Huawei 'failed to improve UK security standards'
- Published
Huawei has failed to adequately tackle security flaws in equipment used in the UK's telecoms networks despite previous complaints, an official report says.
It also flagged that a vulnerability "of national significance" had occurred in 2019 but been fixed before it could be exploited.
The assessment was given by an oversight board, chaired by a member of the cyber-spy agency GCHQ.
It could influence other nations weighing up use of Huawei's kit.
The report said that GCHQ's National Cyber Security Centre (NCSC) had seen no evidence that Huawei had made a significant shift in its approach to the matter.
And it added that while some improvements had been made, it had no confidence they were sustainable.
As a result, it concluded, the board could only provide "limited assurance that all risks to UK national security" could be mitigated in the long-term.
In July, the government announced that due to US sanctions Huawei would eventually be excluded from the new 5G telecoms network by 2027, but the Chinese company can continue to play a role in older mobile phone networks and fixed broadband.
The US has argued that using Huawei's equipment creates a risk of the Chinese state carrying out espionage or sabotage, something the company has always denied.
Despite the criticisms, British security officials say they can manage the current risks posed by using Huawei's existing kit, and they do not believe the defects they have found are a result of Chinese state interference.
Huawei has responded saying the report highlights its commitment to openness and transparency.
"The report acknowledges that while our software transformation process is in its infancy, we have made some progress in improving our software engineering capabilities," a spokesman said.
Although the company now has limited prospects in the UK, it is still hoping to sell its 5G kits to other parts of Europe.
Earlier this week, the chief of its Italian business suggested that other countries could carry out detailed inspections of their own, external to help overcome security concerns.
"We will open our insides, we are available to be vivisected to respond to all of this political pressure," said Luigi De Vecchis.
However, the Financial Times has reported that Germany is set to be next, external to ban local networks from using the firm's 5G products.
One expert said setting up an operation like HSEC required a state to provide considerable resources, and offered no guarantee of success.
"Even if Huawei passes the technical evaluation, which we see from today's report is not certain, they may yet be blocked at the political level," said Emily Taylor, editor of the Journal of Cyber Policy.
Delayed findings
Huawei equipment has been used in the UK for a decade and a half.
Since 2010, a special Huawei Cyber Security Evaluation Centre (HCSEC), based in Banbury, has been tasked with checking its telecoms infrastructure products.
An oversight board then examines the work of HCSEC and reports to the UK's National Security Advisor annually, although the latest report covering 2019 was delayed because of the coronavirus pandemic.
Last year, the report raised serious concerns about standard of Huawei's equipment and software, and there is no major change in the latest assessment.
In 2018, Huawei committed to a $2bn (£1.5bn) five-year plan to improve its software engineering processes in response to previous criticism.
But the new report complains that Huawei has yet to convince that it can complete the effort on time, and adds that "unless a detailed and satisfactory plan has been provided, it is not possible to offer any degree of confidence that the identified problems can be addressed by Huawei".
In particular it highlighted "poor coding practices" and said there was a "range of evidence" employees were not following Huawei's own guidelines.
Huawei argues it is still in the early stages of the plan and real improvements will only be reflected in future reports.
Broadband flaw
The report adds the amount of vulnerabilities reported in 2019 were "significantly beyond" the number found in 2018, but says this is partly due to the increasing effectiveness of the checks rather than an overall decline in standards.
But it highlights one vulnerability of "national significance" in 2019, which required extraordinary measures to fix.
The BBC has learned this was related to broadband - but officials do not believe anyone exploited the flaw.
The report covers 2019, and so does not address the period when the US imposed new sanctions affecting Huawei.
Those sanctions technically affect HCSEC itself, since it is part of Huawei, and will require changes in its organisational structure.
Huawei is also currently building an alternative supply chain for crucial technology affected by the sanctions.
The report comes a day after NCSC's ex-chief explained why the UK had to be alert to the risks of using Huawei's kit in unusually plain language.
"We have to plan on the basis that at some point, Huawei could be made subservient operationally to the Chinese state," Ciaran Martin told a committee of MPs.
"You always have to have in mind a scenario where every bit of involvement of Huawei was turned against the UK.
"And you don't make that assumption for Nokia, you don't make that assumption for Ericsson."
Additional reporting by Leo Kelion
- Published29 September 2020
- Published24 September 2021
- Published23 September 2020