My Lords, with the leave of the House, I will make a Statement on the security of the telecoms supply chain.
This Government are committed to securing nationwide coverage of gigabit-capable broadband by 2025, because we know the benefits that world-class connectivity can bring: from empowering rural businesses, to enabling closer relationships for the socially isolated, to new possibilities for our manufacturing and transport industries. We are removing the barriers to faster network deployment and have committed £5 billion of new public funding to ensure that no area is left behind. It is of course essential that these new networks are secure and resilient, which is why the Government have undertaken a comprehensive review of the supply arrangements for 5G and full-fibre networks.
The telecoms supply chain review—laid in the other place in July last year—underlined the range and nature of the risks facing our critical digital infrastructure, from espionage and sabotage to destructive cyberattacks. We have looked at the issue of how to maintain network security and resilience over many months and in great technical detail. We would never take decisions that threaten our national security or the security of our Five Eyes partners. As a result, the technical and security analysis undertaken by GCHQ’s National Cyber Security Centre is central to the conclusions of the review. Thanks to its analysis, we have the most detailed study of what is needed to protect 5G, anywhere in the world. It is also because of the work of the Huawei Cyber Security Evaluation Centre Oversight Board, established by the NCSC, that we know more about Huawei and the risks it poses than any other country. We are now taking forward the review’s recommendations in three areas.
First, on world-leading regulation, we are establishing one of the strongest regimes for telecoms security in the world—a regime that will raise security standards across the UK’s telecoms operators and the vendors that supply them. At the heart of the new regime, the NCSC’s new telecoms security requirements guidance will provide clarity to industry on what is expected in terms of network security. The TSRs will raise the height of the security bar and set out tough new standards to be met in the design and operation of the UK’s telecoms networks. The Government intend to legislate at the earliest opportunity to introduce a new comprehensive telecoms security regime, to be overseen by the regulator, Ofcom, and government.
Secondly, the review also underlined the need for the UK to improve diversity in the supply of equipment to telecoms networks. Currently, the UK faces a choice of only three major players to supply key parts of our telecoms networks. This has implications for the security and resilience of these networks, as well as for future innovation and market capacity. It is a “market failure” that needs to be addressed. The Government are developing an ambitious strategy to help diversify that supply chain. This will entail the deployment of all the tools at the Government’s disposal, including funding.
We will do three things simultaneously: seek to attract to our country established vendors who are not present in the UK; support the emergence of new, disruptive entrants to the supply chain; and promote the adoption of open, interoperable standards that will reduce barriers to entry.
The UK’s operators are leading the world in the adoption of new, innovative approaches to expand the supply chain. The Government will work with industry to seize these opportunities, and we will partner with like-minded countries to diversify the telecoms market. It is essential that we are never again in a position of having limited choices when deploying important new technologies.
The third area covered by the review was how to treat vendors which pose greater security and resilience risks to UK telecoms. As I know the House has a particular interest in this area, I will cover this recommendation in detail. Those risks may arise from technical deficiencies or considerations relating to the ownership and operating location of the vendor. As noble Lords may recall, the Government informed the other place in July that they were not in a position to announce a decision on this aspect of the review. We have now completed our consideration of all the information and analysis from the National Cyber Security Centre, industry and our international partners. Today, I am able to announce the final conclusions of the telecoms supply chain review in relation to high-risk vendors.
In order to assess whether a vendor is high risk, the review recommends that a set of objective factors be taken into account. These include the strategic position or scale of the vendor in the UK network; the strategic position or scale of the vendor in other telecoms networks, particularly if the vendor is new to the UK market; the quality and transparency of the vendor’s engineering practices and cyber security controls; the vendor’s resilience, both in technical terms and in relation to the continuity of supply to UK operators; the vendor’s domestic security laws in the jurisdiction where the vendor is based and the risk of external direction that conflicts with UK law; the relationship between the vendor and the vendor’s domestic state apparatus; and, finally, the availability of offensive cyber capability by that domestic state apparatus, or associated actors, that might be used to target UK interests.
To ensure the security of 5G and full-fibre networks, it is both necessary and proportionate to place tight restrictions on the presence of any companies identified as higher risk. The debate is not just about “the core” and “the edge” of networks; nor is it just about trusted and untrusted vendors. Threats to our networks are many and varied, whether from cyber criminals or state-sponsored malicious cyber activity. The most serious recent attack on UK telecoms has come from Russia, and there is no Russian equipment in our networks.
The reality is that these are highly complicated networks relying on global supply chains, where some limited measure of vulnerability is inevitable. The critical security question is: how to mitigate such vulnerabilities and stop them damaging the British people and our economy.
For 5G and full-fibre networks, the review concluded that, based on the current position of the UK market, high-risk vendors should be excluded from all safety-related and safety-critical networks in critical national infrastructure; excluded from security-critical network functions; limited to a minority presence in other network functions up to a cap of 35%; and be subjected to tight restrictions, including exclusions from sensitive geographic locations.
These new controls are also contingent on an NCSC-approved risk mitigation strategy for any operator who uses such a vendor. We will legislate at the earliest opportunity to limit and control the presence of high-risk vendors in the UK network and to allow us to respond as technology changes.
Over time, our intention is for the market share of high-risk vendors to reduce as market diversification takes place. I also want to be clear that nothing in the review affects this country’s ability to share highly sensitive intelligence data over highly secure networks, both within the UK and with our partners, including the Five Eyes. GCHQ has categorically confirmed that how we construct our 5G and full-fibre public telecoms networks has nothing to do with how we share classified data. The UK’s technical security experts have agreed that the new controls on high-risk vendors are completely consistent with the UK’s security needs.
In response to the review’s conclusions on high-risk vendors, the Government have asked the NCSC to produce guidance for industry. This guidance was published earlier today on the NCSC’s website. The NCSC has helped operators to manage the use of vendors that pose a greater national security risk, such as Huawei and ZTE, for many years.
This new guidance will include how it determines whether a vendor is high risk, the precise restrictions it advises should be applied to high-risk vendors in the UK’s 5G and full-fibre networks, and what mitigation measures operators should take if using high-risk vendors. As with other advice from the NCSC on cybersecurity matters, this advice will be in the form of guidance. The Government expect UK telecoms operators to give due consideration to this advice, as they do with all their interactions with the NCSC.
I recognise that noble Lords may wish to pursue further the technical details of these proposals, not least with my officials and officials at the National Cyber Security Centre, who will be available to answer questions in Committee Room 11 from 4.30 pm today.
I hope the whole House will agree that if we are to achieve our digital connectivity ambitions, it is imperative that we trust the safety and security of our telecoms networks. Risk cannot be eliminated in telecoms, but it is the job of the Government, Ofcom and industry to work together to ensure that we reduce our vulnerabilities and mitigate the risks. The Government’s position on high-risk vendors marks a major change in the UK’s approach. When taken together with the tough new security standards that will apply to operators, this approach will substantially improve the security and resilience of the UK’s telecoms networks, which are a critical part of our national infrastructure. It reflects the maturity of the UK’s market and our world-leading cybersecurity expertise, and it follows a rigorous and evidenced-based review. It is the right decision for the UK’s specific circumstances.
The future of our digital economy depends on trust in its safety and security. If we are to encourage the take-up of new technologies that will transform our lives for the better, we need to have the right measures in place. That is what this new framework will deliver, and I commend this Statement to the House.