Out-Law News | 07 Jun 2013 | 3:35 pm | 3 min. read
The Intelligence and Security Committee (ISC) said it had concerns that the UK's national security was at risk because insufficient processes and controls were in place to assess and manage the risk posed by foreign investment in CNI.
The ISC raised concerns about the way in which Chinese telecoms giant Huawei was able to contract with BT to supply "transmission and access equipment, including routers" for deployment in its upgraded telecoms network in 2005 without potential security dangers being flagged to Ministers.
Whilst BT informed Government officials of Huawei's interest in contracting with it, those officials did not inform Ministers about the potential deal, it said.
"There was no justification for failing to consult Ministers about the situation when BT first notified officials of Huawei’s interest," the Committee said in its report, entitled 'foreign involvement in the critical national infrastructure: the implications for national security'. (29-page / 832KB PDF) "Such a sensitive decision, with potentially damaging ramifications, should have been put in the hands of Ministers."
The ISC said that concerns relating to Huawei technology are based on its "perceived links to the Chinese State", which it said is "suspected of being one of the main perpetrators of State-sponsored attacks, which are focused on espionage and the acquisition of information".
The Committee said, though, that security concerns about Huawei's involvement in BT's upgraded telecoms infrastructure were not followed up until after the companies had signed their contract. It said it was concerned that the failings in the case could happen again and recommended that changes be brought about to address the "disconnect" between the UK's policy on inward investment and its policy on national security.
"There must be: an effective process by which Government is alerted to potential foreign investment in the CNI; an established procedure for assessing the risks; a process for developing a strategy to manage these risks throughout the lifetime of the contract and beyond; clarity as to what powers Government has or needs to have; and clear lines of responsibility and accountability," the ISC said in its report. "When it comes to the UK’s Critical National Infrastructure, Ministers must be kept informed at all stages."
"We do not believe that these crucial requirements existed when BT and Huawei first began their commercial relationship. From the evidence we have taken during this investigation, the procedural steps that we have outlined still do not appear to exist. However, as we went to press, we were told that the Government has now developed a process to assess the risks associated with foreign investment into the UK. Whether these processes are sufficiently robust remains to be seen: the steps we have outlined must exist to ensure that Government does not find itself in the same position again," it said.
Amongst the specific concerns the Committee raised was in relation to a cyber security evaluation programme funded and operated by Huawei. The scheme allows telecoms operators to raise any security concerns they have with Huawei's products. However, the ISC said it was "in the national interest" to ensure that the programme is staffed by GCHQ employees in future or at least have greater oversight of the scheme.
"The Government’s duty to protect the safety and security of its citizens should not be compromised by fears of financial consequences, or lack of appropriate protocols," the ISC said. "However, a lack of clarity around procedures, responsibility and powers means that national security issues have risked, and continue to risk, being overlooked."
"The BT/Huawei relationship began nearly 10 years ago; the process for considering national security issues at that time was insufficiently robust. The Committee was shocked that officials chose not to inform, let alone consult, Ministers on such an issue. We are not convinced that there has been any improvement since then in terms of an effective procedure for considering foreign investment in the Critical National Infrastructure (CNI). The difficulty of balancing economic competitiveness and national security seems to have resulted in stalemate. Given what is at stake, that is unacceptable," it added.
In a statement BT said that it tests equipment provided by suppliers "both before and after deployment to ensure there are no vulnerabilities".
"The experts at GCHQ say BT is an ‘exemplar’ and that the UK network has not been at risk due to the measures we have taken," BT said. "Security is at the heart of BT and it will continue to be so in the future. Our testing regime enables us to enjoy constructive relationships with many suppliers across the globe. One of these is Huawei with whom we have had a long and constructive relationship since 2005."
Huawei faced similar criticisms about the security of its technology from a committee of the US Congress last year. The House Intelligence Committee said US businesses should not use parts manufactured by Huawei or fellow Chinese firm ZTE after deeming use of technology made by the companies a national security risk.
At the time Huawei criticised the report findings, claiming that HIC had appeared to have been "committed to a predetermined outcome" with the aim of shutting Chinese firms out of the US telecoms market. It said it had "proven track record of network security in the United States and globally".