The UK government ruled Tuesday that Chinese telecom giant Huawei won’t be banned outright from selling equipment for mobile 5G networks there, though it will face severe limits. The European Union issued similar guidance Wednesday. The question is: Will the restrictions provide the security protections that policymakers want?
The decision is the latest in a series of partial successes for Huawei in the face of ever-increasing pressure from the US government to block the company from mobile networks around the world. Washington effectively bans carriers from using the company’s equipment in US networks and has long warned that Huawei could build backdoors into its products that could be accessed by the Chinese government, something the company denies it has done or would do.
The UK’s move could put Downing Street at odds with the US. Earlier this month, Senator Tom Cotton (R-Arkansas) introduced a bill that would ban the US from sharing intelligence with countries that allow Huawei gear in their 5G networks. But like Germany and many other countries, the UK is reluctant to jettison Huawei, which has a reputation for making reliable equipment that costs much less than its competitors’ products. The UK is essentially trying to have it both ways, by allowing carriers to use some Huawei equipment without granting the company full access to its networks.
The UK said it will ban “high risk vendors” from "core" 5G and gigabit fiber network infrastructure, including security systems and authentication features. Equipment will only be permitted in the "periphery" of the network, meaning components such as antennas. Carriers won't be able to use any equipment from high risk vendors at locations such as nuclear sites and military bases or in safety-related infrastructure. And at most only 35 percent of 5G or gigabit network traffic will be allowed to pass through equipment made by high risk vendors, and only 35 percent of cellular base stations can include equipment from those vendors.
"The government is certain that these measures, taken together, will allow us to mitigate the potential risk posed by the supply chain and to combat the range of threats, whether cyber criminals, or state sponsored attacks," the announcement from the UK Department of Culture says.
Tuesday’s announcement didn’t identify Huawei by name. However, supplementary guidance published by the UK National Cyber Security Centre singles out the company as a high risk vendor.
The EU likewise encourages member nations to limit reliance on any one telecom equipment vendor, and to restrict risky vendors from the core network functions. The guidance did not single out Huawei or any other company and encouraged members to make their own risk assessments.
Security experts say that though the measures could help reduce some of the risks Huawei allegedly poses, in practice it will be hard to separate “core” equipment from gear considered “periphery” on a 5G network.
Jimmy Jones, a telecommunications security expert at Positive Technologies, says the line between core network functions and the periphery is blurring as all components become more software-driven. As a result, even the simplest gear can be vulnerable to hacking. Or as UC Berkeley security researcher Nicholas Weaver puts it: "5G 'antennas' aren't simply wires, but complex computers in their own right doing a lot of signal processing."
Experts also questioned whether the 35 percent limit on equipment from high risk vendors would be enough to safeguard the network from a malicious actor. "This decision limits some risk of collection at national scale, but wouldn’t mitigate the risk of more targeted forms of surveillance," says Ryan Kalember of security company Proofpoint.
Even if a vendor can only access 35 percent of the data passing through a network, it could still conduct sophisticated surveillance on a network's users, warns Sam Curry, a chief security officer at information security company Cybereason. Because people will move around and use multiple different cell stations, it's possible to glean quite a bit of information about their relationships and activities with only part of their data. Still, carriers may want to buy all the components for their 5G networks from a single supplier instead of splitting purchases of core and peripheral equipment. That would make it harder for any vendor deemed a high risk to attain a 35 percent presence in the UK's peripheral networks.
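The point Curry makes above, that a 35 percent share of base stations is not the same as seeing 35 percent of subscribers, can be quantified with a simple exposure model. The following is an added illustration written for this page, not code from the article or from any of the organisations quoted; it assumes a toy network in which high-risk-vendor stations are assigned at random, subscribers attach to stations uniformly and independently, and every attachment to a high-risk station counts as an observation. All inputs are constructed.

```python
"""Exposure model for a per-station cap on high-risk vendor equipment.

Assumptions (not from the article): stations are chosen at random to be
high-risk, each attachment picks a station uniformly at random, and any
attachment to a high-risk station exposes that subscriber's traffic.
"""
import random


def prob_seen_at_least_once(high_risk_share: float, attachments: int) -> float:
    """Closed form: P(subscriber crosses at least one high-risk station).

    Each attachment independently lands on a high-risk station with
    probability `high_risk_share`, so the subscriber is unobserved only if
    every one of `attachments` attachments misses.
    """
    return 1.0 - (1.0 - high_risk_share) ** attachments


def simulate_exposure(num_stations: int = 1000, high_risk_share: float = 0.35,
                      subscribers: int = 5000, attachments_per_day: int = 6,
                      seed: int = 1) -> dict:
    """Monte Carlo version of the same model on a constructed network.

    Returns the share of *attachments* that hit high-risk equipment (the
    quantity the cap bounds) next to the share of *subscribers* observed at
    least once in a day (the quantity that matters for targeted surveillance).
    """
    rng = random.Random(seed)
    high_risk = set(rng.sample(range(num_stations), int(num_stations * high_risk_share)))

    risky_attachments = 0
    total_attachments = 0
    subscribers_seen = 0
    for _ in range(subscribers):
        # One day of movement: each attachment is an independent random station.
        path = [rng.randrange(num_stations) for _ in range(attachments_per_day)]
        hits = sum(1 for station in path if station in high_risk)
        risky_attachments += hits
        total_attachments += len(path)
        if hits:
            subscribers_seen += 1

    return {
        "share_of_attachments_on_high_risk": risky_attachments / total_attachments,
        "share_of_subscribers_seen": subscribers_seen / subscribers,
        "closed_form_subscribers_seen": prob_seen_at_least_once(high_risk_share,
                                                                attachments_per_day),
    }


if __name__ == "__main__":
    result = simulate_exposure()
    for key, value in result.items():
        print(f"{key}: {value:.3f}")
```

With the defaults, roughly a third of attachments touch high-risk equipment, as the cap intends, yet around nine in ten subscribers are seen at least once over six attachments. The closed form shows why: the miss probability shrinks geometrically with each additional station a subscriber touches, so a per-station cap bounds aggregate collection far better than it bounds coverage of any individual. Real mobility is not uniform, which is an argument for running the model with the carrier's own attachment data rather than against the conclusion.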
Huawei has long sought to defuse concerns by allowing the National Cyber Security Centre to audit the source code of its software. But that has limits. Last year the agency released a report warning of serious security flaws in Huawei's software. The report blamed shoddy engineering, not malice, for the issues. But critics warn that a vendor could disguise an intentional backdoor as a coding error. They also fear that Huawei could disclose security flaws to the Chinese government before fixing them or disclosing them to carriers, enabling the government to exploit those flaws before they're fixed.
The problem is made all the more complex because each software update could introduce new problems. Banning a vendor from doing updates isn't a viable solution either. Software bugs are inevitable and they need to be fixed.
Updated, 1-29-20, 1:15pm ET: This article has been updated to include reference to the European Union guidance.