Greig Paul, University of Strathclyde
The UK’s decision not to ban China’s Huawei from being a supplier for its next-generation mobile network has caused ructions. US politicians are outraged, with Newt Gingrich calling it a “major defeat” for his country. In the UK, there could be a Tory rebellion against forthcoming legislation on the matter.
In truth, the government had little choice. When you look at the background, the decision is at least understandable – and more complex than just a security issue.
Mobile phone networks comprise two parts: the core and the radio access network or RAN. The core handles security-sensitive aspects such as user authentication, routing calls, data and so on. The radio network consists of base stations and other networking equipment across mast sites nationwide.
When a user makes a call or uses the internet, a signal from their phone is picked up by a base station and is passed across the radio network to the core, where it is routed to wherever it is supposed to reach. While your call or data is encrypted, it is decrypted on the base station before being passed on – the base station can therefore see its content.
In the UK, the 5G equipment roll-out is well underway, with more to come. It’s difficult to get figures for the outlay by the four network operators – Vodafone, O2, EE and Three – but the radio network upgrade is certainly most of what is required and is spread throughout the country.
Commercial realities
Huawei has been banned from supplying the network core, but is to be allowed to supply a maximum of 35% of the radio network equipment. Let’s be clear here: the UK operators were lobbying hard for Huawei not to be excluded.
They are all using the Chinese company’s equipment to some extent in the 5G upgrades to their radio networks. Though they are still having to rethink their 5G plans because of the partial ban, they were facing huge costs and delays to rolling out 5G if the equipment had to be removed altogether.
This is partly because today’s 5G equipment piggybacks onto existing 4G base stations, and both the 4G and 5G kit tends to have to be supplied by one vendor. Banning Huawei would therefore mean replacing both 4G and 5G equipment. Vodafone alone said this would cost the company “hundreds of millions” of pounds.
Secondly, there are only three major radio suppliers: Huawei, Ericsson and Nokia (all of which manufacture in China). Excluding Huawei risked exposing operators to duopoly pricing. Partly for this reason, the government commissioned a review of the telecoms supply chain in 2018.
The resulting report last July said the government would develop a new security framework, and consult with industry on the best way forward. It also highlighted the need for more supplier competition, but there seems no easy solution.
The security issue
Without a doubt, the network operators’ commercial interests are potentially at odds with UK security interests over Huawei. People often worry about the threat of “backdoors” in Huawei equipment and software that would allow remote control from outside the UK, but the issue is more systematic security failings in the software that could be remotely exploited.
The 2019 report of the board that oversees the Huawei Cyber Security Evaluation Centre (HCSEC) said much of the software “lacks basic engineering competence” and “significantly increased risk to UK operators”. The board could only give “limited assurance” about managing the risks, and said Huawei’s coding practices make the “job of any code auditor exceptionally hard”. In other words, the verifiers could miss insertions or oversights that might enable security breaches.
Another risk is that equipment suppliers usually have authorised remote access to their hardware to provide support or fulfil a managed services contract, and the equipment needs regular software security updates and bug fixes. Security updates could be vetted by HCSEC, but this would probably be a difficult undertaking to scale. There is also a lot of outsourcing in this sector, including to Huawei, which opens up further potential for security breaches.
The UK National Cyber Security Centre, which advises the government, concedes the risks of admitting Huawei, but thinks they can be made “acceptable” by limiting access. This may be challenging with the changes 5G may bring to mobile networks. For example, connected and driverless vehicles needing to exchange information quickly won’t route all their data traffic via the network core.
Instead, many 5G core functions may take place in the radio network, making it increasingly harder to define Huawei’s permitted area. And with base stations inherently connected to the network core, there is a limit to the isolation which can be put in place anyway.
Risks and rewards
Overall, however, the government seems to have been caught between a rock and a hard place: faced with wounding the UK network operators and slowing the 5G roll-out, it has sought a compromise.
To some extent, this is the consequences of deciding too slowly. Had the UK banned Huawei in 2018 like the US and Australia, the mobile operators’ 5G roll-out plans would have been at an earlier stage. The US also compensated some of its networks for the costs of equipment removal.
The UK government is instead looking to the future. Nicky Morgan, the culture secretary, told the House of Lords on January 28 that the government wants to attract established equipment vendors to the UK who are not already present, to support new disruptive entrants, and reduce barriers to market entry.
On established vendors, she may be referring to companies that make radio network equipment but don’t compete aggressively in this space: Samsung, for example. As for new entrants, there may be a hope of enticing players who supply different types of networks, such as Cisco or Juniper. There is also significant potential to innovate in 5G networks. The UK’s Testbeds and Trials programme is enabling this and will continue to do so.
For the time being, the government can hardly be enjoying the fallout from its decision. To date, much focus has been on the confidentiality of communications over mobile networks, and risks of spying. A bigger issue is the need to keep the mobile phone network running. We are in an era where everything from Uber and Deliveroo to most credit card machines cannot function without it
The nightmare scenario is a hostile state-affiliated actor shutting down or damaging the mobile networks. It may have effectively been impossible for the UK to say no to Huawei, but the current compromise is far from ideal.
Greig Paul, Lead Mobile Networks & Security Engineer, University of Strathclyde
This article is republished from The Conversation under a Creative Commons license. Read the original article.