The board that oversees the security of Huawei equipment used in UK telecoms networks has said that technical issues with the Chinese company’s engineering processes have lead to new risks.
“Further significant technical issues have been identified in Huawei’s engineering processes, leading to new risks in the UK telecommunications networks,” said the annual report from the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board. The board oversees the unit that evaluates the security of the Chinese company’s products used in UK telecoms network.
The report warned: “Overall, the Oversight Board can only provide limited assurance that all risks to UK national security from Huawei’s involvement in the UK’s critical networks can be sufficiently mitigated long-term.” However, it said it did not believe that the flaws it had found were due to Chinese state interference.
The report also said that “no material progress” has been made by Huawei in the remediation of the issues reported last year. As a result, it said this made it inappropriate to change the level of assurance from last year “or to make any comment on potential future levels of assurance”.
In 2018, HCSEC said its work had continued to identify “concerning issues” in Huawei’s approach to software development, bringing significantly increased risk to UK operators, which required ongoing management and mitigation.
SEE: IT pro’s guide to the evolution and impact of 5G technology (free PDF)
The report said: “The Oversight Board continues to be able to provide only limited assurance that the long-term security risks can be managed in the Huawei equipment currently deployed in the UK,” and warned that it would be difficult to appropriately risk-manage future products in the context of UK deployments, until the “underlying defects in Huawei’s software engineering and cyber-security processes are remediated”.
The report noted: “HCSEC has continued to find serious vulnerabilities in the Huawei products examined. Several hundred vulnerabilities and issues were reported to UK operators to inform their risk management and remediation in 2018. Some vulnerabilities identified in previous versions of products continue to exist.”
However, the board said its findings were largely concerned with basic engineering competence and cyber security hygiene that lead to vulnerabilities that were capable of being exploited by a range of actors. “NCSC does not believe that the defects identified are a result of Chinese state interference,” it said.
Huawei acknowleged in a statement that the report details concerns about Huawei’s software engineering capabilities. “We understand these concerns and take them very seriously,” it said and added that the company was spending $2bn to improve its software-engineering capabilities.
However, the HCSEC board report noted: “At present, the Oversight Board has not yet seen anything to give it confidence in Huawei’s capacity to successfully complete the elements of its transformation programme that it has proposed as a means of addressing these underlying defects. The Board will require sustained evidence of better software engineering and cyber security quality.”
A spokesman for the UK’s National Cyber Security Centre said “We can and have been managing the security risk and have set out the improvements we expect the company to make. We will not compromise on the progress we need to see: sustained evidence of better software engineering and cybersecurity, verified by HCSEC. This report illustrates above all the need for improved cybersecurity in the UK telco networks which is being addressed more widely by the Digital Secretary’s review.”
In the background is the ongoing row about about Huawei and 5G, the next generation of mobile technology.
The US banned the Chinese networking giant from government contracts back in 2014 has continued to raise concerns about the use of equipment from Huawei in 5G networks, worried that it could create a backdoor to be used by the Chinese state for spying.
While the company has strenuously denied that this is possible (and pointed to a history of spying by the US), the US has been lobbying other states to dump Huawei kit from forthcoming 5G networks, with mixed results.
The UK is currently carrying out a review of 5G security but the country’s tech security agency has already said that it can manage the risks of using Huawei equipment, and that having a broad set of suppliers to be able to spread risk is also essential to security.