UK government expands and tightens cybersecurity ban on Huawei

(ATF) Britain has brought forward its deadline for telecom operators to stop using Huawei 5G and broadband equipment. It also announced new powers last week for the Secretary of State to manage national security risks posed by the use of designated vendors’ goods, services and facilities within the UK’s public telecommunications networks.

The changes were included in the Telecommunications (Security) Bill introduced to the UK Parliament last Tuesday (November 24, 2020).

The new draft law pushes forward the deadline to stop the use of Huawei 5G and broadband equipment. Telecom operators are being told to scrap Huawei equipment by next month, instead of the rather relaxed timeframes announced earlier under which operators would have continued using Huawei equipment for months, or years in some cases.

This new instruction calls for Huawei equipment to be stripped from broadband suppliers as well.

The documents specifically mention Huawei, but not other suppliers of similar ilk, such as ZTE.

British Telecom broadband, the UK’s main broadband infrastructure supplier, did not have anyone available for immediate comment, as no-one was available due to Covid-19 restrictions. It is unclear if BT uses any ZTE equipment. New deals have been signed with Nokia and Ericsson for future equipment needs.

The government has developed a draft designated vendor direction and a draft designation notice to illustrate how the powers contained in the new law could be exercised. The draft designation notice is addressed to what is referred to as Huawei or the Huawei Corporate Group. The draft designated vendor direction applies to public communications providers more generally and places controls on their use of Huawei goods, services and facilities.

After enactment of the Bill, the Secretary of State will follow appropriate processes, take account of all relevant considerations, and retain an open mind until he reaches any decision on whether to exercise his powers to issue designation notices or designated vendor directions.

UK expecting more Chinese cyber attacks

According to the draft, Huawei corporate group is headquartered in, and controlled from, China. The government assesses that the Chinese State and associated actors have carried out, and are expected to continue to carry out, cyberattacks against the United Kingdom and the United Kingdom’s interests.

In particular, the Chinese State and its associated actors continue to seek to exploit weaknesses in telecommunications service equipment, and/or in how providers of public electronic communications networks build and operate their networks, in order to compromise their security.

The UK believes Chinese laws, including the National Intelligence Law 2017, permit the Chinese State to require companies based in China and their employees to engage in activities which are harmful to the United Kingdom. The way in which the rules are operated means such companies can be required to direct their subsidiaries to engage in activities which are harmful to the United Kingdom.

Huawei’s employees can also be required to comply with directions issued by the Chinese State without the knowledge of Huawei. These powers give rise to a risk that covert and malicious functionality could be embedded in Huawei’s equipment.

This risk will further increase if the United Kingdom’s dependency on Huawei for the provision of Fibre To The Property (FTTP) networks and Mobile Access (MA) networks increases.

Should the Bill be passed in its current form, the government would intend to take a robust approach to monitoring compliance.

The government would be able to obtain, on a regular basis, information from public telecom providers on their compliance with a designated vendor direction issued to them. For example, such information could be sought from providers annually.

The government would be able to require providers to prepare plans on the steps that they are taking to comply with the requirements in such a direction, and the timing of those steps.

The government will also be able to publish compliance monitoring reports produced by Ofcom.