My Lords, with the leave of the House, I will make a Statement on the security of the telecoms supply chain.
This Government are committed to securing nationwide coverage of gigabit-capable broadband by 2025, because we know the benefits that world-class connectivity can bring: from empowering rural businesses, to enabling closer relationships for the socially isolated, to new possibilities for our manufacturing and transport industries. We are removing the barriers to faster network deployment and have committed £5 billion of new public funding to ensure that no area is left behind. It is of course essential that these new networks are secure and resilient, which is why the Government have undertaken a comprehensive review of the supply arrangements for 5G and full-fibre networks.
The telecoms supply chain review—laid in the other place in July last year—underlined the range and nature of the risks facing our critical digital infrastructure, from espionage and sabotage to destructive cyberattacks. We have looked at the issue of how to maintain network security and resilience over many months and in great technical detail. We would never take decisions that threaten our national security or the security of our Five Eyes partners. As a result, the technical and security analysis undertaken by GCHQ’s National Cyber Security Centre is central to the conclusions of the review. Thanks to its analysis, we have the most detailed study of what is needed to protect 5G, anywhere in the world. It is also because of the work of the Huawei Cyber Security Evaluation Centre Oversight Board, established by the NCSC, that we know more about Huawei and the risks it poses than any other country. We are now taking forward the review’s recommendations in three areas.
First, on world-leading regulation, we are establishing one of the strongest regimes for telecoms security in the world—a regime that will raise security standards across the UK’s telecoms operators and the vendors that supply them. At the heart of the new regime, the NCSC’s new telecoms security requirements guidance will provide clarity to industry on what is expected in terms of network security. The TSRs will raise the height of the security bar and set out tough new standards to be met in the design and operation of the UK’s telecoms networks. The Government intend to legislate at the earliest opportunity to introduce a new comprehensive telecoms security regime, to be overseen by the regulator, Ofcom, and government.
Secondly, the review also underlined the need for the UK to improve diversity in the supply of equipment to telecoms networks. Currently, the UK faces a choice of only three major players to supply key parts of our telecoms networks. This has implications for the security and resilience of these networks, as well as for future innovation and market capacity. It is a “market failure” that needs to be addressed. The Government are developing an ambitious strategy to help diversify that supply chain. This will entail the deployment of all the tools at the Government’s disposal, including funding.
We will do three things simultaneously: seek to attract to our country established vendors who are not present in the UK; support the emergence of new, disruptive entrants to the supply chain; and promote the adoption of open, interoperable standards that will reduce barriers to entry.
The UK’s operators are leading the world in the adoption of new, innovative approaches to expand the supply chain. The Government will work with industry to seize these opportunities, and we will partner with like-minded countries to diversify the telecoms market. It is essential that we are never again in a position of having limited choices when deploying important new technologies.
The third area covered by the review was how to treat vendors which pose greater security and resilience risks to UK telecoms. As I know the House has a particular interest in this area, I will cover this recommendation in detail. Those risks may arise from technical deficiencies or considerations relating to the ownership and operating location of the vendor. As noble Lords may recall, the Government informed the other place in July that they were not in a position to announce a decision on this aspect of the review. We have now completed our consideration of all the information and analysis from the National Cyber Security Centre, industry and our international partners. Today, I am able to announce the final conclusions of the telecoms supply chain review in relation to high-risk vendors.
In order to assess whether a vendor is high risk, the review recommends that a set of objective factors be taken into account. These include the strategic position or scale of the vendor in the UK network; the strategic position or scale of the vendor in other telecoms networks, particularly if the vendor is new to the UK market; the quality and transparency of the vendor’s engineering practices and cyber security controls; the vendor’s resilience, both in technical terms and in relation to the continuity of supply to UK operators; the vendor’s domestic security laws in the jurisdiction where the vendor is based and the risk of external direction that conflicts with UK law; the relationship between the vendor and the vendor’s domestic state apparatus; and, finally, the availability of offensive cyber capability by that domestic state apparatus, or associated actors, that might be used to target UK interests.
To ensure the security of 5G and full-fibre networks, it is both necessary and proportionate to place tight restrictions on the presence of any companies identified as higher risk. The debate is not just about “the core” and “the edge” of networks; nor is it just about trusted and untrusted vendors. Threats to our networks are many and varied, whether from cyber criminals or state-sponsored malicious cyber activity. The most serious recent attack on UK telecoms has come from Russia, and there is no Russian equipment in our networks.
The reality is that these are highly complicated networks relying on global supply chains, where some limited measure of vulnerability is inevitable. The critical security question is: how to mitigate such vulnerabilities and stop them damaging the British people and our economy.
For 5G and full-fibre networks, the review concluded that, based on the current position of the UK market, high-risk vendors should be excluded from all safety-related and safety-critical networks in critical national infrastructure; excluded from security-critical network functions; limited to a minority presence in other network functions up to a cap of 35%; and be subjected to tight restrictions, including exclusions from sensitive geographic locations.
These new controls are also contingent on an NCSC-approved risk mitigation strategy for any operator who uses such a vendor. We will legislate at the earliest opportunity to limit and control the presence of high-risk vendors in the UK network and to allow us to respond as technology changes.
Over time, our intention is for the market share of high-risk vendors to reduce as market diversification takes place. I also want to be clear that nothing in the review affects this country’s ability to share highly sensitive intelligence data over highly secure networks, both within the UK and with our partners, including the Five Eyes. GCHQ has categorically confirmed that how we construct our 5G and full-fibre public telecoms networks has nothing to do with how we share classified data. The UK’s technical security experts have agreed that the new controls on high-risk vendors are completely consistent with the UK’s security needs.
In response to the review’s conclusions on high-risk vendors, the Government have asked the NCSC to produce guidance for industry. This guidance was published earlier today on the NCSC’s website. The NCSC has helped operators to manage the use of vendors that pose a greater national security risk, such as Huawei and ZTE, for many years.
This new guidance will include how it determines whether a vendor is high risk, the precise restrictions it advises should be applied to high-risk vendors in the UK’s 5G and full-fibre networks, and what mitigation measures operators should take if using high-risk vendors. As with other advice from the NCSC on cybersecurity matters, this advice will be in the form of guidance. The Government expect UK telecoms operators to give due consideration to this advice, as they do with all their interactions with the NCSC.
I recognise that noble Lords may wish to pursue further the technical details of these proposals, not least with my officials and officials at the National Cyber Security Centre, who will be available to answer questions in Committee Room 11 from 4.30 pm today.
I hope the whole House will agree that if we are to achieve our digital connectivity ambitions, it is imperative that we trust the safety and security of our telecoms networks. Risk cannot be eliminated in telecoms, but it is the job of the Government, Ofcom and industry to work together to ensure that we reduce our vulnerabilities and mitigate the risks. The Government’s position on high-risk vendors marks a major change in the UK’s approach. When taken together with the tough new security standards that will apply to operators, this approach will substantially improve the security and resilience of the UK’s telecoms networks, which are a critical part of our national infrastructure. It reflects the maturity of the UK’s market and our world-leading cybersecurity expertise, and it follows a rigorous and evidenced-based review. It is the right decision for the UK’s specific circumstances.
The future of our digital economy depends on trust in its safety and security. If we are to encourage the take-up of new technologies that will transform our lives for the better, we need to have the right measures in place. That is what this new framework will deliver, and I commend this Statement to the House.
My Lords, I am grateful to the Minister for that Statement and for the reassurance given in large measure by what she read to us. Of course, a number of questions are left open and will emerge. Given the time that was available to me to read the various pieces of literature, my questions will be bundled out and no doubt brought into more coherent shape as time passes.
I note that we are promised “world-leading” primary legislation but are not given an exact time. Yesterday, the word was mañana. Today, in answer to the question of when, the reply is, “at the earliest opportunity.” I am becoming accustomed to the various euphemisms for mañana that are put forward in government reports. It will be a new, comprehensive telecoms security regime. I suppose that the various measures that will be necessary to make sure that we oversee activity in this area will be set out in detail. It would be reassuring to have “at the earliest opportunity” unpacked, if that is at all possible, because we are in an area where developments happen so quickly that the more time that lapses, the more behind the action and the curve we become.
I note that, as the UK’s 4G network relies on Huawei, achieving zero presence today would be near impossible, so I suppose that a reduction to 35% is welcome. But will this reduce over time to wean operators off the Chinese provider, or will 35% be an enduring figure?
The NCSC’s security analysis, which again I read very quickly, concludes that
“threat analysis highlights that our telecoms sector is potentially vulnerable to a range of cyber risks. This analysis is backed up by evidence generated from security testing of telecoms networks and by security incidents.”
In other words, the risks are high—an added pressure, perhaps, to ensure that not too much time elapses before measures are brought before us.
There is talk of the diversification of vendors and the categories under which they might be grouped, but there is not much reference to help us to understand how much home-produced material or producers will come forward. There are a number of players on the global scene. Is the activity lively in our economy and will it produce its own home-produced involvements in the provision of these measures?
Under the objective factors that help us to identify high-risk vendors, the claim is that we know more about Huawei and the risks it poses than any other country, so, whatever investigations have taken place, it puts us in prime position—according to the claims made here—to know the mind of Huawei, its activities and all the rest of it. That leads me to ask: if that is the case, how do we measure Huawei’s performance against its domestic security laws? How did Huawei pass, given China’s law on compliance with state intelligence services and co-operation with the police in the mass detention of Uighur Muslims in Xinjiang, for example?
In other words, Huawei gets in at 35%. We welcome that, but suppositions and assumptions are made about Huawei that we still need to have clarified for us. A lot seems to go by on just remarks, assumptions and general statements. Attracting established vendors not present in the UK and new disruptive entrants in promoting open interoperable standards is welcome. But, given the subsidies that Huawei is said to use to get market access, how do we know whether the subsidies exist and how much they amount to, and how will new entrants compete tomorrow when they cannot today? Those are just a few of the questions that occur to me.
I should say that one or two of the quotations I have used in making my remarks are attributable to members of the noble Baroness’s own party—so these concerns are felt by all of us. So we welcome what is happening today because it does set a direction of travel—but we travel with a few questions that are still waiting to be answered.
My Lords, I thank the noble Baroness for the Statement and begin by declaring an interest: I was a member of the Intelligence and Security Committee when the security implications of Huawei’s involvement in these matters were first identified. I should confess that my attitude is still to a large extent conditioned by what we found then.
I do not share the enthusiasm of the noble Baroness for the compromises which have been announced, in particular since I spent two days last week in the United States. Any question of us being at odds with the US, and indeed other members of the Five Eyes, is something that we should not contemplate with anything other than great concern. The United States is of course our closest ally when it comes to intelligence, and I wonder to what extent account has been taken of the very strong expressions against our involvement that have come from the White House down. It has been said that the US will not share intelligence. By its very nature, we will not know what intelligence it will choose not to share—and, for all we know, such a failure may have considerable implications for the safety and the interests of this country.
Nothing that has been said or that I have read excludes in all circumstances the possibility of the risk that Huawei might be forced by the Chinese Government to exploit its position. Indeed, as has already been said, it is under something of a legal obligation to do so. I make that assertion without qualification because I am bound to say that were we in a situation where the positions were reversed and found ourselves with the kind of opportunities that a company acting on our behalf might have in a foreign nation and the national interests of the United Kingdom were at stake, we would undoubtedly seek to bring pressure on that company. That cannot be ignored.
Undertakings are frequently given, but we all know that, on many occasions, undertakings have a very short lifetime. They can be given and they can be conveniently forgotten. Throughout the discussion I have been asking this question: would the Chinese Government admit BT to such a sensitive opportunity as the United Kingdom is about to enlarge to Huawei? I doubt very much that they would.
I will conclude by saying this. It is an entirely laudable ambition to seek to extend broadband throughout the United Kingdom, but I hope that national security is not being sacrificed to that ambition.
I thank both noble Lords for their comments. Quite a lot of points have been raised and I am conscious that other noble Lords want to speak, so I shall try to deal with them quickly. The noble Lord asked when the legislation would be ready. Of course, it has not been possible to prepare the legislation until the decision made today by the National Security Council, but we are all very conscious of the need to legislate early. What today’s announcement means is that the National Cyber Security Centre is able to issue guidance to providers. Until now we have not had the ability, other than by asking nicely, to say, “Please do not use more than a certain percentage of high-risk vendor equipment in your networks”. The NCSC will be able to issue that guidance and that will by confirmed by legislation, which, as the noble Lord said, will provide for a legal enforcement mechanism by the regulator.
As both noble Lords have hinted, I am absolutely certain that noble Lords and Members of the other place will appreciate that this is a very complex decision, a point I touched on in the Answer to the Urgent Question that I repeated yesterday. There are undoubtedly concerns across the House—from Members of all backgrounds, regardless of which committees they have sat on—about the decision taken. People have different reasons for feeling that way.
The noble Lord mentioned the rollout of 5G and the speed; it is happening quickly and accelerating. Again, that is part of the reason for needing to take this step today: to be able to say to providers that there is a percentage above which they must not go on the edge of that rollout of 5G networks for high-risk vendors. I said in my Statement and reiterate that through market diversification we absolutely want to reduce the reliance on high-risk vendors over time. We want to get to a position in which we do not have to use a high-risk vendor in our telecoms network. That also ties in with the suggestion from the noble Lord, Lord Griffiths, who mentioned home-grown capability. The reality is that this is a market failure that we are dealing with. Although we have many excellent telecoms companies in this country, we do not have those that are making this equipment in such a world-leading way. As part of the diversification strategy, we therefore need to increase dramatically the amount of funding support we give to the research and development of companies in countries that we tend to work with and consider our allies, as well as the UK, to help plug this gap.
We know more about Huawei thanks to the actions taken over the years. Huawei started to be in our networks from 2006. In a way, the high-risk vendor test is perhaps not about meeting the criteria but about not meeting them. If the company does not meet them —in the sense that it operates in a system in which the Government expect companies or individuals to act in accordance with their wishes—that means the high-risk vendor test has not been met, so it is a high-risk vendor. Of course, the work of our services and the advice given to the National Security Council by the services is very much evidence-based.
The noble Lord, Lord Campbell, mentioned the Intelligence and Security Committee. I was struck yesterday when a member of the Intelligence and Security Committee in the previous Parliament said in the other place that he felt the risks with Huawei could be mitigated. Perhaps it depends on the evidence and inquiries that different Members have been involved with.
In relation to the Five Eyes relationship, the Prime Minister has spoken to President Trump. A number of us have been engaged in discussions with US counterparts over the last few months, and of course account has been taken of everything they have raised with us, but—because of our experience with Huawei and where we are on 4G and 5G—the view is taken that we are able to mitigate these risks. That is the advice we have had. I said in my remarks that today’s decision does not affect our ability to share sensitive intelligence data over highly secure networks both within the UK and with our partners, including the Five Eyes.
As I said in my Statement, it is not possible to exclude all risks in relation to telecoms. Cybersecurity and malicious cyberactivity are a 21st-century danger to all countries. That does not mean we should not have sophisticated telecoms networks and 5G networks. It means we have to be realistic about the risks and how we mitigate them. Finally, I absolutely assure the noble Lord, Lord Campbell, that in no way would this Government ever compromise national security, even for the very worthy goal of making sure that people in this country have access to broadband.
My Lords, the Secretary of State has made it clear that there are many risks in taking this decision about Huawei. Can she give the House some idea of what additional costs will be involved in monitoring technology and equipment manufactured and imposed on this country by a communist regime?
Yesterday I raised human rights with the Secretary of State, and I wonder what consideration has been given to the anti-slavery academics who describe what is happening in Xinjiang—where, as we have heard, probably 1 million Uighur Muslims are incarcerated and where Huawei is a key player—as the world’s worst incidence of state-sponsored slavery. What due diligence will be done on Huawei to ensure compliance with the UK’s legislation, which is world class and leading on anti-slavery and modern-day slavery issues? Can the Secretary of State say what consideration has been given to unbridled surveillance, mass imprisonment, relentless propaganda and egregious human rights violations, which are too high a price to pay for subsidised technology that endangers our security and compromises British values and a belief in human rights?
I thank the noble Lord. His latter point picks up on some of the points he made yesterday afternoon, when I was also standing in this position. To start with his first question, on the cost of compliance, thanks to the Huawei Cyber Security Evaluation Centre oversight board, there are already costs incurred of monitoring the use of Huawei technology in our networks. I cannot give him a specific figure now; if we are able to, I suspect it will be partly as a result of the necessary impact assessment that will have to be prepared by government and Ministers when putting legislation before this House. If I am able to give him anything approaching a figure at this stage, I will write to him with that information.
Yesterday, in this House, the noble Lord quite rightly raised the human rights abuses. The UK has been clear that China’s approach in Xinjiang must stop. We have led international condemnation of the systematic human rights abuses against the Uighur Muslims and other minorities in China. Ministers and senior officials regularly raise our concerns with the Chinese, and in October, the UK read a statement of concern on behalf of 23 countries at the United Nations in New York.
The challenge of today’s decision—and the reason Ministers rightly wanted to take a good length of time to consider it, and wanted there to be a secure and reliable evidence base on which to make it—is that although this is a decision about telecoms, it is set in a wider geopolitical context, some factors of which the noble Lord has highlighted. I do not agree with him that is an either/or situation. As a country, we have a relationship with China that gives us the ability to make statements to the United Nations of the sort I mentioned. Equally, Huawei is already in our networks. What we are doing today is constraining its use on the edge of the networks, which will also help with further market diversification so that we do not need to rely on Huawei in the future.
My Lords, I thank the Minister for her Statement. Will she explain, as I asked yesterday, why this decision has pre-empted the strategic defence and security review? The Minister spoke very strongly, and at length, on technical points, and I have the greatest respect for GCHQ and the National Cyber Security Centre, but this is not just a technical issue. This is critical national infrastructure that touches upon defence, security and many aspects of our foreign policy and foreign relations. The appropriate place to take this decision was during the strategic defence and security review. I hope that we have not added to the market failure that the Minister mentioned by political failure. I fear that this decision has been taken in a way that does not allow all necessary parties inside government who are interested to argue their case publicly and transparently. I hope I am wrong, but the idea that we can isolate one part of this system in the network world seems extremely optimistic.
I thank the noble Lord very much indeed for his points, which are based on great experience. He is right that we talked yesterday about the expected strategic defence and security review. While of course the decision took account of wider factors, as I have said, this is a decision about the telecom supply chain in this country, where the rollout of speedier connectivity is already happening and where we are not able, at the moment, to limit the use of high-risk vendors in those networks by providers who are already rolling this out. This decision was not taken overnight; this Government and the previous Government have been discussing it for quite a number of months. That is why the decision needed to be taken, and the factors talked about by the noble Lord were taken into account in the discussions to date.
My Lords, I welcome the Statement. The noble Lord, Lord Campbell, raised the matter of the American viewpoint. Is it not the position that the Americans regard China as their enemy and number one rival in a superpower world rivalry that some of us would regard as slightly out of date? But that is its position. Here, of course, we do not have the same viewpoint. In the networked world, we are taking a rather different, more subtle position. Does that not therefore mean that, provided we are very careful in the way that the Minister described, we can take a more balanced view than the Americans? Is it not really as simple as that?
I thank my noble friend very much indeed. He has boiled it down to a very simple point. He is absolutely right to say that we have taken the decision that is right for the United Kingdom, while, of course, listening to the views of allies around the world, including the United States. It is important that we make the right decision for the UK, for our connectivity and future networks. We are confident in the decision taken to ban Huawei from the core part of the network and for it to have limited access to the periphery of the networks. Although other countries have taken the view that that is not possible, the National Security Council’s advice is very much that it absolutely is.
My Lords, I declare an interest as one of the rather small trade union membership of former national security advisers. I entirely agree with the Minister that there is no risk-free solution in this situation, or in any security and intelligence judgment. I welcome the fact that the National Security Council was able to take a decision in a context where very strong arguments were being put on all sides. To answer the noble Lord, Lord Reid, I am sure that all the relevant interests around Whitehall argued their cases vigorously in the NSC; that is what it is for. I am glad that the Government seem to have been able to take the very professional advice from our world-class experts on cybersecurity.
I am sure that Ministers were delighted to have the barrage of no doubt well-intentioned advice from across the Atlantic, but given that many American commentators seem to see the slightest role of Huawei in our system as an existential threat, is it not quite extraordinary that the US does not have its own 5G technology solution to offer to western allies? Perhaps one of the lessons of this, as the Minister suggested, is that there has been a market failure and that, before we get to 6G, the West ought to be much more co-ordinated in its approach so that we have an entirely reliable basis in technology to go forward. In the meantime, this seems to be the right risk-managed solution for a diversified network in the circumstances we find ourselves in.
I thank the noble Lord very much indeed for his support. He is of course right that Ministers must take the decision with the advice of experts and based on the circumstances as we face them. The Prime Minister and the whole council were very clear about the need for urgent work on a diversification strategy with companies in the United Kingdom, but also, of course, with the technology expertise of our allies, including the United States. I very much hope that we can progress those discussions very speedily.
My Lords, the Huawei cybersecurity evaluation oversight board says:
“The Oversight Board continues to be able to provide only limited assurance that the long-term security risks can be managed in the Huawei equipment currently deployed in the UK”.
It goes on to say that
“it will be difficult to appropriately risk-manage future products in the context of UK deployments, until the underlying defects in Huawei’s software engineering and cyber security processes are remediated … At present, the Oversight Board has not yet seen anything to give it confidence in Huawei’s capacity to successfully complete the elements of its transformation programme”.
Why can the Government not wait until the oversight board has seen and is content with Huawei’s transformation programme rather than going into this rather risky decision today?
That is because the evidence of the oversight board—it is extremely vital to our relationship with Huawei, a world-leading structure to have over it, and it provided the evidence that our services provided to the National Security Council—was not the only evidence that the National Security Council received that gave us the reassurances to make this decision today. Some of it cannot be discussed in public. The board will absolutely continue to operate and to work with Huawei to improve standards.
My Lords, in an ideal world we would not want the Chinese to provide us with telecoms equipment, build our nuclear power stations, own all our CCTV structures, buy British Steel or invest so much in the City, but we are not in an ideal world. The Americans make a lot of complaints about risks to intelligence. I was in the intelligence world for six years. I do not believe that there will be a risk to intelligence unless they say that they will not give information. This is extraordinary, bearing in mind that they released several hundred thousand of our very sensitive signals using SIPRNet, WikiLeaks and Snowden. We have to be a bit careful about shouting the odds about intelligence.
Does the Minister not think it inconceivable that the director of GCHQ and the head of the NCSC, who know more about this issue than probably anybody else in the UK, would ever give advice that put our intelligence at risk, bearing in mind that intelligence has been their bread and butter all their lives?
It is a delight to agree with the noble Lord. I and my colleagues have been thoroughly impressed with the careful, systematic way in which GCHQ, the NCSC and other services have advised the National Security Council on this matter. He is right: if they felt that different advice should have been given, it would have been given. I put on record my thanks to them for all the work that they have done on this.
My Lords, does my noble friend agree that there is real concern when dealing with a totalitarian state that thinks not in electoral cycles but in the long, long term? Can she give a total assurance that this matter will be kept under constant surveillance and review? I and many others fear that we may be going for short-term advantage and creating long-term vulnerability.
I can give the assurance to the noble Lord that this matter will, of course, be kept under constant review. That is one reason why we want to legislate to give the regulator and the Government the power not only to ask nicely for high-risk vendors not to be overly involved in our networks, but also to enforce a cap. In relation to the periphery, I stress again, for the benefit of all those watching or listening, that the high-risk vendors will not be part of our core network infrastructure. The noble Lord set out the concerns of many in relation to dealings with China, which we have fully understood and reflected in our discussions.
My Lords, I welcome the report, because it is evidence-based and has a comprehensive structure for reviewing and endeavouring to control. We should not underestimate the importance of the 5G network to the future of the UK in terms of the fourth industrial revolution and, as the Minister mentioned, to connectivity. Perhaps at the core—an unfortunate choice of word—of this decision is the view that you can separate Huawei’s involvement in the edge of the networks from any involvement at the core. Are we likely to get any more information at this meeting at 4.30 pm on what led to that conclusion?
I fear that the noble Lord may be asking whether it is worth attending that meeting. Of course, it is always worth attending meetings with my officials and others, but yes, that is certainly something which will be discussed there. I draw his attention to the two documents published alongside the Written Ministerial Statement. One is the guidance note from the NCSC, which will go to the providers. The other is a more detailed note on the security analysis for the UK telecoms sector of the information that can be made public. It explains the difference between core and edge, and why our services have taken that view. The guidance note sets out very clearly, for those who are technically minded, exactly what the high-risk vendors are able and not able to be involved with. I join him in saying that 5G is very important for the productivity and growth of our economy and the levelling-up agenda that the Prime Minister has talked about so much.
My Lords, I visited Huawei in Shenzhen. There is no doubting the quality of its products, which will make it difficult for the West to compete. Can my noble friend comment on the governance that we have in the UK for Huawei, which she has touched on? Is it adequate? I am conscious that, for example, if we sell arms in the US, we have to set up special boards which involve US citizens rather than UK citizens, to ensure that there are no problems for the US. Are the governance structures in the UK for this sensitive area adequate?
I thank my noble friend. I have already talked about the Huawei cyber security oversight board and its governance. In the discussions I have had with officials, no question has been raised about the adequacy of the governance. As a noble Lord set out earlier, the board needs to work through the conclusions with Huawei to make sure it is satisfying some of the points which have been raised. I will certainly take away the issue she has raised and check whether, in the course of carrying out these changes, there is anything further we should do on the governance structure.
My Lords, is this approach of separating access to core and non-core parts of the network now a general policy with regard to companies from other countries, wherever they are from? If so, would we apply the same principle if it were, say, a company from North Korea, Iran, Russia or any other country which applied to participate in the future?
As I said earlier, if the noble Lord looks at the documents, he will see that the process sets out clearly how a high-risk vendor is defined, which was one of the points raised by his Front Bench. The requirements that a company does not meet—there is a list of them—determine how it will be considered a high-risk vendor. Once it is considered a high-risk vendor, and if a provider wanted to include it in the networks, that would trigger involvement by the NCSC in working out how its involvement could be mitigated. So, there are a number of steps that I would expect, based on today’s announcement and where we are with the providers and rollout of 5G. I have made it clear that we want to reach a stage where there is no need for any high-risk vendors in our system. However, we are some way off that, which is why the NSC has taken the decision it has taken today.
My Lords, the issue of governance boards, rightly raised by the noble Lord without a tie, is a valid one. It was first flagged up that we had problems with Huawei, after a number of years, when it stated that it could no longer guarantee security. Huawei was told to put in place a lot of investment—£2 billion, I think. Has that investment been put in to harden up the systems and to correct those problems?
The oversight board’s conclusions are, I believe, public documents. As we heard earlier, there are question marks about things that Huawei has been asked to do which it has not done. I would need to check the specifics on whether it has spent that money and where we are in the latest process—the oversight board publishes its report annually—and I am happy to write to the noble Lord with further details.
My Lords, this subject is larger than telecommunications. After 31 January we will be ready to go global—widening and working together, particularly with the Five Eyes. What the outcome might have been I do not know but the point that has been made is, what was the rush? We have not yet decided our long-term policy and we have not had our discussions on security. Supposing we had said, “We will make a decision by June or December”. Can the Minister explain what the huge disadvantage would have been in waiting until then and having aired here some of the concerns, which I somewhat share?
The concerns that have been aired in this House today—which I am sure are being raised in the other place following a Statement by my right honourable friend the Foreign Secretary—are shared by many, even by those of us who have made the decision we have made today. It was not an obviously clear-cut decision of the kind that those who have been Ministers or involved in the leadership of any organisation will know it is sometimes easy to make.
The noble Lord asked about speed and why it was necessary to make these decisions. I am looking for that information but, on the rollout of 5G, as I said earlier, more and more companies are installing the masts and connecting not just tens of thousands but hundreds of thousands of premises to 5G, which is using Huawei equipment. At the moment there is no ability—other than, as someone said, asking nicely—to limit the involvement of Huawei. Today, with this guidance, the NCSC is able to say that on the periphery of the networks, involvement by Huawei is limited to 35%. That is a constraint for a number of providers; they will have to get down to that figure, which we expect to encourage wider diversification. The NSC could not have put off this decision for much longer, given the ongoing speed with which 5G is being rolled out in this country.