United Kingdom authorities said today they will allow communications service providers to use in their networks a limited amount of equipment made by “high risk vendors,” and impose restrictions on more extensive use of equipment from those firms.
The vendors were not named in the U.K. decision, but would undoubtedly include China-based firms that the U.S. says pose an unacceptable risk of engaging in spying activities on behalf of the Chinese government.
In a decision issued Jan. 28, the government said its restrictions will exclude those high-risk vendors from “sensitive ‘core’ parts of 5G and gigabit-capable networks,” and impose a 35 percent cap on high-risk vendor access to non-sensitive parts of networks.
The U.K. government decision wraps up its Telecoms Supply Chain Review, and the government said it will next seek “to legislate at the earliest opportunity” to put powers in place to implement the decision. The government said the decision “marks a change in the U.K.’s approach that will substantially improve the security and resilience of our critical telecoms networks.”
High-risk vendors are not specified by name in the government’s decision, but instead their attributes are described in such a way that would very likely match up with China-based equipment makers Huawei and ZTE, among others.
Those firms in particular have drawn strong suspicion from the U.S. government, which asserts that they have uncomfortably close ties to the Chinese government, and thus the use of their equipment poses unacceptable security risks to U.S. national security, and to worldwide information networks.
U.S. officials have been lobbying Western countries – and none less hard than the U.K. – to accept that strict view on Huawei and other Chinese firms, and today’s decision marks a notable defeat in that campaign.
While the U.S. State Department was quiet today about the U.K. decision, U.S. Secretary of State Mike Pompeo said in a social media post earlier this week, “The UK has a momentous decision ahead on 5G.” He continued, “British MP Tom Tugendhat gets it right: ‘The truth is that only nations able to protect their data will be sovereign.’”
Mark Lyall Grant, a former U.K. ambassador to the United Nations and National Security Adviser in the U.K. government, called the decision on high-risk vendors “sensible” and “evidence-based.” He predicted that it “will not affect key UK/US intelligence/security relationship.”
Recent historical context also helps explain the U.K. government’s decision. Huawei already has a sizeable market share among U.K.-based service providers, and for several years has been running at its own expense the Huawei Cyber Security Evaluation Centre (HCSEC) in Oxfordshire that allows U.K. authorities to inspect the company’s technologies for security concerns. The HCSEC Oversight Board is chaired by the CEO of the U.K. government’s National Cyber Security Centre.
Among the conclusions in the Oversight Board’s latest annual report in 2019: “The Oversight Board continues to be able to provide only limited assurance that the long-term security risks can be managed in the Huawei equipment currently deployed in the UK.”