The UK’s dedicated Huawei Cyber Security Evaluation Centre (HCSEC) has issued its first report since the US increased pressure to ban the firm.
HCSEC is based in Banbury, Oxfordshire and its oversight board issues annual reports raising any concerns about the company’s practices.
Last year’s report was noted as the first where HCSEC could no longer assure that risks had been mitigated due to concerns around Huawei’s engineering processes. Security officials were said to be frustrated at the slow progress by Huawei in addressing the problems.
The report notes that “no material progress has been made by Huawei in the remediation of the issues reported last year, making it inappropriate to change the level of assurance from last year or to make any comment on potential future levels of assurance.”
More concerningly, however, is the report highlights that further significant technical issues have been identified which pose new risks to UK telecoms networks.
“CSEC's work has continued to identify concerning issues in Huawei’s approach to software development bringing significantly increased risk to UK operators, which requires ongoing management and mitigation,” the report states.
Operators such as Vodafone and Three have lobbied against banning Huawei due to existing use of the vendor’s equipment. They argue it would be costly to replace Huawei equipment while also causing a significant delay in the rollout of 5G services.
"We've already started to deploy equipment for when we launch 5G in the second half of the year," said Three CEO David Dyson. "So if we had to change vendor now, we would take a big step backwards and probably cause a delay of 12 to 18 months."
"Huawei met all of the standards that the other operators met, and we felt at the end of that process that Huawei was the right choice for our customers and for our business."
Commenting on the centre’s report, a Huawei spokesperson said:
“The 2019 report again recognises the effectiveness of the HCSEC. As the report says, ‘The oversight provided for in our mitigation strategy for Huawei's presence in the UK is arguably the toughest and most rigorous in the world. This report does not, therefore, suggest that the UK networks are more vulnerable than last year.’
The report details some concerns about Huawei's software engineering capabilities. We understand these concerns and take them very seriously. The issues identified in the report provide vital input for the ongoing transformation of our software engineering capabilities. In November last year, Huawei's Board of Directors issued a resolution to carry out a company-wide transformation programme aimed at enhancing our software engineering capabilities, with an initial budget of US$2bn.
A high-level plan for the programme has been developed and we will continue to work with UK operators and the NCSC during its implementation to meet the requirements created as cloud, digitization, and software-defined everything become more prevalent. To ensure the ongoing security of global telecom networks, the industry, regulators, and governments need to work together on higher common standards for cybersecurity assurance and evaluation.”
Until Huawei addresses the problems with its engineering processes, the HCSEC oversight board advises it will be difficult to manage the risk in the context of UK deployments. Given the firm’s slow response, the oversight board expresses doubt it will feel able to change its advice.
“At present, the Oversight Board has not yet seen anything to give it confidence in Huawei’s capacity to successfully complete the elements of its transformation programme that it has proposed as a means of addressing these underlying defects.”
While the centre hasn’t found any evidence of state-backed espionage, which is the main concern of the US, it has reported ‘several hundred vulnerabilities and issues’ to UK operators.
Interested in hearing industry leaders discuss subjects like this and sharing their experiences? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London, and Amsterdam to learn more.
