Recommendation 8

HM Government Acknowledged

The HCSEC is integral to the UK’s Huawei security mitigation strategy and it provides the UK a unique insight into the workings of Huawei equipment and software. The government requires that HCSEC continues to be maintained at an appropriate level while there is any Huawei equipment in the UK telecoms networks. Huawei has committed to this in writing. The Government is intending to introduce a new security framework through the Telecommunications (Security) Bill. This will consist of strengthened legal security duties in primary legislation and specific security requirements in secondary legislation, for all public telecoms providers to follow. Detailed technical guidance will be set out in codes of practice demonstrating how certain providers should meet their legal obligations. This new framework will place the emphasis on providers to ensure steps are taken to implement a higher baseline of security in the UK telecoms sector. These security requirements will raise the security standards across the sector and will apply to all providers and, by extension, all vendors who supply those providers. Not all vendors have the same security concerns that are attributed to Huawei; however, high security standards are essential for the secure and resilient functioning of telecommunication networks. Mitigation strategies for each high-risk vendor will be dependent on the specific risks relating to the vendor’s circumstances and the context in which they operate in the UK. An HCSEC-like model may not be appropriate for other high-risk vendors. The Telecoms Supply Chain Review recommended the creation of a national facility to help manage the security, functionality and interoperability of telecoms equipment used in the UK. We expect this to be a secure research facility, allowing teams from academia, subject-matter experts, critical industries and government to research, test and learn about security on the UK’s telecoms networks. Further detail is set out in the 5G Supply Chain Diversification Strategy. Creation of this facility, coupled with the requirements on providers to ensure vendor security as part of the new telecoms security framework, should raise the standard of security across the sector.