New Gov Report Finds Rising UK Telecoms Security Risk from Huawei

Thursday, March 28th, 2019 (12:12 pm)

China-based IT company Huawei, which supplies a good chunk of the broadband ISP and mobile network kit being used by UK providers (routers, cabinets etc.), is under increased pressure after the fifth annual report from the Huawei Cyber Security Evaluation Centre (HCSEC) oversight board found “new risks” and limited progress.

The HCSEC’s oversight board was originally set up in 2010, largely as part of an agreement between the Government and Huawei to mitigate any perceived risks arising from their involvement in parts of the UK’s critical national infrastructure. The board provides security evaluations for a range of related products.

However, last year’s annual HCSEC report caused concern after it identified “shortcomings” in Huawei’s engineering processes, which it said had “exposed new risks in the UK telecommunication networks” and warned of “long-term challenges in mitigation and management.”

Unfortunately, this year’s report similarly noted that “further significant technical issues” had been identified in Huawei’s engineering processes, leading to “new risks in the UK telecommunications networks.” At the same time it also said that “no material progress has been made by Huawei in the remediation of the issues reported last year.” This will no doubt add fuel to the fire for those who would like to see the company banned.

HCSEC Report Summary

As reported in 2018, HCSEC’s work has continued to identify concerning issues in Huawei’s approach to software development bringing significantly increased risk to UK operators, which requires ongoing management and mitigation;

The Oversight Board continues to be able to provide only limited assurance that the long-term security risks can be managed in the Huawei equipment currently deployed in the UK.

The Oversight Board advises that it will be difficult to appropriately risk-manage future products in the context of UK deployments, until the underlying defects in Huawei’s software engineering and cyber security processes are remediated.

At present, the Oversight Board has not yet seen anything to give it confidence in Huawei’s capacity to successfully complete the elements of its transformation programme that it has proposed as a means of addressing these underlying defects. The Board will require sustained evidence of better software engineering and cyber security quality verified by HCSEC and NCSC.

Overall, the Oversight Board can only provide limited assurance that all risks to UK national security from Huawei’s involvement in the UK’s critical networks can be sufficiently mitigated long-term.

In reality, it’s virtually impossible for ordinary folk to judge such things, as the crucial detail is a secret matter for the intelligence agencies and we wouldn’t be so bold as to assume we know better. Furthermore, it seems unlikely that so many countries would be creating such a fuss if there wasn’t a serious concern.

Naturally the company has already strongly denied many of the accusations and in a public letter posted earlier this year said, “Huawei has never and will never use UK-based hardware, software, or information gathered in the UK or anywhere else globally, to assist other countries in gathering intelligence. We would not do this in any country.”

On the other hand critics of the company often point toward China’s new National Intelligence Law, which was passed in 2017 and demands that organisations “support, co-operate with and collaborate in national intelligence work.” The absence of true democracy in China might thus, they argue, make it very difficult for any company to refuse such a request.

Furthermore, the US Secretary of State, Mike Pompeo, has previously warned that the USA may cease to exchange secret intelligence information with countries that allow kit from Huawei into their core networks, which is a significant consideration for the UK. A separate report from the Royal United Services Institute (RUSI) warned that “allowing Huawei’s participation [in such networks] is at best naive, at worst irresponsible.”

The challenge for telecoms operators is that Huawei makes very good kit and they do so at a more affordable price than many of their competitors. A lot of operators had already planned to work closely with the Chinese firm in order to deploy new networks (e.g. 5G and fibre broadband) and any new restrictions would thus impact their plans (i.e. the potential for much higher costs, worse performance and significantly slower roll-out).

A few major operators have already taken some action. For example, BT (EE) are removing related kit from their core mobile network and Vodafone are “pausing” deployments into their core network. Mind you, this won’t affect more benign parts of their infrastructure outside of the core, such as masts. But other operators are continuing to use the company’s kit.

On the other hand, it’s not like the operators didn’t have any forewarning. Back in 2013 a report from the government’s Intelligence and Security Committee (ISC) noted that Openreach’s deployment of broadband ISP and telecoms equipment supplied by Huawei could have “implications for national security”.

At the time GCHQ acknowledged that the “risk of unauthorised access cannot be entirely eliminated”, but this is arguably true of any telecoms equipment no matter what its source. “It is just impossible to go through that much code and be absolutely confident you have found everything,” said GCHQ.

So far the Government has seen plenty of smoke, so ruling out the presence of fire may be unwise. Nevertheless, it remains to be seen whether they will take the leap toward banning the company, particularly with future trade and Brexit issues currently being the biggest concerns. Lest we forget that operators can’t do 4G without 5G and any impact on the supply chain would thus have far-reaching consequences.

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.
16 Responses
  1. Joe

    Much as I don’t want to slow bb rollout down the precautionary principle here I think we’d be better to ban H products now. (I agree with Mark that many countries + intel agencies wouldn’t be as concerned as they are without some basis) Having reports that basically say there is a problem then do nothing is farcical.

    Either a ban makes H fix the problem (why bother atm as there are no consequences) or they still do nothing in which case you were right to ban as they were never serious in the first place.

    • Mike

      Only reason why US doesn’t like Huawei is because they refused to put back doors in their firmware back in 2014, and that’s besides US bullying China over trade.

    • Joe

      Oh don’t be so naive. China has been systematic state sponsored hackers for decades now. There’s not a major non state security organisation that hasn’t said as much let alone at one time or another most major western nations. The idea this is just the US ignores the reality on the ground.

    • Mike

      What about NSA/GCHQ? They get a free spy pass?

    • alan

      Where exactly is the evidence of all these backdoors in Huawei gear?

      For all the committees, departments and government agencies set up and/or instructed to look into them I have yet to see any demonstration or tangible evidence there is any nefarious way to gain access to their equipment.

      In this day and age when the likes of NSA/GCHQ can basically break encryption to anything, I find it hard to believe they cannot demonstrate anything as simple as backdoors to a device or spying occurring on a device, especially when the likes of NSA/GCHQ are masters at the spying game.

      Also coming from governments of this world which have been spying on people and other countries for decades, then quite frankly any FOAD the UK or US government have to say about an organisation or government spying and how terrible it is, becomes an utter joke.

      No, no, no I think it’s much more simple and nothing more than political sh1£ stirring from the US (and we follow like lapdogs as usual) over a Chinese business that is making lots of money.

  2. George Lloyd

    And what will they replace the equipment with? Products made in the USA who started all this rubbish. Huawei would not risk thousands of jobs and trade.

    • Joe

      (sighs) This rubbish was started by China’s state sponsored corporate hacking.

      There are providers who are both non-chinese and non-American.

    • alan

      Oh no, state sponsored backdoors and chips in equipment date back well before the hoha over Huawei.

      Oh and the USA and the UK are not the good guys as you seem to think. Go have a little google for “Clipper chip” to see what the NWO USA and its NSA had planned for us all back in the early 90s as just one of many examples from history.

      And you are going to believe from their lips another country/organisation is evil?

  3. Tim

    Having some experience working in intelligence in a previous life, I think the question that needs to be asked with current and future UK digital infrastructure is who are you happiest with spying on you. All states are guilty of it whether they admit to it or not and will take any opportunity to do so if they believe they won’t get caught. There are thousands in this country employed to do just that. China will be spying on other countries through Huawei or by other means. Knowledge of security / trade secrets are incredibly valuable to rival states. To be fair China wouldn’t be my first in giving an easy opportunity to spy on us!
    I would still buy a Huawei phone though, if China really want to spy on me that’s fine. I’m really not that interesting and they do make a good cheap phone!
    Also if you know how you are being spied on and by who, you have the opportunity to have complete control of what information is fed to them…

  4. Laurence 'GreenReaper' Parry

    I have a Huawei server, and I am aware of the trade-off here – it’s acceptable because I’m frankly more concerned about us being spied on by Five Eyes.

    That said, you know it’s good when they emphasize in their security bulletins that they have “fixed *known* security issue CVE-XXX-XXX”. Almost like they have to defend their action to those higher up – or warn them that something’s about to break.

    • Joe

      5E is only going to be interested if you’re a foreign intel asset or engaged in cross illegal intel activity. China on the other hand (aside from that above + dissidents etc) might well be interested if you hold any proprietary information or commercially advantageous data. A very large proportion of C hacking is biz data theft.

    • alan

      “5E is only going to be interested if you’re a foreign intel asset or engaged in cross illegal intel activity.”

      Oh my god you are funny…. How do you think they are going to find out who is naughty and who is good unless they are monitoring EVERYTHING. Also how that makes them better or more trustworthy than the Chinese I dunno.

      “China on the other hand (aside from that above + dissidents etc) might well be interested if you hold any proprietary information or commercially advantageous data. A very large proportion of C hacking is biz data theft.”

      If the stealing of property and the funding by their government runs that deep they would not need to bother using Huawei as a puppet in the chain to get data. They would just take whatever it is that has a proprietary design and reverse engineer it (pretty much how China knocks off anything you can think of already).

      If they were that interested in just harvesting data via hacking, we would all be screwed already considering 90% of chipsets in comms devices (hardline, internet and mobile related) nowadays are either produced in China entirely or in part (you will be hard pressed I dare even say to find any electronic device nowadays without some chip or part made in China within it).

      They would not be dicking around just using one company (Huawei) to rape the planet of data, you would have simple backdoor chips in nearly every device (then again maybe we have already).

      You also, if you are a world power with limitless funds, would not be dicking about just going after Mobile comms. You would just get your backdoor chip in virtually all equipment which all comms equipment uses regardless of initial communication method. You would also be doing it via more than just one company, see if one did get found out about you could still carry on regardless with none of the planet’s lemmings any the wiser.

      As it is though that all sounds highly unlikely to me, and if it is likely then we (from your point of view anyway) are royally buggered regardless of what some political lapdogs do about Huawei.

  5. Dave

    Huawei is the perceived danger yet I don’t recall any special evaluation centre being set up in relation to Ericsson after their equipment actually was used to spy on the Greek government in the run up to and during the Olympic Games in Athens in 2004.

    Could this be because the very same western governments who are paranoid about Huawei were behind that particular episode?

    • Spurple

      You may be pleased to note that all telecommunications equipment and networks are vulnerable to the technique deployed in the Greek hack. It is part of the standards mandated by the US.

      Basically, traditional telephony is insecure and governments layer their own security on it for sensitive communications, sort of like how HTTPS makes “secure” comms possible over insecure Internet. The risk here is a backdoor built into the hardware responsible for transmitting the encrypted data could be secretly collecting and exfiltrating the data. You may not be able to decode it today but nobody knows what new flaws and technology may be developed in 5 years etc.

      Presumably, the Swedish government cannot order Ericsson to do something that the Chinese government can order Huawei to do.

      Mind you, Australia is very alike China in the recent laws they’ve made concerning encryption and you’d expect any comms gear coming from Australia to face the same suspicion if this is an honest and not merely political stance.

  6. Andy

    HMMM My Huawei Tablet (which I really like) vs GCHQ The states and our erstwhile security services. Oddly enough I feel more at risk from our own than the Chinese state! But then as a socialist I would be targeted by both!

    • Spurple

      For an individual, the risk from State actors is generally low. They’re not going to empty your bank account, and the government of the UK or US probably doesn’t care that you’re a socialist so long as you’re not engaging in any illegal activity that poses a risk to people or the state.

      The way China’s surveillance works is I believe by mandating that network devices use crypto schemes that the government can intercept and inspect and also by using strong ID methods for the device ownership. Most devices meant for Western consumption would normally be less restricted unless by accident (e.g. Nokia phones recently) or if you’re a high value person, like a major CEO or person with high security clearance, you could be targeted.

      Using a Huawei tablet is probably fine if you bought it in the UK, provided you like the device. The risks being discussed here are infrastructure level risks.

      If you were of interest to the Chinese government, they could make Huawei install a backdoor into your tablet or do it themselves, just like any sufficiently sophisticated or moneyed Nation can today, even if you use an iPad.

      Whenever I leave my equipment unattended, like going into the town for a meal on Saturday, I imagine that this is the perfect opportunity for James Bond to break into my house, crack my password and install some spyware on my gadgets and plant some bugs. If only I were so important. It’s simply too expensive and beyond reach for a run-of-the-mill crook to do this.

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved