author photo
By Bruce Sussman
Wed | Jan 29, 2020 | 8:27 AM PST

Huawei is celebrating a UK decision allowing it to participate in the build-out of the UK's 5G network.

But we have to wonder if this is the "victory" Huawei was hoping for.

While the UK's National Cybersecurity Centre (NCSC) gave telecom providers the green light to use Huawei products as they roll out 5G, the NCSC also doubled down on Huawei as a "High Risk Vendor" and issued a long list of caveats around its 5G efforts in the UK.

UK rules and restrictions on Huawei 5G role

Here is a look at the restrictions the British government is placing on Huawei and 5G.

  • UK telecom providers must limit Huawei's equipment to no more than 35% of its 5G hardware, and the equipment must carry no more than 35% of expected user traffic. Says the NCSC:

"...a hard cap of 35% of a network equipment type allows for effective cyber security risk management. This cap properly balances two different security and resilience risks; the first being the risk associated with HRVs [High Risk Vendors], the second being the need for a diversity of supply in the market."

Here are additional Huawei telecom restrictions you can skim over, included for our main cybersecurtiy audience. (The rest of the story continues below). 

  • Huawei equipment should not be used in "IP Core, Security Functions, Operational Support Systems (OSS), Management and Authentication, Authorisation and Audit (AAA) functions, Virtualisation infrastructure (including Network Function Virtualisation Infrastructure (NFVI)), Orchestrator and controller functions (including Management and Network Orchestration (MANO) and Software Defined Networks (SDN) orchestrators/controllers), Network monitoring and optimization, Interconnection equipment, Internet gateway functions, Lawful Intercept related functions."
  • Huawei equipment should also not be used in "5G Core database functions, 5G core-related services including but not limited to Authentication Server Function (AUSF), Access and Mobility Management Function (AMF), Unstructured Data Storage Function (UDSF), Network Exposure Function (NEF), Intermediate NEF (I-NEF), Network Repository Function (NRF), Network Slice Selection Function (NSSF), Policy Control Function (PCF), Session Management Function (SMF), Unified Data Management (UDM), Unified Data Repository (UDR), User Plane Function (UPF), UE radio Capability Management Function (UCMF), Application Function (AF), 5G-Equipment Identity Register (5G-EIR), Network Data Analytics Function (NWDAF), Charging Function (CHF), Service Communication Proxy (SCP), Security Edge Protection Proxy (SEPP), Non-3GPP InterWorking Function (N3IWF), Trusted Non-3GPP Gateway Function (TNGF), Wireline Access Gateway Function (W-AGF), and future 5G core functions as specified by 3GPP TS 23.501."

That's quite a list.

UK National Cybersecurity Centre lists Huawei security concerns

The NCSC guidance also included the following list of concerns about Huawei's cybersecurity and transparency:

a. "Huawei has a significant market share in the UK already, which gives it a strategic significance;"

b. "it is a Chinese company that could, under China's National Intelligence Law of 2017, be ordered to act in a way that is harmful to the UK;"

c. "we assess that the Chinese State (and associated actors) have carried out and will continue to carry out cyber attacks against the UK and our interests;"

d. "our experience has shown that Huawei's cybersecurity and engineering quality is low and its processes opaque. For example, the HCSEC Oversight Board raised significant concerns in 2018 about Huawei's engineering processes. Its 2019 report confirmed that 'no material progress' had been made by Huawei in the remediation of technical issues reported in the 2018 report and highlighted 'further significant technical issues' that had not previously been identified;" 

e. "A large number of Huawei entities are currently included on the US Entity List. Although we do not have knowledge as to whether these entities will remain on the US Entity List, this listing may have a potential impact on the future availability and reliability of Huawei's products."

Huawei responds to UK decision on 5G

Huawei has taken to the airwaves and Twitter to spin the news as a complete win. However, its official statement by Abraham Liu, Huawei Chief Representative to the EU Institutions, is only two paragraphs:

"Huawei welcomes Europe's decision, which enables Huawei to continue participating in Europe's 5G roll-out. This non-biased and fact-based approach towards 5G security allows Europe to have a more secure and faster 5G network.

Huawei has been present in Europe for almost 20 years and has a proven track record with regard to security. We will continue to work with European governments and industry to develop common standards to strengthen the security and reliability of the network."

Can the UK trust Huawei? Can the United States trust Huawei?

Can we trust Huawei? Listen to our podcast interview with Huawei USA's Chief Security Officer Andy Purdy before he spoke at SecureWorld Seattle.

Purdy, by the way, has been labeled a "defender of Huawei," but says he rejects that.

"One frustrating thing is sometimes people hear that I'm a defender of Huawei and they have a tendency not to listen to what I'm actually saying. I would suggest I'm not a defender of Huawei. People say, well, do you trust China? And do you just trust Huawei? I don't trust anybody," Purdy says.

UK critics react to Huawei 5G policy

The Guardian reports that a number of Tories in Parliament are trying to force a vote that would tighten restrictions on Huawei's 5G involvement in the UK.

"Iain Duncan Smith, the former Tory leader, told the BBC's Newsnight: 'We want to see modifications and changes made. We want to see commitment to actually getting Huawei out of the system over a period of time. They've got more to do.'"

And the NCSC officials apparently agree there is more to come on this issue of Huawei and 5G in the UK:

"...we need to manage the presence of HRVs [High Risk Vendors] in the UK's telecommunications infrastructure more formally and actively. NCSC will continue to feed into any future legislative process and advise government on these matters."

For more, read the NCSC advice on the use of equipment from high risk vendors in UK telecom networks.

[RELATED: Huawei 'Goes Off' on Its Accusers]