
Gov Report Warns UK Telecoms May Face Security Risk from Huawei UPDATE2

Thursday, July 19th, 2018 (5:42 pm) - Score 1,669

The fourth annual report from the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board has identified “shortcomings” in Huawei’s engineering processes, which they say have “exposed new risks in the UK telecommunication networks.” A number of operators, such as Openreach (BT), make use of kit from the Chinese firm.

The HCSEC has been running for seven years. It opened in November 2010 under a set of arrangements between Huawei and the Government to mitigate any perceived risks arising from the involvement of Huawei in parts of the UK’s critical national infrastructure. HCSEC provides security evaluation for a range of products used in the UK market.

Sadly the latest report is likely to cause concern among those who are deploying hardware or related systems from the company and warns of “long-term challenges in mitigation and management.” As usual the public version of this report is somewhat light on detail.

Report Statement

NCSC still believes that the assurance model including HCSEC is the best way to manage the risk of Huawei’s involvement in the UK telecommunications sector. However, the model is predicated on industry good practice security and engineering in Huawei.

Overall, given this account, the NCSC has advised the Oversight Board that it is less confident that NCSC and HCSEC can provide long term technical assurance of sufficient scope and quality around Huawei in the UK. This is due to the repeated discovery of critical shortfalls, including but not limited to BEP and the third party component support issue, in the Huawei engineering practices and processes that will cause long term increased risk in the UK.

These risks are not due to any issue with HCSEC’s staffing and capabilities. Obviously, significant work will be required in managing these risks both short term and long term. The Oversight Board will be looking to HCSEC to continue to ensure that Huawei are making appropriate remediations and to advise the Oversight Board, the UK operators and the NCSC of any issues arising.

The report comes only a few months after the National Cyber Security Centre (NCSC) warned UK telecoms operators against using hardware and services provided by ZTE – another Chinese state-owned enterprise – because of the “potential risks to the UK’s national security”.

Back in 2013 a report from the government’s Intelligence and Security Committee (ISC) similarly warned that Openreach’s deployment of broadband ISP and telecoms equipment supplied by Huawei could have “implications for national security”, despite GCHQ having established the joint Cyber Security Evaluation Centre (The Cell) with Huawei to examine their kit.

At the time GCHQ acknowledged that the “risk of unauthorised access cannot be entirely eliminated”, which is arguably true of any telecoms equipment no matter what its source. “It is just impossible to go through that much code and be absolutely confident you have found everything,” said GCHQ. As stated earlier, many operators have kit from Huawei inside their networks.

We should point out that BT, which also uses kit from ZTE, has previously claimed to have “a robust testing regime in place to ensure that the equipment from all suppliers used in our network remains secure.” It’s unclear if the same could be said about other UK operators in a similar position.

UPDATE 20th July @ 7:19am

We now have a comment from Huawei.

A Spokesman for Huawei said:

“We are grateful for this feedback and are committed to addressing these issues. Cyber-security remains Huawei’s top priority, and we will continue to actively improve our engineering processes and risk management systems.”

UPDATE 26th July 2018

Apparently the first issue of “binary equivalence” suggests that the code created by Huawei’s engineers has been producing very different outcomes when installed in UK telecoms networks vs the tests run by HCSEC. Meanwhile the second issue centres on the fact that some of the third party software suppliers used by Huawei have not been subject to sufficient control and scrutiny.

11 Responses
  1. un4h731x0rp3r0m says:

    “We should point out that BT, which also uses kit from ZTE, has previously claimed to have “a robust testing regime in place to ensure that the equipment from all suppliers used in our network remains secure.””

    The same organisation that tested ECI kit and now dunno what to do with its constant refusal to have GINP working properly. Robust testing, obviously!

    1. NeilH says:

      Very true! And look at the background to ECI — Electronic Corporation of Israel.

      ECI was a spin-off from the Israeli security and intelligence apparatus (Mossad / IDF). With many “former” Israeli spooks and army brass still on the ECI payroll. Ultimately which national interest do they answer to?

      We find prominent examples of Israeli telecoms kit being used for foreign espionage. E.g. the “Agent Mega” scandal. This saw Israeli CDRM telco kit from Comverse Infosys used to eavesdrop the telecommunications of the Clinton White House. Securing the Mossad ‘the goods’ on the President’s indiscretions with White House intern Monica Lewinsky et al. A valuable bargaining chip for blackmailing concessions in US foreign policy towards the Zionist state.

      Here’s betting the British security services daren’t even look into the software code embedded in the telco kit supplied by ECI to British Telecom plc

  2. Neb says:

    Does BT test every single item before the install in the open world then? Or just samples of a batch?

  3. AndyC says:

    We ain’t got much hope for security then, since almost everything electrical has something from China in it, and what about the processors in these devices?

    I seem to remember a recent report that Intel, AMD and even some mobile processors have had major security flaws for the last 10 odd years. Even Android and iOS isn’t 100%.

    The only safe machine is one that has no internet connection, just wait for the first time an autonomous bus/car gets hacked.

    1. TheFacts says:

      Don’t worry, your smart TV is not listening to everything you say.

  4. Chris P says:

    RIP Marconi.

  5. spurple says:

    Ha ha. A few weeks after {insert name here} lambasts NATO members for not spending enough cash on military gear, and a few days after witnessing a demo of UK military capabilities, the UK starts to make funny noises about Huawei equipment.

    Interesting that the UK is the first member to follow Uncle Sam’s lead in the case of telecom infrastructure.

  6. Mike says:

    With GCHQ spying on us does it really matter if the PRC join them?

    1. Mark Jackson says:

      ..and not one of them had to agree to cookies or GDPR before doing so 🙂 .

  7. CarlT says:

    Totally concur with this. Only the NSA are allowed to backdoor network vendors’ equipment.
