UK Telecommunications | Statement DCMS | House of Lords


Baroness Morgan of Cotes My Lords, with the leave of the House, I will
make a Statement on the security of the telecoms supply chain. This Government are committed to securing
nationwide coverage of gigabit-capable broadband by 2025, because we know the benefits that
world-class connectivity can bring: from empowering rural businesses, to enabling closer relationships
for the socially isolated, to new possibilities for our manufacturing and transport industries.
We are removing the barriers to faster network deployment and have committed £5 billion
of new public funding to ensure that no area is left behind. It is of course essential
that these new networks are secure and resilient, which is why the Government have undertaken
a comprehensive review of the supply arrangements for 5G and full-fibre networks. The telecoms supply chain review—laid in
the other place in July last year—underlined the range and nature of the risks facing our
critical digital infrastructure, from espionage and sabotage to destructive cyberattacks.
We have looked at the issue of how to maintain network security and resilience over many
months and in great technical detail. We would never take decisions that threaten our national
security or the security of our Five Eyes partners. As a result, the technical and security
analysis undertaken by GCHQ’s National Cyber Security Centre is central to the conclusions
of the review. Thanks to its analysis, we have the most detailed study of what is needed
to protect 5G, anywhere in the world. It is also because of the work of the Huawei Cyber
Security Evaluation Centre Oversight Board, established by the NCSC, that we know more
about Huawei and the risks it poses than any other country. We are now taking forward the
review’s recommendations in three areas. First, on world-leading regulation, we are
establishing one of the strongest regimes for telecoms security in the world—a regime
that will raise security standards across the UK’s telecoms operators and the vendors
that supply them. At the heart of the new regime, the NCSC’s new telecoms security
requirements guidance will provide clarity to industry on what is expected in terms of
network security. The TSRs will raise the height of the security bar and set out tough
new standards to be met in the design and operation of the UK’s telecoms networks.
The Government intend to legislate at the earliest opportunity to introduce a new comprehensive
telecoms security regime, to be overseen by the regulator, Ofcom, and government. Secondly, the review also underlined the need
for the UK to improve diversity in the supply of equipment to telecoms networks. Currently,
the UK faces a choice of only three major players to supply key parts of our telecoms
networks. This has implications for the security and resilience of these networks, as well
as for future innovation and market capacity. It is a “market failure” that needs to
be addressed. The Government are developing an ambitious strategy to help diversify that
supply chain. This will entail the deployment of all the tools at the Government’s disposal,
including funding. We will do three things simultaneously: seek
to attract established vendors to our country who are not present in the UK; support the
emergence of new, disruptive entrants to the supply chain; and promote the adoption of
open, interoperable standards that will reduce barriers to entry. The UK’s operators are leading the world
in the adoption of new, innovative approaches to expand the supply chain. The Government
will work with industry to seize these opportunities, and we will partner with like-minded countries
to diversify the telecoms market. It is essential that we are never again in a position of having
limited choices when deploying important new technologies. The third area covered by the review was how
to treat vendors which pose greater security and resilience risks to UK telecoms. As I
know the House has a particular interest in this area, I will cover this recommendation
in detail. Those risks may arise from technical deficiencies or considerations relating to
the ownership and operating location of the vendor. As noble Lords may recall, the Government
informed the other place in July that they were not in a position to announce a decision
on this aspect of the review. We have now completed our consideration of all the information
and analysis from the National Cyber Security Centre, industry and our international partners.
Today, I am able to announce the final conclusions of the telecoms supply chain review in relation
to high-risk vendors. In order to assess a vendor as high risk,
the review recommends that a set of objective factors be taken into account. These include
the strategic position or scale of the vendor in the UK network; the strategic position
or scale of the vendor in other telecoms networks, particularly if the vendor is new to the UK
market; the quality and transparency of the vendor’s engineering practices and cyber
security controls; the vendor’s resilience, both in technical terms and in relation to
the continuity of supply to UK operators; the vendor’s domestic security laws in the
jurisdiction where the vendor is based and the risk of external direction that conflicts
with UK law; the relationship between the vendor and the vendor’s domestic state apparatus;
and, finally, the availability of offensive cyber capability by that domestic state apparatus,
or associated actors, that might be used to target UK interests. To ensure the security of 5G and full-fibre
networks, it is both necessary and proportionate to place tight restrictions on the presence
of any companies identified as higher risk. The debate is not just about “the core”
and “the edge” of networks; neither is it just about trusted and untrusted vendors.
Threats to our networks are many and varied, whether from cyber criminals or state-sponsored
malicious cyber activity. The most serious recent attack on UK telecoms has come from
Russia, and there is no Russian equipment in our networks. The reality is that these are highly complicated
networks relying on global supply chains, where some limited measure of vulnerability
is inevitable. The critical security question is: how to mitigate such vulnerabilities and
stop them damaging the British people and our economy. For 5G and full-fibre networks, the review
concluded that, based on the current position of the UK market, high-risk vendors should
be excluded from all safety-related and safety-critical networks in critical national infrastructure;
excluded from security-critical network functions; limited to a minority presence in other network
functions up to a cap of 35%; and be subjected to tight restrictions, including exclusions
from sensitive geographic locations. These new controls are also contingent on
an NCSC-approved risk mitigation strategy for any operator who uses such a vendor. We
will legislate at the earliest opportunity to limit and control the presence of high-risk
vendors in the UK network and to allow us to respond as technology changes. Over time, our intention is for the market
share of high-risk vendors to reduce as market diversification takes place. I also want to
be clear that nothing in the review affects this country’s ability to share highly sensitive
intelligence data over highly secure networks, both within the UK and with our partners,
including the Five Eyes. GCHQ has categorically confirmed that how we construct our 5G and
full-fibre public telecoms networks has nothing to do with how we share classified data. The
UK’s technical security experts have agreed that the new controls on high-risk vendors
are completely consistent with the UK’s security needs. In response to the review’s conclusions
on high-risk vendors, the Government have asked the NCSC to produce guidance for industry.
This guidance was published earlier today on the NCSC’s website. The NCSC has helped
operators to manage the use of vendors that pose a greater national security risk, such
as Huawei and ZTE, for many years. This new guidance will include how it determines
whether a vendor is high risk, the precise restrictions it advises should be applied
to high-risk vendors in the UK’s 5G and full-fibre networks, and what mitigation measures
operators should take if using high-risk vendors. As with other advice from the NCSC on cybersecurity
matters, this advice will be in the form of guidance. The Government expect UK telecoms
operators to give due consideration to this advice, as they do with all their interactions
with the NCSC. I recognise that noble Lords may wish to pursue
further the technical details of these proposals, not least with my officials and officials
at the National Cyber Security Centre, who will be available to answer questions in Committee
Room 11 from 4.30 pm today. I hope the whole House will agree that if
we are to achieve our digital connectivity ambitions, it is imperative that we trust
the safety and security of our telecoms networks. Risk cannot be eliminated in telecoms, but
it is the job of the Government, Ofcom and industry to work together to ensure that we
reduce our vulnerabilities and mitigate the risks. The Government’s position on high-risk
vendors marks a major change in the UK’s approach. When taken together with the tough
new security standards that will apply to operators, this approach will substantially
improve the security and resilience of the UK’s telecoms networks, which are a critical
part of our national infrastructure. It reflects the maturity of the UK’s market and our
world-leading cybersecurity expertise, and it follows a rigorous and evidenced-based
review. It is the right decision for the UK’s specific circumstances. The future of our digital economy depends
on trust in its safety and security. If we are to encourage the take-up of new technologies
that will transform our lives for the better, we need to have the right measures in place.
That is what this new framework will deliver, and I commend this Statement to the House. Lord Griffiths of Burry Port My Lords, I am grateful to the Minister for
that Statement and for the reassurance given in large measure by what she read to us. Of
course, a number of questions are left open and will emerge. Given the time that was available
to me to read the various pieces of literature, my questions will be bundled out and no doubt
brought into more coherent shape as time passes. I note that we are promised “world-leading”
primary legislation but are not given an exact time. Yesterday, the word was mañana. Today,
in answer to the question of when, the reply is, “at the earliest opportunity.” I am
becoming accustomed to the various euphemisms for mañana that are put forward in government
reports. It will be a new, comprehensive telecoms security regime. I suppose that the various
measures that will be necessary to make sure that we oversee activity in this area will
be set out in detail. It would be reassuring to have “at the earliest opportunity”
unpacked, if that is at all possible, because we are in an area where developments happen
so quickly that the more time that lapses, the more behind the action and the curve we
become. I note that, as the UK’s 4G network relies
on Huawei, achieving zero presence today would be near impossible, so I suppose that a reduction
to 35% is welcome. But will this reduce over time to wean operators off the Chinese provider,
or will 35% be an enduring figure? The NCSC’s security analysis, which again
I read very quickly, concludes that “threat analysis highlights that our telecoms
sector is potentially vulnerable to a range of cyber risks. This analysis is backed up
by evidence generated from security testing of telecoms networks and by security incidents.” In other words, the risks are high—an added
pressure, perhaps, to ensure that not too much time elapses before measures are brought
before us. There is talk of the diversification of vendors
and the categories under which they might be grouped, but there is not much reference
to help us to understand how much home-produced material or producers will come forward. There
are a number of players on the global scene. Is the activity lively in our economy and
will it produce its own home-produced involvements in the provision of these measures? Under the objective factors that help us to
identify high-risk vendors, the claim is that we know more about Huawei and the risks it
poses than any other country, so, whatever investigations have taken place, it puts us
in prime position—according to the claims made here—to know the mind of Huawei, its
activities and all the rest of it. That leads me to ask: if that is the case, how do we
measure Huawei’s performance against its domestic security laws? How did Huawei pass,
given China’s law on compliance with state intelligence services and co-operation with
the police in the mass detention of Uighur Muslims in Xinjiang, for example? In other words, Huawei gets in at 35%. We
welcome that, but suppositions and assumptions are made about Huawei that we still need to
have clarified for us. A lot seems to go by on just remarks, assumptions and general statements.
Attracting established vendors not present in the UK and new disruptive entrants in promoting
open interoperable standards is welcome. But, given the subsidies that Huawei is said to
use to get market access, how do we know whether the subsidies exist and how much they amount
to, and how will new entrants compete tomorrow when they cannot today? Those are just a few
of the questions that occur to me. I should say that one or two of the quotations
I have used in making my remarks are attributable to members of the noble Baroness’s own party—so
these concerns are felt by all of us. So we welcome what is happening today because it
does set a direction of travel—but we travel with a few questions that are still waiting
to be answered.

One comment on “UK Telecommunications | Statement DCMS | House of Lords”

  1. #antimathequaledmath #Oumuamua says:

    You cannot compete with China tomorrow if you dont have 5G. I need to watch Cheers at a bus stop in 4K and I wont be interrupted by lagtime? My fridge can get my grocery list at its leisure, preferrably on 56K as I dont need my fridge to be cobstantly connected anf ordering from Amazon as I do not consume food fro. it at a constsnt rate.

Leave a Reply

Your email address will not be published. Required fields are marked *