Full Report
A summary of the NCSC’s analysis of the May 2020 US sanction which caused the NCSC to modify the scope of its security mitigation strategy for Huawei.
Analysis Summary
# Regulation/Compliance: NCSC Modified Strategy for Huawei in UK Telecoms (Post-May 2020 US Sanctions)
## Overview
This regulation represents a significant shift in the UK’s cybersecurity mitigation strategy for High-Risk Vendors (HRVs). Following the May 2020 US Department of Commerce sanctions—ing which restricted Huawei’s ability to use US technology and software to design and manufacture semi-conductors—the NCSC concluded it could no longer guarantee the security of future Huawei equipment. Consequently, the UK government mandated the phased removal of Huawei from 5G networks and prohibited the purchase of new equipment.
## Key Details
- **Issuing Authority:** National Cyber Security Centre (NCSC) / Department for Digital, Culture, Media & Sport (DCMS)
- **Effective Date:** July 14, 2020 (Announcement of policy change)
- **Jurisdiction:** United Kingdom
- **Status:** Final / In Effect
## Requirements
### Mandatory Requirements
1. **Ban on New Procurement:** Operators must stop purchasing new Huawei equipment for 5G networks.
2. **5G Removal:** All Huawei equipment must be removed from the UK’s 5G networks by the final deadline.
3. **FTTP Transition:** Transition away from Huawei in Full Fibre (FTTP) networks to ensure a diverse supply chain.
4. **Cap on Presence:** Limit Huawei’s presence in the non-core part of the 5G network to a specified percentage (previously 35%) before total removal.
### Recommended Practices
1. **Vendor Diversification:** Actively seek alternative suppliers (e.g., Ericsson, Nokia) to prevent vendor lock-in and enhance resilience.
2. **Inventory Auditing:** Maintain a precise asset register of all HRV components currently in the infrastructure.
## Affected Organizations
- **Industries:** Telecommunications (Mobile Network Operators and Managed Service Providers).
- **Organization Size:** All national-scale telecommunications providers.
- **Geographic Scope:** United Kingdom.
## Compliance Timeline
- **14 July 2020:** Policy announcement following NCSC technical analysis.
- **31 December 2020:** Final date for the procurement of new Huawei 5G equipment.
- **31 December 2027:** Deadline for the total removal of Huawei equipment from UK 5G networks.
## Implementation Guidance
### Assessment Phase
- **Supply Chain Audit:** Identify all Huawei-managed components in the 5G core and access networks (RAN).
- **Impact Analysis:** Determine the technical and financial impact of swapping out existing "rip-and-replace" hardware.
### Implementation Phase
- **Procurement Pivot:** Shift all new infrastructure contracts to non-HRV vendors.
- **Phased Decommissioning:** Systematic removal of Huawei hardware during scheduled maintenance windows to minimize service disruption.
### Validation Phase
- **Compliance Reporting:** Submit regular progress reports to DCMS and the NCSC regarding the percentage of HRV equipment remaining in the network.
## Technical Requirements
- **Hardware Sovereignty:** Transition to hardware that does not rely on "untrusted" supply chains created by US export control bypasses.
- **Core Isolation:** Strict exclusion of Huawei equipment from the "Core" of the network (the sensitive "brains" of the system).
- **Security Oversight:** Continued monitoring of existing legacy equipment via the Huawei Cyber Security Evaluation Centre (HCSEC).
## Penalties & Enforcement
- **Fines:** Under the Telecommunications (Security) Act, companies can be fined up to 10% of turnover or £100,000 a day for ongoing non-compliance.
- **Other Consequences:** Legal directives to remove equipment at the operator's expense; potential loss of operating licenses.
- **Enforcement:** Monitored and enforced by **Ofcom** based on NCSC technical guidance.
## Related Standards
- **Telecommunications (Security) Act 2021:** The legislative framework providing the government powers to enforce these requirements.
- **NCSC Telecoms Security Principles:** Framework for protecting UK networks from sophisticated state-level threats.
## Resources
- **Official Documentation:** [https://www.ncsc.gov.uk/report/summary-of-ncsc-analysis-of-us-may-2020-sanction]
- **Technical Blog:** [https://www.ncsc.gov.uk/blog-post/a-different-future-for-telecoms-in-the-uk]
## Practical Recommendations
- **Accelerate OpenRAN:** Explore Open Radio Access Network (OpenRAN) technologies to decrease reliance on a small pool of traditional vendors.
- **Stockpile Spares:** Ensure sufficient audited spare parts are available for existing 4G/5G Huawei equipment to maintain availability during the phase-out period.