As well as targeting gear with backdoors
So that's Cisco & Juniper out of the running as well then is it? I assume this will apply to all networking kit used for 5G, not just the wireless bits.
Not content with its planned ban on Huawei equipment in the UK's 5G phone networks, the British government now wants to threaten Huawei-using telcos with fines of £100,000 a day unless they follow binding new rules on how existing kit can be used. A new law being laid in Parliament today will allow the government to write …
"...allowing civil servants to create legally binding codes of practice without Parliamentary oversight."
Hmm, do I detect the thin end of a wedge?
What's the point of having an expensive Parliament if the government can side-step it to avoid accountability and rule by diktat?
There might be good reasons for introducing such Draconian powers, but then there always are. No, like them or loathe them, we need MPs to keep government honest. Just like Joanna Cherry MP and others did last year with the illegal proroguing of parliament.
It's standard practice for a lot of law covering low level details, and has been for decades if not longer. Pretty much any new bill will have provisions stating "Regulations may:" followed by a list of areas that are permitted to be covered by secondary legislation. Primary legislation simply can't cover a lot of low level details. Typical examples would be regulations that say a specific form must be completed or a call made to a particular number which change every few years, or technical rules for which Parliament is the wrong forum. Do you think MPs are best placed to determine the dimensions and other specifications of a BS1362 UK mains plug for example?
You do get the other approach used occasionally for contentious topics, the act for HS2 comes to mind which specified the entire route within it (the MPs would have it no other way if it goes through their constituency). The resulting bill was 50,000 pages long, i.e. long enough that no one has read it. How is that any better?
Even regulations are not entirely above Parliamentary scrutiny however. Generally they have to be filed with the House of Commons library and only become law a few weeks later. In the interim Parliament is free to review and strike down those regulations if it sees fit. You can bet the opposition parties do review what gets filed, and occasionally they do become the subject of debate. However, the vast, vast majority go through without any comment at all.
Politicians attempting to define technical architecture and functionality of network components..
More civil servants rather than politicians. And it's not necessarily a bad thing, e.g.:
* carefully control who has permission to access sensitive core network equipment on site as well as the software that manages networks;
* make sure they are able to carry out security audits and put governance in place to understand the risks facing their public networks and services; and
* keep networks running for customers and free from interference, while ensuring confidential customer data is protected when it is sent between different parts of the network.
Except perhaps the last one, which may not play nicely with 'net neutrality, or lawyers. Rest is (or should be) pretty much best practice for telcos.
Access could be tricky, but prevent someone bimbling along and accessing craft terminals/console ports. Or just stealing cards from core switches/routers. But devils are in the details. So will 'preventing access' mean kit is locked in a rack? Or will it need to be in an access controlled area? Or no local control plane access permitted?
All of that is arguably a Good Thing(tm) but may present implementation issues, if 'core access' applies to kit collocated in common areas inside shared datacentres. Retrofitting those so telco kit is caged, or just all in a more secure telco-only room will be expensive in most of the popular datacentres. Disallowing craft/console access will obviously make the life of a field engineer FUN!
Datacentres already have their own security/access procedures, some good, some not so good, so a common standard, ie named staff, photo ID, confirmation via NOC is all good. Like one location where I'd dance for the NOC's security camera before they'd unlock the door. Luckily they controlled ingress, not egress. But I guess access restrictions could include requiring staff be vetted, which is already a thing for some sites, but may cause problems if extended to any ops staff with access. Especially I guess when those functions are outsourced & off-shored.
Same applies to audit. It's best practice, but sometimes challenging to tell ops types that they can't just jump onto a router and go ham. Which should then be part of telco's change management processes, ie all changes be logged, approved and tracked. Additional challenges come from good ol' SDN, which extends control plane functionality to customers, but most vendors I've seen have gotten better at providing capabilities to track & audit those changes.
Last one is potentially the most FUN. So touches on SLAs and potentially vague assurances wrt security and data integrity for customer traffic. So will this mean an Ofcom levied fine for network outages? The ICO already has power over breaches, so there's a possibility for bunfights there. But 'secure' is more vague, ie will that mean encrypting core links? That's possible, but by no means cheap on core switches that handle Tbps of data.
But the proposals in the Bill aren't that surprising, ie it's pretty much taking stuff from CESG's Manual of Protective Security and applying those to public networks. BT and many of the other big telcos would (or should) have systems & procedures in place given the public sector customers they manage.
HCSEC has been run by GCHQ and paid for by Huawei since 2013, and they have basically said, while their kit is efficient and cheap, their coding practices are a mess and if any back doors were intentional, they would be hard to distinguish from the not so intentional ones.
The Chinese requirements on their companies are no more than the US have under various laws and definitely no more than RIPA and DEA allow in the UK, the enforcement regime may be a little more thorough ....
Basically, Huawei have the best kit, which also happens to be cheaper and on better finance terms.
It's also expensive kit to replace and has been part of our networks for a long time.
So if the UK really wants to start its independent way in the world by distancing China along with the EU, and not really having the US in its corner anymore .....
"If it was really about security then *all* vendors would have to submit their code for audit by GCHQ."
Exactly. This whole fiasco has never been about security. Going through the motions of auditing other vendors software would be a total waste of time as the verdict had already been decided. It wouldn't matter to the government if all the non-Huawei products were riddled with backdoors. :/
Just another example of Cardassian Law in action:
"On Cardassia, the verdict is always known before the trial begins. And it's always the same."
"In that case, why bother with a trial at all?"
"Because the people demand it. They enjoy watching justice triumph over evil every time. They find it comforting."
Are Parliamentarians [Roundheads] plotting or preparing for a Revolutionary Civil War against or with leading Cavaliers, and is it worldly wise of them in an age in which they have no chance of effective overall command and control?
Is someone in Westminster spiking the Honourable Members' mineral waters? Or is there another valid excuse for their perceived madness and destructive badness?
No, it looks like the politicians are preparing to join the (physical) US war with China, when it eventually happens. In return for a trade deal, of course.
The only lesson we learn from history...
No, it looks like the politicians are preparing to join the (physical) US war with China, when it eventually happens. In return for a trade deal, of course. ..... Anonymous Coward
Let's hope not, AC, for in that case too, what other excuse would there be for such madness, other than something they're taking being spiked and rendering them liable to harmful actions against states, or their being incredibly ignorant and arrogant and unwitting victims of coercion, bribery and corruption?
And whilst that would be certainly unfortunate, it pales into insignificance should it be something else entirely and a freely made personal choice, for virtually and practically much anything else and that has them facing the prospect of charges of high treason, and that is no joke. Such is real serious, grown up human type shit. And history, which can be a cruel master, teaches the wages for that mortal sin is invariably a welcome unseemly and untimely death.
One would like to think though that any secret intelligence service monitoring and mentoring with national and international security operands would be able to take extremely effective suitable care of that pretty clear and present danger. If they either cannot or do not, are they in need of a totally new leadership, for that is where the epic fail resides and presides ........right at the top in the rotten heads of the Hydran beast.
>>allowing civil servants to create legally binding codes of practice without Parliamentary oversight.
Looks like the backdoor is being taken out of the equipment and left in government, where it rightfully belongs. No one is hacking this country without greasing the right palms.
For Huawei, you ask? of course not, it's an open equal opportunity backdoor.
Bitcoin preferred. Updated codes of practice within 3 months of payment. Speed it up with a "National security concerns" add-on, hide it from everyone with complete anonymity guaranteed, ask for details.
Looks like the backdoor is being taken out of the equipment and left in government, where it rightfully belongs. No one is hacking this country without greasing the right palms. .... Anonymous Coward
Where it rightly belongs and is very convenient indeed, AC. Provide that sort of Sterling Stirling Service and one be immediately enabled and able to be immensely rich ..... and be immediately able to enable the immensely rich and populous dirt poor too via all manner of Novel Shenanigans and 0day Operations? :-)
It's a figleaf. It's not as if the Ministry for blah, blah, and also Sport has the staff or the equipment to do the checking, but the legislation will give them the ability to snoop at will without having to "waste time" with tiresome things like "due process" and getting a judge to issue a warrant. I mean, won't someone think of the children?
Nobody will die if an apprentice telecoms operator uses the wrong credentials to login to a maintenance terminal. If after accessing that maintenance terminal said apprentice unknowingly changes config that causes a packet storm, knocking a firestation out of the emergency communications network such that that firestation fails to receive a dispatch to a fire, people could die.
Nobody will die if a switch fails to get a BIOS flash. If that missed BIOS flash fixes an actively exploited vulnerability, thus allowing that switch to be knocked offline, thus breaking connectivity between a hospital's MRI machine and the terminals, thus preventing a diagnosis of a condition that requires immediate surgery, and not getting that surgery results in death, then yes people could die.
Nobody will die if a software patch fails. If the failed software patch results in a non-functional system, such as a blood bank's ordering system to send blood to hospitals, then people may die due to insufficient blood supplies at A&Es.
While these are extreme examples, they are realistic: our modern "Just In Time" society depends on communications infrastructure that can provide 'real-time' communications. If it is unavailable or compromised, people very well could die.
I guess you don't know much about telecoms. Neither a failed base station, a broken switch nor unpatched software interrupts service delivery. The call still gets through.
People die when railway signals are wrong.
People die when air traffic controllers are confused.
People do not die when a call is routed less than optimally. So I ask again, why is this draconian legislation necessary?
Ok so over 70% of the VDSL fibre muxes in UK cabinets are Huawei (and apparently rising)
and about 30-50% of the DSLAMs in UK exchanges (for DSL max)
so it's going to be time for Popcorn if the ministry of fun go all medieval on "high risk" vendors, and smoke signals.
BTW Cisco who have another 40% of the DSLAMs are the only vendor to have been proven to be manipulated by security agencies, but somehow they are not "High Risk"
The UK Government eventually opted for a ban on Huawei kit because of heavy sustained pressure from the USA which was created by Donald Trump and for which nobody has been shown any hard evidence.
What if the incoming Government under Joe Biden decides to ease off significantly on the trade war with China and reverses the political decision to ban Huawei. What will the Johnson government do then?
Will somebody think of the poor telcos?
"Will somebody think of the poor telcos?"
Not poor telcos - it will be their customers who end up footing the bill (in the billions) just to satisfy the politicians' whims.
And then they'll end up voting for them. Again. And Again. Turkeys....Christmas.
BTW Cameron promised to abolish OFCOM years ago. OFCOM - standing up for the interests of the public. Except when it's not.
Of the way that the UK likes to gold plate externally decided rules to be implemented zealously by jobsworths.
Like my county council imposed 24/7 parking charges on our village car park which is only ever full during office hours.
And now policed till 9pm and at weekends by zero hours subcontractors whose main qualification is how to be a jobsworth.
Biting the hand that feeds IT © 1998–2022