Huawei? Indeed, who are they? Well, ask no longer. The UK Government has published a paper on Huawei and the Critical National Infrastructure. The Intelligence and Security Committee have released a redacted paper explaining why they don’t like Huawei.
They say they are “shocked that officials chose not to inform, let alone consult, Ministers on such an issue”
- The Government’s duty to protect the safety and security of its citizens should not be compromised by fears of financial consequences, or lack of appropriate protocols. However, a lack of clarity around procedures, responsibility and powers means that national security issues have risked, and continue to risk, being overlooked.
- • The BT/Huawei relationship began nearly ten years ago; the process for considering national security issues at that time was insufficiently robust. The Committee was shocked that officials chose not to inform, let alone consult, Ministers on such an issue. We are not convinced that there has been any improvement since then in terms of an effective procedure for considering foreign investment in the CNI. The difficulty of balancing economic competitiveness and national security seems to have resulted in stalemate. Given what is at stake, that is unacceptable.
- – The National Security Council should ensure that there are effective procedures and powers in place, and clear lines of responsibility when it comes to investment in the CNI. Crucially, the Government must be clear about the sequence of events that led to Ministers being unsighted on an issue of national importance, and take immediate action to ensure that this cannot happen again.
- • ***. REDACTED !!
- • While we note GCHQ’s confidence in BT’s management of its network, the software that is embedded in telecommunications equipment consists of “over a million lines of code” and GCHQ has been clear from the outset that “it is just impossible to go through that much code and be absolutely confident you have found everything”.54 There will therefore always be a risk in any telecommunications system, worldwide. What is important is how it is managed, or contained.
- • The UK Government has been able to leverage Huawei’sreputational concerns to encourage it to invest in the Cyber Security Evaluation Centre (the Cell) and become more transparent about its equipment and business practices. This is a significant achievement. However, we question why the Cell is only now approaching full functionality, over seven years after the BT contract was awarded.
- – Given these delays and the lack of evidence so far that it will be able to provide the level of security assurance required, we recommend that the National Security Adviser conducts a substantive review of the effectiveness of the Cell as a matter of urgency.More fundamentally, while we recognise that the Government does not expect the Cell to find every vulnerability, and that there are other mitigations in place, we remain concerned that a Huawei-run Cell is responsible for providing assurance about the security of Huawei products. Before seeking clarification, we assumed that Huawei funded the Cell but that it was run by GCHQ.
- – A self-policing arrangement is highly unlikely either to provide, or to be seen to be providing, the required levels of security assurance. We therefore strongly recommend that the staff in the Cell are GCHQ employees. We believe that such a change is not only in both Huawei’s and Government’s interests, but that it is in the national interest.
- – We note that GCHQ considers that there are advantages to the staff of the Cell being employed by Huawei. On the evidence that we have seen thus far we have not found this argument to be compelling. If, after further work is done to explore this issue, there are found to be insuperable obstacles to the Cell being staffed by GCHQ employees, then as an absolute minimum:
- o GCHQ must have greater oversight of the Cell and be formally tasked to provide assurance, validation and audit of its work; and
- o Government must be involved in the selection of its staff, to ensure continued confidence in the Cell.
- • While we have considered the risks around the telecommunications infrastructure, the same issues apply to any aspect of the UK’s CNI. Where there is a privately owned company answerable to shareholders, many of whom may be based abroad, there will almost inevitably be a tension with national security concerns.
- • It is not practicable to seek to constrain CNI companies to UK suppliers, nor would that necessarily provide full protection given the global nature of supply chains. The risk to the CNI cannot be eliminated, but Government must ensure that it is managed properly. There must be:
- – an effective process by which Government is alerted to potential foreign investment in the CNI;
- – an established procedure for assessing the risks;
- – a process for developing a strategy to manage these risks throughout the lifetime of the contract and beyond;
- – clarity as to what powers Government has or needs to have; and
- – clear lines of responsibility and accountability.
- When it comes to the UK’s Critical National Infrastructure, Ministers must be kept informed at all stages.
- • We do not believe that these crucial requirements existed when BT and Huawei first began their commercial relationship. From the evidence we have taken during this investigation, the procedural steps that we have outlined still do not appear to exist. However, as we went to press, we were told that the Government has now developed a process to assess the risks associated with foreign investment into the UK. Whether these processes are sufficiently robust remains to be seen: the steps we have outlined must exist to ensure that Government does not find itself in the same position again.
Cached copy here