“If your network design means that you need to run really sensitive functions processing really sensitive data (i.e. core functions) on an edge access device on top of a bus stop, your choice of vendor is the least of your worries and you probably shouldn’t be designing critical national infrastructure”
Telecommunications companies in the UK may have to start pulling Huawei kit out of their networks under new rules introduced today, which limit the Chinese vendor’s inclusion in infrastructure to 35 percent at most.
In an explanation of the technical advice [pdf] it gave to the British government ahead of its closely watched decision today, the National Cyber Security Centre (NCSC) said telcos should get to work reducing their reliance on Huawei kit “as soon as practical”.
“Operators whose Huawei estates currently exceed the recommended level for an HRV (high-risk vendor) [should reduce this use] to the recommended level as soon as practical. We … consider that it should be possible for all operators to reduce their use of HRVs to the recommended levels within three years.”
“Operators who chose to follow our advice were putting themselves at a commercial disadvantage; that’s unsustainable” – NCSC’s Technical Director
NCSC Technical Director Dr Ian Levy emphasised in a separate blog that “one of the biggest problems” the country has faced in boosting network security is that “telecoms security doesn’t pay. That’s true of the basic network security and business processes that support it. But it’s also true of the enhanced mitigations we ask operators to – voluntarily – do when using a high risk vendor such as Huawei.”
He added: “Operators’ commercial drivers have come into direct conflict with the NCSC’s security advice. Those operators who chose to follow our advice and requests were putting themselves at a commercial disadvantage. That’s unsustainable.”
Formalising the handling of high risk vendors “is very welcome”, he wrote, noting that it “provides clarity for operators and transparency about what we expect for the security of our national networks. Externalising the security costs of particular choices will help operators make better security risk management decisions.”
New Telco Penetration Testing Regime
Among the new elements being rolled out today as part of the decision is a penetration testing regime, TBEST, that will be run by regulator Ofcom.
As Levy notes: “Trusted penetration testers will regularly attack the live networks like a real attacker but in a controlled way, so we don’t accidentally break anything. Testing security controls is important and, while we expect operators to be testing themselves, independent testing is more likely to expose deficiencies or errors. The results of these tests will give operators information to help them better secure their networks.”
Operators should “certainly not assume that all HRVs are Chinese companies”, the NCSC added in its guidance today, while Levy emphasised a broader point: “The underlying problem in all this is that the market is broken.
“Already, we ask all mobile operators to use two vendors in their Radio Access Network (RAN) for resiliency reasons. There are only three scale suppliers of 5G RAN kit that can currently be used in the UK: Nokia, Ericsson and Huawei. That’s crazy…
“We need concerted efforts from governments and industry around the world to ensure we never end up in this position again.”