Huawei has been permitted to participate in the roll-out of 5G networks in the UK but equipment supplied by the Chinese telecommunications equipment provider will not be installed in "core" parts of the 5G network, Downing Street has announced.
In an expected move, the government said that while Huawei has not been outrightly banned from supplying equipment for the UK's 5G network, the company's products will form no more than 35 percent of the overall kit.
The National Cyber Security Centre, which categorizes Huawei as a "high risk vendor", said that 5G operators must limit the use of equipment provided by high risk vendors to 35 percent as the limit will allow them to carry out effective cyber security risk management and take measures to detect or prevent cyber threats.
The cyber security watchdog said that the 35 percent cap on the use of Huawei's 5G equipment will not only minimise risk, but will also ensure the diversity of supply in the market. It also advised 5G operators to not use more than one high risk vendor in any given network as the same will defeat effective cyber security risk management.
NCSC also shared a list of core 5G functions where operators will not be permitted to deploy Huawei's equipment or services. These include 5G Core database functions, 5G core-related services including but not limited to Authentication Server Function (AUSF), Access and Mobility Management Function (AMF), Unstructured Data Storage Function (UDSF), Network Exposure Function (NEF), Intermediate NEF (I-NEF), Network Repository Function (NRF), Network Slice Selection Function (NSSF), Policy Control Function (PCF), and Session Management Function (SMF) among others.
"Operators should only use an HRV if that HRV has in place a specific risk mitigation strategy, designed and overseen by NCSC. We do not believe that operators are able to manage the national risk the use of HRVs attracts without support from the national cybersecurity authority. It may not be possible to provide such a mitigation strategy in all cases," it added.
NCSC totally dissatisfied with security protocols in Huawei's engineering processes
In April last year, Reuters reported that the UK was willing to allow Huawei's equipment to be used in the development of "non-core" components of the country's future 5G networks, while completely restricting Huawei from all core parts of the 5G network.
This was despite the fact that NCSC technical director Ian Levy had termed Huawei's engineering processes as "very, very shoddy" and said that Huawei had done very little to reassure the government that its promised transformation programme will bear fruit in the coming years.
"The security in Huawei is like nothing else - it's engineering like it's back in the year 2000 - it's very, very shoddy. We've seen nothing to give us any confidence that the transformation programme is going to do what they say it's going to do," he told BBC Panorama.
On its part, Huawei promised that it would invest up to $2 billion (£1.54 billion) over a period of five years to "comprehensively improve" its software engineering capabilities and to resolve a set of security issues in equipment deployed in the UK that were highlighted by the Huawei Cyber Security Evaluation Centre (HCSEC).
This programme is part of a broader effort to redesign our Integrated Product Development process. Technology and networking environments are evolving. Customer and societal expectations for technology are evolving too, as are regulatory requirements. In recognition of these changes, we too are evolving our processes," said Ryan Ding, President of Huawei's Carrier Business Group in a letter addressed to the Commons Science and Technology Committee.