Huawei Security Shortcomings Cited by British IntelligenceMore 'Defects' Found in Software Engineering and Cybersecurity Processes
Britain's intelligence establishment has concluded that Chinese networking giant Huawei's "software engineering and cybersecurity processes" continue to be beset by unresolved "defects." In addition, engineering and risk management improvements that the U.K. government has demanded of Huawei, which it has promised to make, have yet to be put in place.
So says a report published Thursday by the National Cyber Security Center, which is the public-facing arm of Britain's GCHQ intelligence agency.
NCSC says that it has downgraded its assessment of the security of Huawei's products and that it can "provide only limited assurance that ... long-term security risks can be managed in the Huawei equipment currently deployed in the U.K."
The intelligence agency regularly reports on the networking giant's strategy and technology. "Huawei's presence in the U.K. is subject to detailed, formal oversight. This provides us with a unique understanding of the company's software engineering and cybersecurity processes," an NCSC spokeswoman tells Information Security Media Group.
The NCSC's findings and recommendations are not binding. Rather, it issues technical guidance to U.K. policymakers (see: Report: UK Believes Risk of Using Huawei Is Manageable).
But its latest guidance could spell problems for Huawei. For starters, the manufacturer wants to be part of Britain's massive 5G rollout. Huawei is also working to shore up its image in the face of the Trump administration's attempt to convince allies that Chinese-built networking equipment shouldn't be trusted. Many countries have responded by saying that they will conduct their own tests and make their own decisions (see: US Intensifies Pressure on Allies to Avoid Huawei, ZTE).
The NCSC says it does not believe that the problems identified with Huawei are part of any attempted nation-state espionage or interference campaign. But it warns that the identified defects could create vulnerabilities that might be exploited by cybercriminals, nation-states or others.
"We ... have strict controls for how Huawei is deployed. It is not in any sensitive networks - including those of the government. Its kit is part of a balanced supply chain with other suppliers," Ciaran Martin, CEO of the NCSC, said in a speech at last month's CyberSec conference in Brussels.
"Our regime is arguably the toughest and most rigorous oversight regime in the world for Huawei. And it is proving its worth. Last July, our annual Oversight Board downgraded the assurance we could provide to the U.K. government on mitigating the risks associated with Huawei because of serious problems with their security and engineering processes," Martin said.
"As we said then, and repeat today, these problems are about standard of cybersecurity; they are not indicators of hostile activity by China. The company has accepted these findings and has pledged to address them, acknowledging that this will be a process of some years."
Huawei Cyber Security Evaluation Center
The latest findings are contained in the fifth annual report to be issued by the NCSC's Huawei Cyber Security Evaluation Center, which the U.K. government launched in 2010 to review Huawei's business strategies and test all product ranges before they were potentially used in any setting that might have national security repercussions.
The new report emphasizes that the findings should not imply that U.K. telecommunications networks are at any greater risk now than they were before. Rather, the findings are part of a high-level review to ensure that Britain's telecommunications networks remain as secure as possible.
"We can and have been managing the security risk and have set out the improvements we expect the company to make. We will not compromise on the progress we need to see: sustained evidence of better software engineering and cybersecurity, verified by HCSEC," the NCSC spokeswoman says. "This report illustrates above all the need for improved cybersecurity in the U.K. telco networks, which is being addressed more widely by the digital secretary's review."
That review of Britain's ongoing 5G security and resiliency policies, including outlining a range of options the government might pursue, is due to be released in April by Conservative MP Margot James, Minister of State for the Department for Digital, Culture, Media and Sport.
'Processes Continue to Fall Short'
HCSEC is "staffed by 35 heavily vetted analysts," the Guardian has reported. NCSC says the center's research also helps British telecommunications firms put in place more effective mitigations for any potential vulnerabilities it finds.
As noted by Martin, in July 2018, the HCSEC issued a report warning of serious concerns with Huawei's technology and engineering processes. "Huawei's processes continue to fall short of industry good practice and make it difficult to provide long-term assurance," it said.
Based on HCSEC's "concerns around Huawei's engineering and security capabilities," an NCSC spokeswoman told ISMG last month that "we have set out the improvements we expect the company to make."
MP Norman Lamb, a Liberal Democrat who chairs the House of Commons science and technology committee, asked Huawei (PDF) how it planned to respond.
In response, Huawei defended itself against suggestions that it was a tool of Chinese state espionage agencies. It also pledged to spend $2 billion to improve its processes.
But the president of Huawei's carrier business group, Ryan Ding, warned Lamb that such efforts might take three to five years to come to fruition and said it would be "like replacing components on a high-speed train in motion."
More Problems Identified
Since the July 2018 report, however, HCSEC says it has found more problems.
"Further significant technical issues have been identified in Huawei's engineering processes, leading to new risks in the U.K. telecommunications networks," the new NCSC report says.
In addition, fixes that NCSC demanded Huawei put in place have yet to materialize.
"No material progress has been made by Huawei in the remediation of the issues reported last year, making it inappropriate to change the level of assurance from last year or to make any comment on potential future levels of assurance," the report says. "Huawei's development and support processes are not currently conducive to long-term security risk management and, at present, the Oversight Board has seen nothing to give confidence in Huawei's capacity to fix this."
But as Huawei communicated to the U.K. government, the changes might take up to five years.
'Sustained Change' Required
The HCSEC Oversight Board, chaired by NCSC's Martin, includes representatives from the government as well as British telecommunications operators and Huawei.
The board is charged with ensuring that the HCSEC's assessment is limited to "Huawei products that are deployed or are contracted to be deployed in the U.K. and are relevant to U.K. national security risk as well as ensuring that HCSEC is operating in an independent and competent manner.
The Oversight Board says it will need to see evidence of a sustained - and effective - transformation on Huawei's part before its guidance to U.K. policymakers changes.
"Huawei's transformation plan could in principle be successful, bringing Huawei's software engineering and cybersecurity processes up to current industry good practice," the report says. "The Oversight Board would require NCSC assessment of evidence of sustained change across multiple versions of multiple products in order to have confidence in success - a single version of a single product with better objective engineering quality and security does not guarantee a successful and sustainable change across the company, or even in that individual product group."
What these findings mean for the U.K. government's imminent 5G rollout remains to be seen.