New Gov Report Finds Rising UK Telecoms Security Risk from Huawei

Chinese-based IT company Huawei, which supplies a good chunk of the broadband ISP and mobile network kit being used by UK providers (routers, cabinets etc.), is under increased pressure after the fifth annual report from the Huawei Cyber Security Evaluation Centre (HCSEC) oversight board found “new risks” and limited progress.

The HCSEC’s oversight board was originally setup in 2010, largely as part of an agreement between the Government and Huawei to mitigate any perceived risks arising from their involvement in parts of the UK’s critical national infrastructure. The board provides security evaluations for a range of related products.

However last year’s annual HCSEC report (here) caused concern after it identified “shortcomings” in Huawei’s engineering processes, which it said had “exposed new risks in the UK telecommunication networks” and warned of “long-term challenges in mitigation and management.”

Unfortunately this year’s report similarly noted that “further significant technical issues” had been identified in Huawei’s engineering processes, leading to “new risks in the UK telecommunications networks.” At the same time it also said that “no material progress has been made by Huawei in the remediation of the issues reported last year.” No doubt adding fuel to the fire for those who would like to see the company banned.

HCSEC Report Summary

As reported in 2018, HCSEC’s work has continued to identify concerning issues in Huawei’s approach to software development bringing significantly increased risk to UK operators, which requires ongoing management and mitigation;

The Oversight Board continues to be able to provide only limited assurance that the long-term security risks can be managed in the Huawei equipment currently deployed in the UK.

The Oversight Board advises that it will be difficult to appropriately risk-manage future products in the context of UK deployments, until the underlying defects in Huawei’s software engineering and cyber security processes are remediated.

At present, the Oversight Board has not yet seen anything to give it confidence in Huawei’s capacity to successfully complete the elements of its transformation programme that it has proposed as a means of addressing these underlying defects. The Board will require sustained evidence of better software engineering and cyber security quality verified by HCSEC and NCSC.

Overall, the Oversight Board can only provide limited assurance that all risks to UK national security from Huawei’s involvement in the UK’s critical networks can be sufficiently mitigated long-term.

In reality it’s virtually impossible for ordinary folk to judge such things as the crucial detail is a secret matter for the intelligence agencies and we wouldn’t be so bold as to assume we know better. Furthermore it seems unlikely that so many countries would be creating such a fuss if there wasn’t a serious concern.

Naturally the company has already strongly denied many of the accusations and in a public letter posted earlier this year said, “Huawei has never and will never use UK-based hardware, software, or information gathered in the UK or anywhere else globally, to assist other countries in gathering intelligence. We would not do this in any country.”

On the other hand critics of the company often point toward China’s new National Intelligence Law, which was passed in 2017 and demands that organisations “support, co-operate with and collaborate in national intelligence work.” The absence of true democracy in China might thus, they argue, make it very difficult for any company to refuse such a request.

Furthermore the US Secretary of State, Mike Pompeo, has previously warned that the USA may cease to exchange secret intelligence info. with countries that allow kit from Huawei into their core networks, which is a significant consideration for the UK. A separate report from the Royal United Services Institute (RUSI) warned that “allowing Huawei’s participation [in such networks] is at best naive, at worst irresponsible.”

The challenge for telecoms operators is that Huawei makes very good kit and they do so at a more affordable price than many of their competitors. A lot of operators had already planned to work closely with the Chinese firm in order to deploy new networks (e.g. 5G and fibre broadband) and any new restrictions would thus impact their plans (i.e. the potential for much higher costs, worse performance and significantly slower roll-out).

A few major operators have already taken some action. For example, BT (EE) are removing related kit from their core mobile network (here) and Vodafone are “pausing” deployments into their core network (here). Mind you this won’t affect more benign parts of their infrastructure outside of the core, such as masts. But other operators are continuing to use the company’s kit.

On the other hand it’s not like the operators didn’t have any forewarning. Back in 2013 a report from the government’s Intelligence and Security Committee (ISC) noted that Openreach’s deployment of broadband ISP and telecoms equipment supplied by Huawei could have “implications for national security” (here).

At the time GCHQ acknowledged that the “risk of unauthorised access cannot be entirely eliminated“, but this is arguably true of any telecoms equipment no matter what its source. “It is just impossible to go through that much code and be absolutely confident you have found everything,” said GCHQ.

So far the Government has seen plenty of smoke, thus ruling out the presence of fire may be unwise. Nevertheless it remains to be seen whether they will take the leap toward banning the company, particularly with future trade and Brexit issues currently being the biggest concerns. Lest we forget that operators can’t do 4G without 5G and any impact on the supply chain would thus have far reaching consequences.