Below is the text of the statement made by Dominic Raab, the Foreign Secretary, in the House of Commons on 28 January 2020.
Mr Speaker, with permission, I would like to repeat the statement by my noble Friend the Secretary of State for Digital, Culture, Media and Sport in the other place on the security of the telecoms supply chain.
This Government are committed to securing nationwide coverage of gigabit-capable broadband by 2025, because we know the benefits that world-class connectivity can bring—from empowering rural businesses to enabling closer relationships for the socially isolated and new possibilities for our manufacturing and transport industries. We are removing the barriers to faster network deployment, and we have committed £5 billion of new public funding to ensure that no area is left behind. It is of course essential that these new networks are secure and resilient; that is why the Government have undertaken a comprehensive review of the supply arrangements for 5G and full-fibre networks.
The telecoms supply chain review laid before this House in July underlined the range and nature of the risks facing our critical digital infrastructure, from espionage and sabotage to destructive cyber-attacks. We have looked at the issue of how to maintain network security and resilience over many months and in great technical detail; we would never take decisions that threaten our national security or the security of our Five Eyes partners.
As a result, the technical and security analysis undertaken by GCHQ’s National Cyber Security Centre is central to the conclusions of the review. Thanks to its analysis we have the most detailed study of what is needed to protect 5G anywhere in the world, and because of the work of the Huawei cyber-security evaluation centre oversight board, established by the NCSC, we know more about Huawei and the risks it poses than any other country in the world.
We are now taking forward the review’s recommendations in three areas. First, in terms of world-leading regulation, we are establishing one of the strongest regimes for telecoms security in the world, a regime that will raise security standards across all the UK’s telecoms operators and the vendors that supply them. At the heart of the new regime, the NCSC’s new telecoms security requirements guidance will provide clarity to industry on what is expected in terms of network security. The TSRs will raise the height of the security bar and set out tough new standards to be met in the design and operation of the UK’s telecoms networks. The Government intend to legislate at the earliest opportunity to introduce a new, comprehensive telecoms security regime to be overseen by the regulator, Ofcom, and Government.
Secondly, the review also underlined the need for the UK to improve its diversity in the supply of equipment to telecoms networks. Currently, the UK faces a choice of only three major players to supply key parts of our telecom networks, and this has implications for the security and resilience of those networks, as well as for future innovation and market capacity. It is a market failure that must be addressed. The Government are developing an ambitious strategy to help diversify the supply chain, and this will entail the deployment of all the tools at the Government’s disposal, including funding. We will do three things simultaneously: we will seek to attract established vendors who are not present in the UK to our country; we will support the emergence of new, disruptive entrants to the supply chain; and we will promote the adoption of open, interoperable standards that will reduce barriers to entry.
The UK’s operators are leading the world in the adoption of new, innovative approaches to expanding the supply chain, and the Government will work with industry to seize these opportunities. We will also partner with like-minded countries to diversify the telecoms market, because it is essential that we are never again in the position of having such limited choices when deploying such important new technologies.
The third area covered by the review was how to treat vendors who pose greater security and resilience risks to UK telecoms, and I know that the House has a particular interest in this area, so I will cover the recommendation in detail. The risks identified may arise from technical deficiencies or considerations relating to the ownership and operating location of the vendor. As hon. Members may recall, the Government informed the House in July that they were not in a position to announce a decision on this aspect of the review. We have now completed our consideration of all the information and analysis from the NCSC, industry and our international partners, and today I am able to announce the final conclusions of the telecoms supply chain review in relation to high-risk vendors.
In order to assess a vendor as high-risk, the review recommends that a set of objective factors are taken into account. These include the strategic position or scale of the vendor in the UK network; the strategic position or scale of the vendor in other telecoms networks, particularly if the vendor is new to the UK market; the quality and transparency of the vendor’s engineering practices and cyber-security controls; the vendor’s resilience both in technical terms but also in relation to the continuity of supply to UK operators; the domestic security laws in the jurisdiction where the vendor is based, and the risk of external direction that conflicts with UK law; the relationship between the vendor and the vendor’s domestic state apparatus; and, finally, the availability of offensive cyber-capability by that domestic state apparatus or associated actors that might be used to target UK interests.
To ensure the security of 5G and full-fibre networks it is both necessary and proportionate to place tight restrictions on the presence of any companies identified as high-risk. The debate is not just about the core and the edge of networks, nor is it just about trusted and untrusted vendors. The threats to our networks are many and varied, whether from cyber-criminals or state-sponsored, malicious cyber-activity. The most serious recent attack on UK telecoms has come from Russia, and there is no Russian equipment in our networks. The reality is that these are highly complicated networks, relying on global supply chains where some limited measure of vulnerability is almost inevitable. The critical security question is how to mitigate such vulnerabilities and stop them damaging the British people and our economy.
For 5G and full-fibre networks, the review concluded that, based on the current position of the UK market, high-risk vendors should be excluded from all safety- related and safety-critical networks in critical national infrastructure; excluded from security-critical network functions; limited to a minority presence in other network functions up to a cap of 35%; and subjected to tight restrictions, including exclusions from sensitive geographic locations. These new controls are also contingent on an NCSC-approved risk mitigation strategy for any operator who uses such a vendor.
We will legislate at the earliest opportunity to limit and control the presence of high-risk vendors in the UK network, and to allow us to respond as technology changes. Over time, our intention is for the market share of high-risk vendors to reduce as market diversification takes place, and I want to be clear that nothing in the review affects this country’s ability to share highly sensitive intelligence data over highly secure networks, both within the UK and with our partners, including the Five Eyes. GCHQ has categorically confirmed that how we construct our 5G and full-fibre public telecoms networks has nothing to do with how we share classified data, and the UK’s technical security experts have agreed that the new controls on high-risk vendors are completely consistent with the UK’s security needs.
In response to the review’s conclusions on high-risk vendors, the Government have asked the NCSC to produce guidance for industry. This guidance was published earlier today on its website. The NCSC has helped operators manage the use of vendors that pose a greater national security risk, such as Huawei and ZTE, for many years. This new guidance will include how it determines whether a vendor is high-risk, the precise restrictions it advises should be applied to high-risk vendors in the UK’s 5G and full-fibre networks, and what mitigation measures operators should take if using high-risk vendors.
As with other advice from the NCSC on cyber-security matters, this advice will be in the form of guidance. The Government expect UK telecoms operators to give due consideration to this advice, as they do with all their interactions with the NCSC. I hope the whole House will agree that if we are to achieve our digital connectivity ambitions, it is imperative that we can trust the safety and security of our telecoms networks. Risk cannot be eliminated in telecoms, but it is the job of Government, Ofcom and industry to work together to ensure that we reduce our vulnerabilities and mitigate the risks.
The Government’s position on high-risk vendors marks a major change in the UK’s approach, and when taken together with the tough new security standards that will apply to operators, this approach will substantially improve the security and resilience of the UK’s telecoms networks, which are a critical part of our national infrastructure. It reflects the maturity of the UK’s market and our world-leading cyber-security expertise, and follows a rigorous and evidenced-based review. It is the right decision for the UK’s specific circumstances.
The future of our digital economy depends on having trust in its safety and security, and if we are to encourage the take-up of new technologies that will transform our lives for the better, we need to have the right measures in place. That is what this new framework will deliver, and I commend this statement to the House.