To ask the Minister for the Cabinet Office, pursuant to the Answer of 14 May 2019 to Question 252605 on Huawei: 5G, and with reference to the February 2019 blog by the technical director of the National Cyber Security Centre on Huawei, whether the National Cyber Security Centre monitors the number of UK telecoms operators that utilise HCSEC advice and guidance.
High risk vendors are not in our most sensitive networks. On telecoms CNI, the Communications Act 2003 places an obligation on Telecoms operators to ensure that they have 'appropriate measures' in place to manage the security and resilience of the network. Ofcom are responsible for ensuring that operators meet their obligations under the Communications Act. In addition, the Huawei Cyber Security Evaluation Centre (HCSEC) was established in 2010 as part of a wide mitigation strategy to minimise risk to the UK telecoms critical national infrastructure.
The HCSEC Oversight Board’s reports are publicly available and all telecommunications operators have access to its information. The latest Oversight Board report states that in 2018, several hundred vulnerabilities and issues were reported by HCSEC to UK operators. This information is expected to be fed into the operator’s corporate risk management processes. As I said in my Answer of 14 May, it is the responsibility of operators to ensure the security and resilience of their networks.