The UK’s 5G Infrastructure Security – Update from CyberUK, Glasgow

Dr Madeline Carr, Deputy Head of STEaPP and Director of Research, reflects on CyberUK 2019, the UK government’s flagship cyber security event.

Last week thousands of cyber security practitioners, industry representatives, policymakers and academics gathered at the Armadillo in Glasgow for what has become one of the highlights of the annual calendar of events – CyberUK. The brainchild of the National Cyber Security Centre, this event offers a couple of days of carefully curated panel sessions, tutorials, games, social events and keynote addresses. CyberUK is an opportunity to pause and reflect on what’s happened in this dynamic space over the past 12 months, to get an update on strategic thinking that will shape the coming years and to engage with the very latest in research and development.

One of the dominant issues that continually fed into conversations both on and off the stages, was the question of supply chain security – particularly with regards to 5G. And particularly with regards to the Chinese giant, Huawei. If you’re not sure why 5G matters, (beyond the assumption that it must be better for mobile phones than 3G and 4G and therefore, we want it) you should read this blog post by the NCSC’s Technical Director, Dr Ian Levy. It’s a beautifully written piece that explains the broader significance (as well as some fancy technical details that I didn’t know) in clear, plain language.

In a nutshell, the roll-out and successful implementation of 5G will be the foundation upon which a lot of technological innovation (including the Internet of Things) will increasingly be built. It will be the framework – the scaffolding – that makes a lot of other innovations possible. As is often the case with technological innovation of this scale and complexity, there are a few key players leading the field. These include ZTE, Ericsson, Nokia and Huawei.

One of the factors that we focus on in the Digital Technologies Policy Lab is the link between technological innovation and political outcomes. We know that dominance in emerging technologies leads to a certain type of power to set the agenda, develop rules, and shape the future. The Internet emerged in an American vision, largely defined by the ‘Atari Democrats’ like Al Gore and Bill Clinton who saw it as a mechanism for expanding markets, promoting human rights and spreading democratisation. Given the long-term significance of 5G infrastructure, it is understandable that governments are thinking carefully about who to partner with.

To unpack this, CyberUK hosted a panel on the first morning that was the highlight of the event for me. They had a senior representative from each of the Five Eyes intelligence sharing group on stage to discuss (among other things) this question of supply chain security and 5G. Huawei has been banned from building the US 5G infrastructure due to concerns about the nature of its relationship with the Chinese state and there has been pressure (expected to intensify) from the US for all four intelligence partners to do the same. Australia has followed suit, but New Zealand and Canada are yet to decide on their position.

In the UK, Huawei has already been involved in building some parts of our 5G infrastructure. In order to establish a clear basis for the security and resilience of UK telecoms networks and services, the UK government implemented the Telecoms Supply Chain Review. The review has not yet been made public but last week, there was a Cabinet level leak which revealed that the UK intended to continue to allow Huawei to build some parts of the UK 5G infrastructure. (This transcript from the Hansard makes good reading.)

The CyberUK Five Eyes panel revealed close alignment in the sense that all agreed on the fact that 5G infrastructure security is critical. But it also revealed some divergence on how to get there. In his Plenary Address, the Director of GCHQ, Jeremy Fleming, pointed out that when they ‘analyse a company for their suitability to supply equipment to the UK’s telecoms networks, we are looking at the risks that arise from their security and engineering processes, as well as the way these technologies are deployed in our national telecom networks. The flag of origin of 5G equipment is important, but it is a secondary factor.’

The geopolitics of emerging technology is changing. We’re seeing a growing recognition that markets alone will not deliver the kind of cyber security necessary for future innovation and that governments do have an important role to play in incentivising and moderating private actors. It is clear that finding innovative ways to govern ‘wicked problems’ like global cyber security will be as essential for future positive outcomes as research that takes place at the lab bench. Providing forward momentum on this is at the heart of the Digital Technologies Policy Lab and it is part of why we value our education programmes so highly.

For the time being, it looks as though Huawei will continue to build out parts of the UK 5G infrastructure, under close supervision from the government and the NCSC. But as with many things in UK politics right now, let’s see what next week brings.