• As expected the UK government has skillfully swerved around the Huawei issue
• New regulations for network cyber security and supply diversity are to be nailed down
• But it’s too early to call on what should happen to Huawei in the UK

The UK has witnessed a disturbing upsurge in Jeremys. We have Jeremy Corbyn, Labour Leader of the Opposition in Parliament; we had Jeremy Hunt, Prime Ministerial hopeful until today when he was finally bested by Jeremy Johnson. And yet another Jeremy, one Jeremy Wright, who delivered, as the responsible minister, the sound of a can being kicked down the road. 

[Yes I know ‘Boris’ Johnson is the new prime minister, but I like to think of him as a Jeremy too]

Back to Jeremy Wright’s can

That particular Jeremy is the Digital, Culture, Media and Sport Secretary and he’s the man responsible for the Telecoms Supply Chain Review, put in train to find a sensible way out of the Huawei ‘security problem’. The idea was to find a formula that could avoid the nuclear option of banning Huawei from the UK’s 5G networks at the behest of President Trump. To ban it at this advanced stage would be catastrophic for the UK’s next generation network ambitions, to outright refuse to ban would risk the ire of the thin-skinned President.

So the can in question was the announcement today by Jeremy Wright that the UK government has delayed its decision on whether Huawei will be excluded from the roll out of 5G networks, with the minister insisting that it was "not yet in a position" to take a definitive decision. With Brexit looming (or not) and Trump likely to quietly shelve his objections to Huawei upon receipt of an acceptable China trade deal, careful can-control (rather than an outright ‘bend it like Beckham’ kick into the long grass) was the best solution, and most UK observers seem to agree. 

According to  Malcolm Taylor, a former senior intelligence officer and director of cyber security at ITC Secure Jeremy’s report, ”by omitting any mention of Huawei and being effectively generic, speaks to the real problem at the heart of this issue for the UK. 

It’s that its telcos can’t build a 5G capability without using Huawei. Being deprived of its kit for 5G build is bad enough, he implies, but requiring the removal of all the existing Huawei kit in the network takes things to “a whole different level of challenge,” and if mandated would put 5G years away for the UK, with significant accompanying economic damage. 

Malcolm says he’s “unsurprised that this report appears to leave all options on the table. It’s another can kicked, but probably wisely.”

That’s what it ignores, what does the review recommend?

Wright says his review identified three areas of supply chain concern. That while existing arrangements may have achieved good commercial outcomes, they’ve not incentivised cyber security risk management, so it recommends:

• That policy and regulation in enforcing telecoms cyber security must be significantly strengthened to address these concerns.
• That the lack of diversity across the telecoms supply chain which creates the possibility of national dependence on single suppliers, poses a range of risks to the security and resilience of UK telecoms networks.

The Review has concluded that the current level of protections put in place by industry are unlikely to do the trick.

So to improve cyber security risk management, policy and enforcement, the Review recommends the establishment of a new security framework for the UK telecoms sector. This would be “underpinned by a robust legislative framework” backed up by legislation at the earliest opportunity, with operators working “closely with vendors on a voluntary basis to ensure effective assurance testing for equipment, systems and software.

“The Government would therefore pursue a targeted diversification strategy, supporting the growth of new players in the parts of the network that pose security and resilience risks. And it will promote policies that support new entrants and the growth of smaller firms.”

“In addition,” said Wright, “we must have a competitive, sustainable and diverse supply chain if we are to drive innovation and reduce the risk of dependency on individual suppliers.”

“All of which means, plurality of suppliers is necessary for best practice solutions,” says Malcolm Taylor. “Procurement methods which make that difficult, need to change. IT provision and cyber security are different and will need different suppliers. Organisations who fail to adapt risk being subject to more, and more damaging, attacks.”

Fundamental problem

Problem is: the telecoms industry is very attached to its traditional dominant supplier ethos. The innovative suppliers, to which Jeremy Wright alludes, have been trying to break into the telecoms infrastructure and software market for years and, with a few exceptions, without noticeable success... at all. 

Most telcos tend to stick to their tried and trusted suppliers often ceding ‘end-to-end’ solutions to them, the better to hold their feet to the fire without vendor-to-vendor finger pointing if something goes wrong. 

As we discussed at TelecomTV’s recent DSP Leaders Forum, the problem is so bad that in the US, venture capitalists won’t fund start-ups that set out to rely on CSPs for revenue, since their procurement processes are so long and so painful. 

So the underlying problem may simply be telcos’ standard procurement processes and the group-think behind them. Without those getting a shake-up the prospects for a diversified, more secure, second and third sourced supply chain, may be negligible.

Please watch our DSP Leaders Forum sessions, in particular this one, where the procurement process problem gets a good airing. 

Unless you procure differently you can't become a DSP