To ask the Minister of State, Department for Digital, Culture, Media and Sport, what assessment he has made of whether Huawei has the ability to remove malicious code introduced by third-parties.
13 February 2020
The Government has complete confidence in the independent technical assessment of the UK’s security experts. The security analysis conducted by the National Cyber Security Centre underpinned the final conclusions of the Government’s Telecoms Supply Chain Review.
NCSC published a summary of its security analysis which informed the conclusions of the Review. This analysis includes a summary of NCSC’s assessment of the distinction between the ‘core’ and ‘edge’ of the network under section 8.3.1. The analysis states that:
“In 5G networks, core functions can be relocated nearer the ‘edge’ of the network. This has been described as blurring the line between core and edge. This is technically inaccurate as the ‘core’ is defined by a set of functions, standardised within , rather than a location. Consequently, the distinction between the two remains clear, as does the advice above. Our advice remains that HRVs are excluded from performing core functions, and this applies whether these functions are deployed centrally or towards the ‘edge’. Our understanding is that this clarification is unlikely to be consequential in the UK, as we are informed that core functions may run near the edge, but not actually on edge access equipment (such as base stations).”
The summary of NCSC’s security analysis can be found at: https://www.ncsc.gov.uk/report/summary-of-ncsc-security-analysis-for-the-uk-telecoms-sector.
In reaching the final decision on high risk vendors, the UK Government took into consideration the full range of risks, including in relation to malicious code or programming errors.
Huawei’s presence in the UK has been subject to detailed, formal oversight through the Huawei Cyber Security Evaluation Centre (HCSEC), and we remain confident in these arrangements. However the Government recognises that HCSEC alone cannot mitigate all the risks, and that is why the final conclusions of the Telecoms Supply Chain Review - as announced on 28 January - set out the additional controls that should be applied to high risk vendors.