Wednesday 4th March 2020

(4 years, 8 months ago)

Westminster Hall
Read Full debate Read Hansard Text Read Debate Ministerial Extracts

Westminster Hall is an alternative Chamber for MPs to hold debates, named after the adjoining Westminster Hall.

Each debate is chaired by an MP from the Panel of Chairs, rather than the Speaker or Deputy Speaker. A Government Minister will give the final speech, and no votes may be called on the debate topic.

This information is provided by Parallel Parliament and does not comprise part of the offical record

Iain Duncan Smith Portrait Sir Iain Duncan Smith (Chingford and Woodford Green) (Con)
- Hansard - - - Excerpts

I beg to move,

That this House has considered the security implications of including Huawei in 5G.

It is a pleasure to serve under your chairmanship, Mr Paisley. I am pleased to see so that many right hon. and hon. Members want to speak, so I will be as brief as possible.

The Government’s decision to go ahead with Huawei in the 5G network in the UK—it is clear from the evidence—has angered our allies and perplexed many of us who see this as an avoidable risk. In the rush—I believe it is a rush—to go ahead with the 5G system for the UK using Huawei’s products extensively, the UK Government have brushed aside the concerns of all our most important allies and the people we generally rely on. There is an overwhelming body of evidence indicating that Huawei is an untrusted vendor, which should not be given any further opportunity of access to our most vital communication networks.

The decision of the UK Government leaves us, at the moment, utterly friendless among our allies. After all, Huawei is effectively a state-owned corporation in the People’s Republic of China under the Communist party. Huawei Technologies is 99%-owned by Huawei Investment & Holding, which in turn is completely owned by Huawei Investment & Holding’s trade union committee. According to Chinese law, trade union committees are classified as public or mass organisations, which do not have shareholders, as they are recognised under Chinese law as legal persons or entities in their own right. An example of a public organisation would be the Communist Youth League.

Bob Seely Portrait Bob Seely (Isle of Wight) (Con)
- Hansard - -

The relationship between Huawei and the state is the same as the Communist Youth League to the state. Therefore, is it not baffling that the Government continue to argue that Huawei is a private company, given that, by the western definition, that cannot be said in any meaningful sense?

Iain Duncan Smith Portrait Sir Iain Duncan Smith
- Hansard - - - Excerpts

I agree. That is exactly the point I was making.

--- Later in debate ---
Bob Seely Portrait Bob Seely (Isle of Wight) (Con)
- Hansard - -

It is a pleasure to serve under your chairmanship, Mr Paisley. I congratulate my right hon. Friend the Member for Chingford and Woodford Green (Sir Iain Duncan Smith) on securing the debate. In the four minutes that I have I shall go through some of the important points that have not been covered. Huawei is a high-risk vendor and should not be in our critical national infrastructure. That is the first significant mistake that this Government have made. How bad and how serious it becomes will be obvious in time. I want to cover not only national security, which my right hon. Friend has eloquently spoken about, but data privacy, our values, our alliances, and, critically, other issues around the competence of Huawei, and fair trade and economics.

I still do not understand why the Government continue to claim that Huawei is a private firm. The point has been made already that it is 99% owned by Chinese trade unions, so will the Minister explain why he and previous Ministers—certainly previous Ministers—have argued that Huawei is a private firm when to all intents and purposes it is part and parcel of the Chinese state? The Government claim that Huawei can be safely limited to the periphery of a network. Most experts and many security agencies say not. I quote Mike Burgess, head of Australia’s version of GCHQ:

“The distinction between core and edge collapses in 5G networks. That means that a potential threat anywhere in the network will be a threat to the whole network.”

Will the Minister comment on that? One of Mike Burgess’s senior directors, Simeon Gilding, tried to design a system that could have a high-risk vendor in Australia’s five G network. He failed and said it was not possible. He said that the British

“think they can manage the risk but we don’t think that is plausible given Huawei would be subject to direction from hostile intelligence services.”

Again, will the Minister comment on that? Are there espionage issues with Huawei? They are multiple. Chinese national intelligence law states that citizens have to co-operate. Furthermore, it states that the information that Huawei gets from the UK is the property of the Chinese state. Again, will the Minister comment?

China has a dreadful reputation for cyber-attacks. Chinese People’s Liberation Army soldiers have been charged with the 2017 cyber-security security attack on Equifax, which included data on millions of Britons. Why does the Minister think the Chinese want to collect so much information on so many millions of people in the west? That applies not only to Britons, but the 21.5 million files they stole on US federal employees in 2015. Can the Huawei Cell offer reassurances? Not really. It states that the Cell

“can only provide limited assurance that all risks to UK national security from Huawei's involvement...can be sufficiently mitigated”.

It complained that no material progress was being made by Huawei on the concerns of 2018, and it continued to identify security issues. Are there other security issues? Yes, for sure there are. I quote Finite State, a respected US company:

“Huawei devices quantitatively pose a high risk to their users.. In virtually all categories we studied, we found Huawei devices to be less secure.”

Bloomberg reported that Vodafone in several countries found illicit backdoors on Huawei technology. In March 2019, Microsoft uncovered Huawei MateBook systems running a system whereby unauthorised people could create super-user privileges. There are significant industrial espionage issues with Huawei. Will the Minister comment on those?

We know about Huawei’s involvement in China’s human rights abuses. It works closely with the state in Xinjiang province. Indeed, it boasts about it. In this country, it is a private company. In China, it is part and parcel of the state apparatus. I would love a comment from the Minister. Huawei claims it is a market leader. According to Chris Balding, an academic who studies Huawei, it is not. It is ranked fourth to sixth globally. It has a $100 billion credit line from the China Development Bank, which means that, apart from any other questionable business practices it has—we have been told of quite a few—it can undercut by 30% to 50% any other vendor. By allowing Huawei in the system, we effectively allow data privacy issues, damage to our alliances, and damage to free trade. We do western companies out of business so that we will have to become reliant in due course on China’s 5G as part of a significant power play in our critical national infrastructure.

--- Later in debate ---
Ruth Edwards Portrait Ruth Edwards (Rushcliffe) (Con)
- Hansard - - - Excerpts

I start by declaring an interest: I used to work for BT’s cyber-security team before I was elected. I have spent 10 years working in the cyber-security industry, and I refer the House to my entry in the Register of Members’ Financial Interests.

The security of our telecoms network is vital as we move towards an ever more connected society and economy. It does not, however, rest on the presence or absence of equipment from any single supplier. Strong cyber-security for any system, including our telecoms networks, is determined by: the security architecture principles that have been followed in its design; how the system is managed in-life, including the security controls and monitoring around it; the contingency planning that has taken place, which enables any risks that materialise to be dealt with effectively; and the testing of that contingency planning.

I will address each of those briefly, but the key thing I wish to emphasise is that there is no risk-free option. Regardless of the equipment used, our telecoms networks, Government bodies, businesses and critical national infrastructure operators will always be targets for nation states, aggressors, criminals and hackers. The key thing is to manage the risk and reduce it to an acceptable level. That is what, in my view, the telecoms security requirements achieve.

Bob Seely Portrait Bob Seely
- Hansard - -

I am sorry to interrupt; I know that time is short. Is my hon. Friend saying that there is no implication for 5G security, never mind the geopolitics and politics, of having a high-risk, untrusted vendor from a potentially adversarial state in the system? Is it not like giving the burglar the keys to our house, while pretending that we have a safe that is safe?

Ruth Edwards Portrait Ruth Edwards
- Hansard - - - Excerpts

For a start, there are no trusted vendors. Most companies operate a zero-trust policy when it comes to all cyber-security vendors. Secondly, the key point is how we manage that risk. I will go on to answer the question in a bit more detail, if my hon. Friend will bear with me.

The TSRs establish a baseline for security in telecoms, and put it on a statutory footing. They prohibit the use of high-risk vendors in sensitive functions of the network, and cap the use of such vendors at 35% across the network as a whole. As a result of their implementation, we will have some of the most secure networks in the world. The TSRs provide a clear and exhaustive list of sensitive functions related to the control, orchestration and virtualisation of our networks where high-risk vendors cannot be used. They will not be used in the intelligence or control planes of the network, and therefore will not interact with customer traffic in a detailed manner. Any impact of failure will also have a limited, localised geographical reach.

Many understandable concerns have been raised that moving to 5G networks will somehow merge those sensitive functions, often referred to as core functions, with less sensitive parts of the network in which equipment from high-risk vendors will be used. Moving to 5G network technologies could enable us to move sensitive functions out to the edge of the network, but “could” does not mean “should”. Were we to do so, using a high-risk vendor would be the least of our problems.

The further restrictions of only one high-risk vendor in the network and the hard cap of 35% further enhance the security standards. Security architecture principles are not a desperate measure to enable us to use a high-risk vendor; they are part of every network deployment everywhere, whether it is a telecoms network at national level or a business network at company level. More sensitive information and functions with higher risk are treated differently from those with lower risk. A blanket approach of doing away with all higher-risk vendors or technologies would mean that we could not use emerging technologies that offer so much benefit when deployed appropriately.

Today’s motion specifically references Huawei. The UK has globally leading insight into Huawei’s operations, processes and products through the Government-chaired Huawei cyber-security evaluation centre. Whoever the vendor is, any responsible telecoms provider will fully test all hardware and software before deploying it into their networks.

Bob Seely Portrait Bob Seely
- Hansard - -

Is that not the problem? So much of our kit is not being tested, which is why we need a fuller security audit. Also, the Cell is becoming increasingly concerned about Huawei, saying that Huawei is not delivering the improvements that the Cell needs. The Cell highlights those concerns in its reports.

Ruth Edwards Portrait Ruth Edwards
- Hansard - - - Excerpts

I thank my hon. Friend for that point. There are engineering problems in Huawei, and the Government and many UK customers have been very clear that they want Huawei to solve them. The news that I must give him is that if he started looking at the code of any supplier, he would see security issues. In security engineering, I am afraid that people make mistakes when it comes to software.

Equipment and performance is monitored in-life by telcos, and threat hunting is carried out across the whole network. Technologies are increasingly powered by artificial intelligence. AI look for anomalies of behaviour both inside the network, in terms of patterns of incoming traffic, and suspicious outbound traffic. Attempts to sabotage equipment or exfiltrate data at scale will be detected.

The National Cyber Security Centre, my former employer BT and many other telcos have all been very clear that they have not previously detected attempts at malicious activity by Huawei. If they had, they would hardly be doing business with them for their 5G networks. However, we cannot rely on the past to determine the future. That is why the cap on the amount of equipment provided by one supplier is so important, as it stops an over-reliance on one supplier in the network. Other arrangements, such as the escrow of source code, enable providers to isolate equipment in their networks and take over full operation of it, should that be deemed necessary due to mounting international tensions.

--- Later in debate ---
Bob Seely Portrait Bob Seely
- Hansard - -

Does my right hon. and learned Friend accept that the diversity argument is one of many flawed arguments, because Huawei is undermining diversity? Through Huawei and ZTE, the Chinese state is trying to build up other states’ dependency on it to provide advanced communications, so by getting Huawei in, we are undermining diversity in the market.

Jeremy Wright Portrait Jeremy Wright
- Hansard - - - Excerpts

I agree with my hon. Friend that it is sensible to make sure we do not undermine diversity through our own actions. However, as a matter of principle, taking suppliers out of the system does not assist diversity. The points he has made are substantially about security, and I agree that this debate must focus on that question. Whether we use market caps or bring along other suppliers in the market, diversity is a legitimate security objective, just as it is a legitimate economic objective. However, I am afraid that we do not have the luxury of inventing a domestic contributor to this market in a short space of time, so we have to deal with the market as it is.

There is a good reason why we focus on the security of the system as a whole and not on one supplier. If we are worried about China, as it is perfectly right for us to be, it is worth keeping in mind the fact that many of the competitor suppliers referred to in this debate use Chinese components in their equipment, or assemble their equipment in China. It is therefore important to recognise China’s potential to intervene.

--- Later in debate ---
John Nicolson Portrait John Nicolson
- Hansard - - - Excerpts

No, I would not put faith in them, not least because there is little consensus among former heads of intelligence about the issue.

Bob Seely Portrait Bob Seely
- Hansard - -

Will the hon. Gentleman give way on that point?

John Nicolson Portrait John Nicolson
- Hansard - - - Excerpts

I will not; I will make progress.

The UK has spent, and continues to spend, billions of pounds on the development, maintenance and renewal of 20th-century defence systems, such as Trident, that are simply not fit to face the security challenges of the modern era. The biggest threats we now face—terrorism, climate change and, of course, cyber-security—will not be deterred by multibillion-pound nuclear weapons in the firth of Clyde.

In the meantime, our telecoms infrastructure security has been left weak and exposed by decades of under-investment. Countering the threat would require serious investment in, and protection of, our native companies, which would involve a hard look at China’s enthusiasm for the acquisition of small engineering firms. The right hon. Member for Chingford and Woodford Green (Sir Iain Duncan Smith) asked who has been asleep at the watch, but we all know which Government and which party has been in charge for the last decade. With China aiming to monopolise the market, it is not too late for the Government and the country to wake up.

--- Later in debate ---
Tom Tugendhat Portrait Tom Tugendhat
- Hansard - - - Excerpts

Will the Minister give way?

Bob Seely Portrait Bob Seely
- Hansard - -

Will the Minister give way?

--- Later in debate ---
Matt Warman Portrait Matt Warman
- Hansard - - - Excerpts

Our aim is not to be reliant on high-risk vendors at all. I appreciate that my right hon. Friend would like me to set out a timetable for that, but I cannot do that today.

There are major market problems we need to address and they are common to all western nations. We have to remain hard-headed and evidence-based. We want to ensure that, as new technologies develop, we have a vibrant and diverse ecosystem of suppliers that we can rely on. The decisions we have made in this area are the right ones because they are based on hard evidence.

Bob Seely Portrait Bob Seely
- Hansard - -

We are not getting at the Minister, who we hold in high regard, but at the decision that he is, unfortunately, having to defend. He is now talking about the economics. The problem is that because Huawei is so bankrolled by the Chinese state, it can simply undercut other providers. Even if Fujitsu and Samsung—not to mention UK companies—want to come into the market, so that there is a diverse, multiplayer, western market in 5G, it is very difficult to get to that because Huawei will always undercut, and telcos are heavily indebted and therefore will do Huawei’s bidding. That is a structural problem.

Matt Warman Portrait Matt Warman
- Hansard - - - Excerpts

I will come on to what we will do to try to promote market diversification in a moment. Suffice it to say, we do not and will never put anything other than national security at the very top of our agenda on this issue.

Matt Warman Portrait Matt Warman
- Hansard - - - Excerpts

Yes. Huawei and ZTE are both high-risk vendors, as we have said previously.

Bob Seely Portrait Bob Seely
- Hansard - -

Will the Minister give way?

Matt Warman Portrait Matt Warman
- Hansard - - - Excerpts

I fear making no progress at all if I keep giving way.

Put simply, in the view of the most expert telecommunications specialists in the world, as others have said in the debate, a limited amount of carefully controlled hardware from China does not compromise our national security. This Government will continue to do all it can to put the experts who hold that view, both private and public sector, at the disposal of this House. I am grateful to all those hon. Members who have taken up the opportunities for such briefings and I wish they were greater in number. The Government are confident that we are putting the nation’s interests first.

--- Later in debate ---
Matt Warman Portrait Matt Warman
- Hansard - - - Excerpts

I hope my right hon. Friend takes significant comfort from what I have said: we want to get to a position where we are not reliant at all on high-risk vendors.

We have confidence in the independent technical assessment from our security experts and, importantly, the telecommunications industry has confidence in those assessments, too. That is why we have been in a position to publish as much of our security assessment as we have done. As a result, we have the most detailed study of what is needed to protect 5G networks anywhere in the world. We are not naive about Huawei or its relationship with the Chinese state. Since Huawei has entered the UK network, it has been carefully managed. Through the cyber-security evaluation centre and the oversight board, we have the greatest access to, and insight on, Huawei equipment anywhere in the world.

Bob Seely Portrait Bob Seely
- Hansard - -

I am grateful to the Minister for giving way yet again.

Does he understand that many of us take issue with what he has just said? First, figures from the security world who have publicly spoken up, such as Richard Dearlove, are hostile to what the Minister says. There is a sense that the Government have given our security agencies a fait accompli, because almost all our allies’ cyber-security agencies take a diametrically opposed view to the one that he presents. Secondly, will he acknowledge that the Banbury Cell now has very serious concerns about Huawei?

Matt Warman Portrait Matt Warman
- Hansard - - - Excerpts

As I said, we are introducing the new regime because of some of the concerns that my hon. Friend addresses. I reiterate the Government’s offer to put at the disposal of any Member of the House as many experts from the public and private sectors that we can, so that colleagues can be in touch with the latest thinking on this issue.

We understand the threat from China and are robust with it when our interests are challenged. We will continue to publicly call out malicious cyber-activity, and the decision to categorise Huawei as a high-risk vendor took into consideration the potential links between Chinese companies and the Chinese state, including the fact that Chinese companies are subject to China’s national intelligence law. The UK has also been vocal in drawing attention to the systematic human rights violations against Uyghur Muslims and other ethnic minorities in China. The Government have set out our expectations of businesses in the UK national action plan on business and human rights.

The telecoms supply chain review, which was laid before the House in July 2019, underlined the range and nature of the risks, highlighting the risks of dependence on one vendor, faults or vulnerabilities in network equivalence equipment, the back-door threat, and vendors’ administrative access. We need to be alive to the totality of the risks that the telecoms network faces today and will face in the future. High-risk vendors are part of that security risk assessment, but they are not the sole factor.

I want to address some of the myths about how the network will develop. It is true that technical characteristics of 5G create a greater surface area for potential attacks, but it will still be possible to distinguish different parts of the network. As my hon. Friend the Member for Rushcliffe (Ruth Edwards) said, what matters are the critical functions within the network. We need to ensure that critical functions, wherever they are, have appropriate security.