The fourth annual report from the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board has identified “shortcomings” in Huawei’s engineering processes, which they say have “exposed new risks in the UK telecommunication networks.” A number of operators, such as Openreach (BT), make use of kit from the Chinese firm.
The HCSEC has been running for seven years. It opened in November 2010 under a set of arrangements between Huawei and the Government to mitigate any perceived risks arising from the involvement of Huawei in parts of the UK’s critical national infrastructure. HCSEC provides security evaluation for a range of products used in the UK market.
Sadly, the latest report is likely to cause concern among those who are deploying hardware or related systems from the company, and it warns of “long-term challenges in mitigation and management.” As usual, the public version of this report is somewhat light on detail.
Report Statement
NCSC still believes that the assurance model including HCSEC is the best way to manage the risk of Huawei’s involvement in the UK telecommunications sector. However, the model is predicated on industry good practice security and engineering in Huawei.
Overall, given this account, the NCSC has advised the Oversight Board that it is less confident that NCSC and HCSEC can provide long term technical assurance of sufficient scope and quality around Huawei in the UK. This is due to the repeated discovery of critical shortfalls, including but not limited to BEP and the third party component support issue, in the Huawei engineering practices and processes that will cause long term increased risk in the UK.
These risks are not due to any issue with HCSEC’s staffing and capabilities. Obviously, significant work will be required in managing these risks both short term and long term. The Oversight Board will be looking to HCSEC to continue to ensure that Huawei are making appropriate remediations and to advise the Oversight Board, the UK operators and the NCSC of any issues arising.
The report comes only a few months after the National Cyber Security Centre (NCSC) warned UK telecoms operators against using hardware and services provided by ZTE – another Chinese state-owned enterprise – because of the “potential risks to the UK’s national security”.
Back in 2013 a report from the government’s Intelligence and Security Committee (ISC) similarly warned that Openreach’s deployment of broadband ISP and telecoms equipment supplied by Huawei could have “implications for national security”, despite GCHQ having established the joint Cyber Security Evaluation Centre (The Cell) with Huawei to examine their kit.
At the time GCHQ acknowledged that the “risk of unauthorised access cannot be entirely eliminated”, which is arguably true of any telecoms equipment no matter what its source. “It is just impossible to go through that much code and be absolutely confident you have found everything,” said GCHQ. As stated earlier, many operators have kit from Huawei inside their networks.
We should point out that BT, which also uses kit from ZTE, has previously claimed to have “a robust testing regime in place to ensure that the equipment from all suppliers used in our network remains secure.” It’s unclear if the same could be said about other UK operators in a similar position.
UPDATE 20th July @ 7:19am
We now have a comment from Huawei.
A Spokesman for Huawei said:
“We are grateful for this feedback and are committed to addressing these issues. Cyber-security remains Huawei’s top priority, and we will continue to actively improve our engineering processes and risk management systems.”
UPDATE 26th July 2018
Apparently the first issue of “binary equivalence” suggests that the code created by Huawei’s engineers has been producing very different outcomes when installed in UK telecoms networks vs the tests run by HCSEC. Meanwhile the second issue centres on the fact that some of the third party software suppliers used by Huawei have not been subject to sufficient control and scrutiny.