The fourth annual report from the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board has identified “shortcomings” in Huawei’s engineering processes, which they say have “exposed new risks in the UK telecommunication networks.” A number of operators, such as Openreach (BT), make use of kit from the Chinese firm.
The HCSEC has been running for seven years. It opened in November 2010 under a set of arrangements between Huawei and the Government to mitigate any perceived risks arising from the involvement of Huawei in parts of the UK’s critical national infrastructure. HCSEC provides security evaluation for a range of products used in the UK market.
Sadly the latest report is likely to cause concern among those who are deploying hardware or related systems from the company and warns of “long-term challenges in mitigation and management.” As usual the public version of this report is somewhat light on detail.
Report Statement
NCSC still believes that the assurance model including HCSEC is the best way to manage the risk of Huawei’s involvement in the UK telecommunications sector. However, the model is predicated on industry good practice security and engineering in Huawei.
Overall, given this account, the NCSC has advised the Oversight Board that it is less confident that NCSC and HCSEC can provide long term technical assurance of sufficient scope and quality around Huawei in the UK. This is due to the repeated discovery of critical shortfalls, including but not limited to BEP and the third party component support issue, in the Huawei engineering practices and processes that will cause long term increased risk in the UK.
These risks are not due to any issue with HCSEC’s staffing and capabilities. Obviously, significant work will be required in managing these risks both short term and long term. The Oversight Board will be looking to HCSEC to continue to ensure that Huawei are making appropriate remediations and to advise the Oversight Board, the UK operators and the NCSC of any issues arising.
The report comes only a few months after the National Cyber Security Centre (NCSC) warned UK telecoms operators against using hardware and services provided by ZTE – another Chinese state-owned enterprise – because of the “potential risks to the UK’s national security” (here).
Back in 2013 a report from the government’s Intelligence and Security Committee (ISC) similarly warned that Openreach’s deployment of broadband ISP and telecoms equipment supplied by Huawei could have “implications for national security” (here), which is despite GCHQ establishing the joint Cyber Security Evaluation Centre (The Cell) with Huawei to examine their kit.
At the time GCHQ acknowledged that the “risk of unauthorised access cannot be entirely eliminated”, which is arguably true of any telecoms equipment no matter what its source. “It is just impossible to go through that much code and be absolutely confident you have found everything,” said GCHQ. As stated earlier, many operators have kit from Huawei inside their networks.
We should point out that BT, which also uses kit from ZTE, has previously claimed to have “a robust testing regime in place to ensure that the equipment from all suppliers used in our network remains secure.” It’s unclear if the same could be said about other UK operators in a similar position.
UPDATE 20th July @ 7:19am
We now have a comment from Huawei.
A Spokesman for Huawei said:
“We are grateful for this feedback and are committed to addressing these issues. Cyber-security remains Huawei’s top priority, and we will continue to actively improve our engineering processes and risk management systems.”
UPDATE 26th July 2018
Apparently the first issue, “binary equivalence”, suggests that the code created by Huawei’s engineers has been producing very different outcomes when installed in UK telecoms networks compared with the tests run by HCSEC. Meanwhile the second issue centres on the fact that some of the third party software suppliers used by Huawei have not been subject to sufficient control and scrutiny.
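As an added illustration (not from the article, HCSEC or Huawei), the binary-equivalence idea amounts to checking that the image running in an operator’s network is byte-for-byte the one that was evaluated; the toy image layout, field names and sample bytes below are constructed for the example, and the timestamp-masking step shows why a naive hash comparison alone can flag two honest builds of the same source as different.

```python
"""Toy binary-equivalence check (constructed format, illustration only).

Two builds of identical source may still differ byte-for-byte when the
toolchain embeds non-deterministic metadata (build timestamps, paths).
We compare the raw image hash first, then a normalised hash with a
known timestamp field masked, so "different code" can be told apart
from "same code, different build metadata".
"""
import hashlib
import struct

# Constructed header: magic, build timestamp, payload length (little-endian).
HEADER = struct.Struct("<4sII")
MAGIC = b"FWIM"


def build_image(payload: bytes, build_ts: int) -> bytes:
    """Assemble a toy firmware image from a code payload and build time."""
    return HEADER.pack(MAGIC, build_ts, len(payload)) + payload


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def normalise(image: bytes) -> bytes:
    """Zero the build-timestamp field; everything else must stay intact."""
    magic, _ts, length = HEADER.unpack_from(image)
    if magic != MAGIC or len(image) != HEADER.size + length:
        raise ValueError("not a well-formed image")
    return HEADER.pack(magic, 0, length) + image[HEADER.size:]


def compare(evaluated: bytes, deployed: bytes) -> str:
    """Classify the deployed image relative to the evaluated one."""
    if sha256_hex(evaluated) == sha256_hex(deployed):
        return "identical"
    if sha256_hex(normalise(evaluated)) == sha256_hex(normalise(deployed)):
        return "same code, differs only in build metadata"
    return "code differs: not the evaluated build"


# Constructed sample payloads: same code, a rebuild, and a one-byte change.
CODE = bytes.fromhex("554889e5488d3d00000000e800000000c9c3")
EVALUATED = build_image(CODE, 1_530_000_000)
REBUILT = build_image(CODE, 1_531_000_000)
MODIFIED = build_image(CODE[:-1] + b"\x00", 1_530_000_000)

if __name__ == "__main__":
    for name, img in (("rebuilt", REBUILT), ("modified", MODIFIED)):
        print(name, "->", compare(EVALUATED, img))
```

Masking is only legitimate for fields the image specification documents as build metadata; every field left unmasked is part of the evidence, and any unexplained difference should be treated as a failed check rather than explained away.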
“We should point out that BT, which also uses kit from ZTE, has previously claimed to have ‘a robust testing regime in place to ensure that the equipment from all suppliers used in our network remains secure.’”
The same organisation that tested ECI kit and now dunno what to do with its constant refusal to have GINP working properly. Robust testing, obviously!
Very true! And look at the background to ECI — Electronic Corporation of Israel.
ECI was a spin-off from the Israeli security and intelligence apparatus (Mossad / IDF). With many “former” Israeli spooks and army brass still on the ECI payroll. Ultimately which national interest do they answer to?
We find prominent examples of Israeli telecoms kit being used for foreign espionage. E.g. the “Agent Mega” scandal. This saw Israeli CDRM telco kit from Comverse Infosys used to eavesdrop the telecommunications of the Clinton White House. Securing the Mossad ‘the goods’ on the President’s indiscretions with White House intern Monica Lewinsky et al. A valuable bargaining chip for blackmailing concessions in US foreign policy towards the Zionist state.
Here’s betting the British security services daren’t even look into the software code embedded in the telco kit supplied by ECI to British Telecom plc
Does BT test every single item before the install in the open world then? Or just samples of a batch?
We ain’t got much hope for security then, since almost everything electrical has something from China in it, and what about the processors in these devices?
I seem to remember a recent report that Intel, AMD and even some mobile processors have had major security flaws for the last 10-odd years. Even Android and iOS aren’t 100%.
The only safe machine is one that has no internet connection; just wait for the first time an autonomous bus/car gets hacked.
Don’t worry, your smart TV is not listening to everything you say.
RIP Marconi.
Ha ha. A few weeks after {insert name here} lambasts NATO members for not spending enough cash on military gear, and a few days after witnessing a demo of UK military capabilities, the UK starts to make funny noises about Huawei equipment.
Interesting that the UK is the first member to follow Uncle Sam’s lead in the case of telecom infrastructure.
With GCHQ spying on us does it really matter if the PRC join them?
…and not one of them had to agree to cookies or GDPR before doing so 🙂.
+1 MJ!
Totally concur with this. Only the NSA are allowed to backdoor network vendors’ equipment.