China’s Huawei and the UK’s critical national infrastructure

While governments in the USA and Australia are reluctant to allow Chinese telecoms giant Huawei to supply equipment into their infrastructures, the UK has been doing so for around eight years. Now the Intelligence and Security Committee, chaired by Sir Malcolm Rifkind, has published a report critical not so much of Huawei itself, but of the process that allowed BT to buy and use Huawei equipment with insufficient political oversight. The reality is that rather than prevent Huawei, it would now be almost impossible to extract Huawei.

The main criticism seems to be that Parliament was not made sufficiently aware that there might be security concerns. In January 2006, notes the report, “The Intelligence and Security Co-ordinator wrote to the Home Secretary to seek agreement to assist BT (at its request) to monitor Huawei’s work. This was the first time that Ministers were made aware of the security concerns (three years after officials were first notified).”

As concerns increased over the years, the UK government suggested to Huawei that a Cyber Security Evaluation Centre should be established. Commonly called ‘The Cell’, this is now in Banbury. Its purpose is to evaluate the security of Huawei equipment and software, and it is the only location in the world that houses Huawei’s source code outside of China. The problem for the Committee, however, is that although it reports to the UK, it is funded by Huawei – the staff evaluating Huawei security are technically Huawei employees. “While we recognise that there are some benefits associated with the current staffing arrangements for the Cell,” says the report, “these do not, in our opinion, outweigh the risks of Huawei effectively policing themselves.”

The main problem for the UK is that it does not have an indigenous Cisco or Huawei. Since it must import, there are strong economic imperatives to get the best possible deal – especially if it can include inward investment. "It is a personal priority of mine to increase trade links between the UK and China, and I cannot emphasize enough that the UK is open to Chinese investment," said Finance Minister George Osborne (reported by Reuters).

This leaves the country with a difficult balancing act. Since there is no actual evidence against Huawei, the government must be seen to be protecting the nation’s security while simultaneously maintaining good trade relations. Economists will stress the economic advantages of good trade relations, while security people will stress the dangers. “The fact is that, regardless of where equipment is developed and produced, if it’s to be integrated with our most critical infrastructure we need to be 100% certain that it’s trustworthy,” comments Chris McIntosh, CEO of ViaSat UK (and an ex-Lieutenant Colonel in the Royal Signals). “It shouldn’t matter whether equipment comes from the Americas, Europe, Asia or Africa: what matters is that we have full visibility and control over its integration and can trust the workings of every last item. There is simply no excuse for complacency.”

Adrian Culley, a consultant with Damballa (and a former Scotland Yard detective) wonders whether the Cell provides any real value in this debate. It is questionable, he suggests, “that the Cell that is investigating Huawei’s kit, which is run by Huawei employees, will add any value at all and give us a better insight into what’s going on there.” His real concern, however, is wider: “Given China and the USA's mutual global reach and role in technology matters, we may have been in danger of sleepwalking into Cyber Cold War.”

What’s hot on Infosecurity Magazine?