Asked by: Jo Platt (Labour (Co-op) - Leigh)
Question to the Cabinet Office:
To ask the Minister for the Cabinet Office, pursuant to the Answer of 5 June 2019 to Question 257536 on Huawei: 5G, for what reason the answer does not make reference to whether the National Cyber Security Centre monitors the number of UK telecoms operators that utilise Huawei Cyber Security Evaluation Centre advice and guidance.
Answered by David Lidington
The National Cyber Security Centre engage with every operator who uses the Huawei Cyber Security Evaluation Centre to manage cyber security risks within their networks. Owing to commercial sensitivities this list cannot be disclosed. Other operators may use the guidance that is publicly available on the NCSC website, which we cannot track, or advice from other relevant bodies such as Ofcom, the regulator.
Asked by: Jo Platt (Labour (Co-op) - Leigh)
Question to the Cabinet Office:
To ask the Minister for the Cabinet Office, pursuant to the Answer of 21 May 2019 to Question 255389 on 5G, if he will make an assessment of the potential merits of instructing the Huawei Cyber Security Evaluation Centre to (a) evaluate and (b) inspect Huawei 5G equipment.
Answered by David Lidington
The UK’s National Cyber Security Centre, as the national technical authority for information assurance and the lead Government operational agency on cyber security, leads for the Government in dealing with HCSEC and with Huawei more generally on technical security matters
The Huawei Cyber Security Evaluation Centre (HCSEC) is a private entity. As detailed in the HCSEC Oversight Board report, their plan of evaluation is driven by the commercial rollout of services by the UK operators that use Huawei equipment.
As new equipment is rolled out, Government can work with them to refocus their efforts but we cannot instruct them. When operators do begin deploying equipment then it can be tested. HCSEC has not begun assessing any 5G equipment.
We have undertaken a thorough, evidence-based review of the 5G supply chain to ensure the secure and resilient roll-out of 5G. It will report in due course, and to Parliament first.
Asked by: Jo Platt (Labour (Co-op) - Leigh)
Question to the Cabinet Office:
To ask the Minister for the Cabinet Office, pursuant to the Answer of 22 May 2019 to Question 254274 on Huawei: 5G, whether the National Cyber Security Centre monitors the number of UK telecoms operators that utilise Huawei Cyber Security Evaluation Centre advice and guidance.
Answered by David Lidington
I refer the honourable member to my answer to Question 254274 on 22 May 2019.
Asked by: Jo Platt (Labour (Co-op) - Leigh)
Question to the Cabinet Office:
To ask the Minister for the Cabinet Office, whether the functions and responsibilities of the Principal Cyber Security Risk Consultant will be similar to the functions and responsibilities of the (a) Government Chief Security Officer and (b) Chief Data Officer.
Answered by Oliver Dowden - Chancellor of the Duchy of Lancaster
The Principal Cyber Security Risk Consultant role is not similar in function or responsibility to either
the (a) Government Chief Security Officer and (b) Chief Data Officer
The Principal Cyber Security Risk Consultant role is an interim, specialist role focussed on the
information and cyber security of the digital services GDS builds, operates and uses.
Asked by: Jo Platt (Labour (Co-op) - Leigh)
Question to the Cabinet Office:
To ask the Minister for the Cabinet Office, what vetting and reliability testing the (a) National Cyber Security Centre and (b) Huawei Cyber Security Evaluation Centre has conducted on telecoms equipment destined for UK 5G infrastructure.
Answered by David Lidington
The National Cyber Security Centre is focused on the security of equipment deployed in current UK networks, none of which are currently making operational use of 5G equipment. Similarly, the Huawei Cyber Security Evaluation Centre conducts security assessments of Huawei products deployed in current UK telecoms networks.
Asked by: Jo Platt (Labour (Co-op) - Leigh)
Question to the Cabinet Office:
To ask the Minister for the Cabinet Office, whether the Chief Data Officer position in his Department has been filled; and if he will make a statement.
Answered by Oliver Dowden - Chancellor of the Duchy of Lancaster
No. There is close co-operation between DCMS, GDS and ONS on data policy and governance, while strategic oversight for the collection and use of data held by government departments is currently provided by the cross-government Data Advisory Board, chaired by the Chief Executive of the Civil Service.
Asked by: Jo Platt (Labour (Co-op) - Leigh)
Question to the Cabinet Office:
To ask the Minister for the Cabinet Office, whether his Department has recruited to the Government Chief Security Officer role.
Answered by David Lidington
Dominic Fortescue was appointed Government Chief Security Officer (GCSO) in December 2018, assuming post in January 2019 following a thorough and competitive recruitment process. As GCSO Mr Fortescue is responsible for leadership, oversight, coordination and delivery of protective security across all government departments, their agencies and arms-length bodies.
Asked by: Jo Platt (Labour (Co-op) - Leigh)
Question to the Cabinet Office:
To ask the Minister for the Cabinet Office, what assessment he has made of the effect of recruitment of a Principal Cyber Security Risk Consultant on the recruitment processes for the (a) Government Chief Security Officer and (b) Chief Data Officer.
Answered by Oliver Dowden - Chancellor of the Duchy of Lancaster
The Principal Cyber Security Risk Consultant role is focussed on the information and cyber security of the digital services GDS builds, operates and uses. As such there is no direct effect on the recruitment of a Government Chief Security Officer and a Chief Data Officer.
Asked by: Jo Platt (Labour (Co-op) - Leigh)
Question to the Cabinet Office:
To ask the Minister for the Cabinet Office, pursuant to the Answer of 14 May 2019 to Question 252605 on Huawei: 5G, and with reference to the February 2019 blog by the technical director of the National Cyber Security Centre on Huawei, whether the National Cyber Security Centre monitors the number of UK telecoms operators that utilise HCSEC advice and guidance.
Answered by David Lidington
High risk vendors are not in our most sensitive networks. On telecoms CNI, the Communications Act 2003 places an obligation on Telecoms operators to ensure that they have 'appropriate measures' in place to manage the security and resilience of the network. Ofcom are responsible for ensuring that operators meet their obligations under the Communications Act. In addition, the Huawei Cyber Security Evaluation Centre (HCSEC) was established in 2010 as part of a wide mitigation strategy to minimise risk to the UK telecoms critical national infrastructure.
The HCSEC Oversight Board’s reports are publicly available and all telecommunications operators have access to its information. The latest Oversight Board report states that in 2018, several hundred vulnerabilities and issues were reported by HCSEC to UK operators. This information is expected to be fed into the operator’s corporate risk management processes. As I said in my Answer of 14 May, it is the responsibility of operators to ensure the security and resilience of their networks.
Asked by: Jo Platt (Labour (Co-op) - Leigh)
Question to the Cabinet Office:
To ask the Minister for the Cabinet Office, pursuant to the Answer of 8 May 2019 to Question 250002, how many and what proportion of UK 5G operators (a) use and (b) do not use the Huawei Cyber Security Evaluation Centre advice.
Answered by David Lidington
The annual report generated by the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board which includes communication service provider representatives is publicly available. We do not track how many operators use Huawei Cyber Security Evaluation Centre advice.
It remains the responsibility of operators to ensure the security and resilience of their networks, based on all the available advice from both Government and the private sector. Ofcom are the regulator for the telecoms industry and consider whether operators are meeting their responsibilities and investigate as appropriate.