For a start, there are no trusted vendors. Most companies operate a zero-trust policy when it comes to all cyber-security vendors. Secondly, the key point is how we manage that risk. I will go on to answer the question in a bit more detail, if my hon. Friend will bear with me.
The TSRs establish a baseline for security in telecoms, and put it on a statutory footing. They prohibit the use of high-risk vendors in sensitive functions of the network, and cap the use of such vendors at 35% across the network as a whole. As a result of their implementation, we will have some of the most secure networks in the world. The TSRs provide a clear and exhaustive list of sensitive functions related to the control, orchestration and virtualisation of our networks where high-risk vendors cannot be used. They will not be used in the intelligence or control planes of the network, and therefore will not interact with customer traffic in a detailed manner. Any impact of failure will also have a limited, localised geographical reach.
Many understandable concerns have been raised that moving to 5G networks will somehow merge those sensitive functions, often referred to as core functions, with less sensitive parts of the network in which equipment from high-risk vendors will be used. Moving to 5G network technologies could enable us to move sensitive functions out to the edge of the network, but “could” does not mean “should”. Were we to do so, using a high-risk vendor would be the least of our problems.
The further restrictions of only one high-risk vendor in the network and the hard cap of 35% further enhance the security standards. Security architecture principles are not a desperate measure to enable us to use a high-risk vendor; they are part of every network deployment everywhere, whether it is a telecoms network at national level or a business network at company level. More sensitive information and functions with higher risk are treated differently from those with lower risk. A blanket approach of doing away with all higher-risk vendors or technologies would mean that we could not use emerging technologies that offer so much benefit when deployed appropriately.
Today’s motion specifically references Huawei. The UK has globally leading insight into Huawei’s operations, processes and products through the Government-chaired Huawei cyber-security evaluation centre. Whoever the vendor is, any responsible telecoms provider will fully test all hardware and software before deploying it into their networks.