‘Limited assurance’ Huawei security risks can be managed, report says
Huawei has failed to reassure security officials that the risks of using its equipment in critical telecommunications infrastructure can be managed, the latest Huawei Cyber Security Evaluation Centre (HCSEC) oversight board report concluded.
HCSEC was established by the government and Huawei UK to assess possible risks associated with using Huawei products in critical national infrastructure.
Its oversight board, which is government-led, has warned in its latest report that Huawei has made limited progress in addressing security issues raised last year and that it can only give “limited assurance” that security risks can be managed.
Vetting increased in 2019, meaning that more vulnerabilities were identified in Huawei equipment than in previous years. One issue identified with Huawei’s broadband products was considered to be of “national significance”, but was fixed before it could be exploited.
According to the report, the National Cyber Security Centre (NCSC) “does not believe that the defects identified are a result of Chinese state interference”; instead, they are the result of sloppy engineering and security practices.
“These findings are about basic engineering competence and cyber-security hygiene that give rise to vulnerabilities that are capable of being exploited by a range of actors,” the report said, calling for evidence of improved practices.
While it did not find evidence that the vulnerabilities had been exploited by state-backed hackers, it warned that these vulnerabilities still present a risk. “If an attacker has knowledge of these vulnerabilities and sufficient access to exploit them, they may be able to affect the operation of a UK network, in some cases causing it to cease operating correctly,” it said. However, it acknowledged that UK networks are no more vulnerable than they were previously.
The report said that “limited progress” has been made on the issues raised in the previous year’s report and it “has not yet seen anything to give it confidence in Huawei’s capacity to successfully complete the elements of its transformation programme that it has proposed as a means of addressing these underlying defects”.
The board can provide “only limited assurance that the long-term security risks can be managed in the Huawei equipment currently deployed in the UK”.
In a statement to media, a Huawei spokesperson said: “The report acknowledges that while our software transformation process is in its infancy, we have made some progress in improving our software engineering capabilities.”
Huawei has been at the centre of the US-China trade war, with US President Donald Trump accusing Huawei of acting as a tool for Chinese surveillance and being a national security risk. Huawei has repeatedly denied these accusations.
After initially permitting Huawei to play a limited role in supplying equipment for the UK’s 5G radio access network, in July the government announced a U-turn. Now, Huawei will play no role in the UK’s 5G network, and all existing equipment must be removed by the end of 2027. The government cited as a large part of its reasoning the most recent US restrictions against Huawei, which essentially prevent it from using any technology with US origins. According to the NCSC, this meant that Huawei can no longer be assumed to be a reliable equipment vendor.
This recent report looks at events throughout 2019, and does not take into consideration more recent events, such as the most recent round of US sanctions against Huawei.
This week, it was reported that the German government is planning to tighten its 5G network security measures, potentially squeezing Huawei out of its 5G network.