The Huawei Cybersecurity Evaluation Centre (HCSEC) is fulfilling its obligations in terms of handing over information to the UK’s National Cybersecurity Centre (NCSC), but its work continues to uncover problems and Huawei is making little progress on fixing previously identified problems, according to the HCSEC Oversight Board’s latest highly critical report.
“As reported in 2018, HCSEC’s work has continued to identify concerning issues in Huawei’s approach to software development, bringing significantly increased risk to UK operators,” wrote the report’s authors in their preamble.
“No material progress has been made on the issues raised in the previous 2018 report. The Oversight Board continues to be able to provide only limited assurance that the long-term security risks can be managed in the Huawei equipment currently deployed in the UK.
“It will be difficult to appropriately risk-manage future products in the context of UK deployments until the underlying defects in Huawei’s software engineering and cybersecurity processes are remediated,” the report continued.
It said it had seen nothing to give it any confidence in Huawei’s capacity to complete the transformation programme it has proposed, and will need to see sustained evidence of better software engineering and cybersecurity quality.
“The Oversight Board can only provide limited assurance that all risks to UK national security from Huawei’s involvement in the UK’s critical networks can be sufficiently mitigated long-term,” it said.
The HCSEC opened at the end of 2010 as part of an agreement between Huawei and the government, and evaluates a wide range of Huawei products used by UK telecoms operators to mitigate any perceived security risks arising from their use.
The HCSEC Oversight Board was established in 2014 to examine and guarantee its work – it is chaired by the NCSC’s CEO Ciaran Martin and also includes a senior Huawei executive as deputy chair.
“Huawei’s presence in the UK is subject to detailed, formal oversight. This provides us with a unique understanding of the company’s software engineering and cyber security processes,” said an NCSC spokesperson.
“We can and have been managing the security risk and have set out the improvements we expect the company to make. We will not compromise on the progress we need to see: sustained evidence of better software engineering and cyber security, verified by HCSEC.
“This report illustrates above all the need for improved cybersecurity in the UK telco networks which is being addressed more widely by the Digital Secretary’s review,” they said.
Huawei accentuates the positives
Huawei attempted to put a positive spin on the criticism, saying the report recognised the overall effectiveness of the HCSEC regime in helping address the national security concerns of the UK government.
It noted that the report itself said that the oversight provided for is arguably “the toughest and most rigorous in the world” and that it “does not, therefore, suggest that UK networks are more vulnerable than last year”.
“The 2019 OB report details some concerns about Huawei's software engineering capabilities,” said a Huawei spokesperson. “We understand these concerns and take them very seriously. The issues identified in the OB report provide vital input for the ongoing transformation of our software engineering capabilities.
“In November last year, Huawei’s board of directors issued a resolution to carry out a companywide transformation programme aimed at enhancing our software engineering capabilities, with an initial budget of US$2bn.
“A high-level plan for the programme has been developed and we will continue to work with UK operators and the NCSC during its implementation to meet the requirements created as cloud, digitisation, and software-defined everything become more prevalent.
“To ensure the ongoing security of global telecom networks, the industry, regulators, and governments need to work together on higher common standards for cyber security assurance and evaluation.”
Huawei also noted that the report states the NCSC “does not believe that the defects identified are a result of Chinese state interference”.
EU charts Huawei forward
Earlier this week the European Commission ruled that individual European Union (EU) member states, including the UK for the time being, could make their own decisions on whether or not to ban Huawei outright from their national fixed and mobile telecoms networks.
However, member states will now be required to produce and share data on the cyber security risks faced by their critical national networks – particularly with regard to new 5G mobile networks, the source of the wider Huawei controversy – and update their cyber security practices accordingly.
Vice-president Andrus Ansip, in charge of the Digital Single Market, said: “5G technology will transform our economy and society and open massive opportunities for people and businesses. But we cannot accept this happening without full security built in. It is therefore essential that 5G infrastructures in the EU are resilient and fully secure from technical or legal backdoors.”
This flies in the face of the US government’s position, which has been to enact bans on the use of Huawei equipment by any federal body, and to exclude those that use Huawei from bidding for federal contracts, which has had the effect of essentially banning any of the US mobile operators, such as AT&T, Sprint and Verizon, from using Huawei at all.
US secretary of state Mike Pompeo has gone further still, issuing thinly veiled threats against US allies, which could be taken to mean the EU and the UK, and saying their use of Huawei risked ending ongoing military and intelligence co-operation with the US.
Huawei is currently suing the US government in a Texas court, claiming that the federal ban violates key parts of the US Constitution, laid out over 200 years ago in the early days of American independence.