measured response is up for consideration.

“The NCSC has taken a very sensible approach to this issue, which I think stands in stark contrast to some other countries,” Malcolm Taylor, head of cybersecurity at ITC Secure, told TechHQ. “[…] Huawei makes and sells some of the most technically capable equipment at competitive prices – it’s commercially sensible to use Huawei when appropriate.”

On the other hand, “simply not using” Huawei is risk avoidance, said Taylor, while the approach indicated by the NCSC demonstrates a risk management strategy which, he added, is a tenet of effective cybersecurity where there are “no absolutes”.

The Chinese tech giant has said it is committed to working with governments around the world— it’s pledged to invest US$2 billion into its software engineering to ensure more trusted and reliable products are being developed, as well as the continued sharing of its source code with governments and telcos.

“As was made clear in July’s HCSEC oversight board, the NCSC has concerns around Huawei’s engineering and security capabilities. We have set out the improvements we expect the company to make,” said an NCSC spokesperson.

The latest annual report from HCSEC, if pertaining to the indicated risk management stance, could convince other nations to soften their stance on the Chinese firm. Discussions in Europe last month led to calls from certain states for a “common position” from NATO on Huawei, including the potential banning of its technology from member states.