The telecoms market is “broken” and needs to be diversified to ensure the security of UK networks, according to the National Cyber Security Centre (NCSC).
Dr Ian Levy, technical director at the NCSC, said there were only three suppliers of 5G equipment that can be used in the UK and this was “crazy”.
Levy posted a blog as the Department for Digital, Culture, Media & Sport (DCMS) issued new restrictions on the use of “high risk vendors” (HRVs) in the UK’s 5G network.
DCMS said HRVs – including Huawei – would be excluded from “sensitive core parts of 5G and gigabit-capable networks” and there would be a 35% cap on HRV access to non-sensitive parts of the periphery of the network, known as the access network, which connects devices and equipment to mobile phone masts.
HRVs will be excluded from all safety-related and safety-critical networks and sensitive geographic locations, such as nuclear sites and military bases.
“The government will now seek to legislate at the earliest opportunity to put in place the powers necessary to implement this tough new telecoms security framework,” said DCMS.
The government has decided not to ban Huawei completely from 5G networks despite pressure from the US to do so.
In the blog Levy said: “The underlying problem in all this is that the market is broken.
“Already, we ask all mobile operators to use two vendors in their radio access network (RAN) for resiliency reasons. There are only three scale suppliers of 5G RAN kit that can currently be used in the UK: Nokia, Ericsson and Huawei.
“That’s crazy, so we need to diversify the market significantly in the UK so that we have a more robust supply base to enable the long term security of the UK networks and to ensure we do not end up nationally dependent on any vendor.”
A report on NCSC’s investigation into security in the UK telecoms market said an industry trend towards outsourced and centralised functions in international locations meant decisions could be taken without an understanding of local risks.
“This approach may be applied to business decisions, technical decisions, management processes and security processes. Business decisions, such as procurement decisions, are increasingly taken within an operator group HQ,” said the report.
“The most significant risks due to this trend are that business decisions may be taken without an understanding of the local threat environment and without full consideration of the local context or local risks.”