These pages are being tested. Go to standard HTML
This is a House of Commons Committee report with recommendations to the Government. The Government has two months to respond.
Date Published: 13 August 2020
5G will transform lives of many in the UK and across the world by facilitating the Internet of Things. This is a positive development and will bring with it numerous economic and social advances. We share the Government’s objective that the UK remains at the forefront of the 5G rollout as we move into the next technological era. However, 5G will increase our reliance on mobile connectivity, and this represents a security risk whether from ‘espionage, sabotage or system failure’. Many more items will be connected to the Internet through 5G meaning a greater surface for illicit actions which represents a risk to individuals as well as to defence and government.
Our inquiry into the security of 5G was launched in the context of a lively debate on the security of the UK’s 5G network in Parliament and across the country from late 2019 and through 2020 with a focus on the presence in our network of high-risk vendors, particularly Huawei. A significant Government announcement took place in January with restrictions placed on high-risk vendors followed by stricter rules announced in July, with Huawei to be removed from the UK’s 5G network by 2027.
During our study we found that the UK, and its allies, face many malicious cyber-attacks both from rogue individuals and state-sponsored attacks from states such as Russia and China. These attacks are diverse in their nature and in their aims, with some attacks aiming to steal individual data and state secrets whilst others seek to bring down the network in its entirety. These attacks impact our 5G networks as well as more widely in the cyber sphere. It is important that the Government calls out cyber-attacks from adversaries on the international stage and works to find a deterrent to counter them. There is currently a lack of global rules regulating international cyber-attacks and the Government should be working with allies to formulate a system to provide accountability for perpetrators. It should clarify why it is not deploying a cyberattack capability to deter aggressors.
The presence of Huawei equipment in our network increased the risk posed by these attacks and there is no doubt that Huawei’s designation as a high-risk vendor was justified. The Huawei Cyber Security Evaluation Centre consistently reported on its low-quality products and concerning approach to software development, which has resulted in increased risk to UK operators and networks. The presence of Huawei in the UK’s 5G networks posed a significant security risk to individuals and to our Government. We do, however, recognise that, prior to the United States’ sanctions placed on Huawei in May, advice to Government was that the presence of Huawei in the UK’s networks was a manageable risk. We know that the UK has one of the most active and effective cyber-security regimes in the world, and, from our public and private conversations with Government, we were confident that GCHQ and the NCSC were able to appropriately manage any increased risk posed by the presence of Huawei or other high-risk vendors in the UK’s 5G. Furthermore, we recognised that whilst the risk remained manageable, it was important to remember the benefits in having a greater number of vendors involved in 5G network provision, despite Huawei’s designation as high-risk, as this improves overall network resilience should a single vendor fail. Therefore prior to the US sanctions announced in May, the risk of Huawei products remaining in the UK’s 5G networks was, according to the Government, significant but manageable through monitoring and regulation. The situation changed when Huawei was deprived of reliable chip manufacturing capabilities and following these sanctions, it became much more difficult to guarantee and measure the quality of Huawei products. In principle, the Government has therefore made the correct technical decision to ban the purchase and presence of Huawei products in the future.
Some have contended that Huawei’s presence in 5G poses risks to our national security sites and sensitive communications, however we are content that Huawei has been, and continues to be, sufficiently distanced from sensitive defence and national security sites. The Defence Secretary has informed us that no Huawei 5G equipment is present on the defence estate and that sensitive communications are safe from compromise. Huawei’s continued presence in commercial 5G networks therefore does not impact on our ability to share sensitive information with partners.
We recognise that the Government has had to balance its own technical considerations with pressures from allies such as the United States and Australia. Our closest allies within Five Eyes originally embarked on a policy at odds with the UK’s and this had the potential to damage the UK’s close intelligence, security and defence relationship with them, although reassurances have been given by Ministers that this was not the case. The framing of the issue by the United States as a technical concern about the presence of Huawei in our networks has generated disagreement between the two Governments, given the contrasting conclusions of technical experts on either side of the Atlantic. Whilst the Government decision was ultimately taken because of the technical considerations resulting from the US sanctions the Government should have considered the potential damage to key alliances enough of a risk to begin to remove Huawei from the UK’s 5G network before the US sanctions were imposed.
A further geopolitical consideration our inquiry highlighted was Huawei’s relationship with the Chinese state. It is clearly strongly linked to the Chinese state and the Chinese Communist Party, despite its statements to the contrary, as evidenced by its ownership model and the subsidies it has received. Additionally, Huawei’s apparent willingness to support China’s intelligence agencies and China’s 2017 National Intelligence Law are further cause for concern. Having a company so closely tied to a state and political organisation sometimes at odds with UK interests should be a point of concern and the decision to remove Huawei from our networks is further supported by these links. Concern about Huawei is based on clear evidence of collusion between the company and the Chinese Communist Party apparatus, and it is important that the West does not succumb to ill-informed anti-China hysteria and recognises the mutual benefits of Chinese involvement in our economy. We recommend that the UK, and allies, should ensure that decisions taken around the involvement of Chinese companies are taken in an evidence-based manner, and only when risk is demonstrable should decisions around removal be made.
In the lead up to the decision surrounding Huawei’s removal, pressure had been exerted by the Chinese Government on the UK Government to retain the presence of Huawei in its 5G infrastructure through both covert and overt threats. Following the decision, China has threatened to withdraw from some areas of the UK’s economy, including in critical infrastructure such as nuclear. Whilst ending China’s involvement in the UK’s critical infrastructure would be a radical step with huge implications for the UK’s economy, if threats by the Chinese state continue and worsen, the Government should carefully consider China’s future presence in critical sectors of the economy. We recommend that the Government should make provision in its proposed National Security and Investment Bill to give it the power to intervene and stop investments in critical industries should threats or risks be present.
China dominates the telecommunications industry and it is evident that the UK has a lack of industrial capacity in this sector. This is not unique to the UK and in order to combat China’s dominance, we support the principle of proposals for forming a D10 alliance of democracies to provide alternatives to Chinese technology. Following consultation with allies, the Government should set out exactly what the role of this alliance would be, both regarding 5G and wider security considerations, and seek to make progress as quickly as possible on formulating joint 5G policy.
Following its decision to remove Huawei, the Government has faced pressure to remove it more quickly than by 2027. The evidence we have received, however, would suggest that a quicker timescale could result in signal blackouts, delay the 5G rollout significantly and cost both operators and the economy greatly. Therefore, for the time being, we consider the plan for a removal by 2027 to be a sensible decision. However, should pressure from allies for a speedier removal continue or should China’s threats and global position change so significantly to warrant it, the Government should consider whether a removal by 2025 is feasible and economically viable. Clearly these restrictions will delay the 5G rollout and economically damage the UK and mobile network operators. The Government should take necessary steps to minimise the delay and economic damage and consider providing compensation to operators if the 2027 deadline is moved forward.
The UK vendor market for 5G kit is not diverse enough and even with the inclusion of Huawei the market was “sub-optimal”. The Government’s decision to remove Huawei completely from 5G by 2027 poses a risk that could result in an even less diverse market, which brings security and resilience concerns of its own. The Government should work with mobile network operators to bring in new vendors to the UK, for example Samsung or NEC, as well as encouraging the development of industrial capability in the UK. This will not only improve market diversity but make our networks more resilient and lessen the potential security risks by removing Huawei and therefore leaving the UK reliant on Nokia and Ericsson alone. In addition to this, OpenRAN presents an opportunity to move away from the current consolidated vendor environment to one in which operators no longer have to consider which vendor to source from. The UK Government and mobile service operators should continue investment in OpenRAN technology and work to make the UK a global leader in both technological development and production.
Finally, we found that the current regulatory situation for network security is outdated and unsatisfactory. The planned Telecoms Security Bill is required to bring regulations up to date and allow the Government to compel operators to act in the interests of security. The current situation has led to commercial concerns trumping those of national security, which is unacceptable. The Government should not allow a situation where short-term commercial considerations are placed ahead of those for national security and defence. The Telecoms Security Bill is necessary in order to enhance the Government’s and Government bodies’ regulatory powers and should be introduced before 31 December 2020.