The UK government ruled Tuesday that Chinese telecom giant Huawei won’t be banned outright from selling equipment for mobile 5G networks there, though it will face severe limits. The question is: Will the restrictions provide the security protections that policymakers want?
The decision is the latest in a series of partial successes for Huawei in the face of ever-increasing pressure from the US government to block the company from mobile networks around the world. Washington effectively bans carriers from using the company’s equipment in US networks and has long warned that Huawei could build backdoors into its products that could be accessed by the Chinese government, something the company denies it has done or would do.
The UK’s move could put Downing Street at odds with the US. Earlier this month, Senator Tom Cotton (R-Arkansas) introduced a bill that would ban the US from sharing intelligence with countries that allow Huawei gear in their 5G networks. But like Germany and many other countries, the UK is reluctant to jettison Huawei, which has a reputation for making reliable equipment that costs much less than its competitors’ products. The UK is essentially trying to have it both ways, by allowing carriers to use some Huawei equipment without granting the company full access to its networks.
The UK said it will ban “high risk vendors” from “core” 5G and gigabit fiber network infrastructure, including security systems and authentication features. Equipment will only be permitted in the “periphery” of the network, meaning components such as antennas. Carriers won’t be able to use any equipment from high risk vendors at locations such as nuclear sites and military bases or in safety-related infrastructure. And at most only 35 percent of 5G or gigabit network traffic will be allowed to pass through equipment made by high risk vendors, and only 35 percent of cellular base stations can include equipment from those vendors.
“The government is certain that these measures, taken together, will allow us to mitigate the potential risk posed by the supply chain and to combat the range of threats, whether cyber criminals, or state sponsored attacks,” the announcement from the UK Department of Culture says.
Tuesday’s announcement didn’t identify Huawei by name. However, supplementary guidance published by the UK National Cyber Security Centre singles out the company as a high risk vendor.
Security experts say that though the measures could help reduce some of the risks Huawei allegedly poses, in practice it will be hard to separate “core” equipment from gear considered “periphery” on a 5G network.
Jimmy Jones, a telecommunications security expert at Positive Technologies, says the line between core network functions and the periphery is blurring as all components become more software-driven. As a result, even the simplest gear can be vulnerable to hacking. Or as UC Berkeley security researcher Nicholas Weaver puts it: “5G ‘antennas’ aren’t simply wires, but complex computers in their own right doing a lot of signal processing.”
Experts also questioned whether the 35 percent limit on equipment from high risk vendors would be enough to safeguard the network from a malicious actor. “This decision limits some risk of collection at national scale, but wouldn’t mitigate the risk of more targeted forms of surveillance,” says Ryan Kalember of security company Proofpoint.
Even if a vendor can only access 35 percent of the data passing through a network, it could still conduct sophisticated surveillance on a network’s users, warns Sam Curry, a chief security officer at information security company Cybereason. Because people will move around and use multiple different cell stations, it’s possible to glean quite a bit of information about their relationships and activities with only part of their data. Still, carriers may want to buy all the components for their 5G networks from a single supplier instead of splitting purchases of core and peripheral equipment. That would make it harder for any vendor deemed a high risk to attain a 35 percent presence in the UK’s peripheral networks.