Huawei Technologies poses a major risk to the UK’s telecommunications networks because of the company’s failure to fix security flaws found in its equipment and software, according to a report on Thursday by a government-led watchdog, which ruled out Chinese state interference as the cause of those defects.
The fifth annual report from the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board, a body set up to monitor products supplied by the Shenzhen-based firm to UK carriers, said “further significant technical issues have been identified in Huawei’s engineering processes”, which could lead to new risks in the country’s telecoms networks.
“The oversight board continues to be able to provide only limited assurance that the long-term security risks can be managed in the Huawei equipment currently deployed in the UK,” the report said.
It described the findings as being “about basic engineering competence and cybersecurity hygiene that give rise to vulnerabilities that are capable of being exploited by a range of actors”.
The UK’s National Cyber Security Centre (NCSC), which leads the HCSEC oversight board, “does not believe that the defects identified are a result of Chinese state interference”, according to the 46-page report.
Huawei, the world’s largest telecoms equipment supplier, acknowledged the issues raised by the oversight body about its software engineering processes, according to a statement from the company on Thursday.
“We understand these concerns and take them very seriously,” the firm said. “The issues identified in the 2019 HCSEC Oversight Board Report provide vital input for the ongoing transformation of our software engineering capabilities.”
It said the report proved the effectiveness of the HCSEC, which was established eight years ago by Huawei under an arrangement with the UK government to mitigate any perceived risks from the use of its equipment in the country’s critical infrastructure. Huawei’s hardware and software are tested and reviewed before being installed anywhere in the UK.
“As the report says, ‘The oversight provided for in our mitigation strategy for Huawei’s presence in the UK is arguably the toughest and most rigorous in the world. This report does not, therefore, suggest that the UK networks are more vulnerable than last year’,” the company said.
The report has come at a time when Huawei is enjoying some relief in Europe from US pressure to block the use of its equipment in the global roll-out of next-generation 5G mobile networks.
The European Commission on Tuesday ignored US calls for a blanket ban on Huawei, as it announced a series of cybersecurity recommendations for 5G mobile networks. While acknowledging US concerns, the commission urged its member-states to assess cybersecurity threats to 5G infrastructure in their national markets.
The US has been pressuring its allies to boycott Huawei telecoms network equipment, citing security concerns because of the company’s close ties with the Chinese government. Huawei has repeatedly denied that accusation.
In February, the NCSC determined that it is possible to “limit the risks from using Huawei” in 5G networks, according to a Financial Times report that cited anonymous sources.
In November last year, Huawei’s board issued a resolution to carry out a companywide transformation programme aimed at enhancing its software engineering capabilities, with an initial budget of US$2 billion.
“A high-level plan for the programme has been developed and we will continue to work with UK operators and the NCSC during its implementation to meet the requirements,” Huawei said in its statement.
Despite that commitment, the HCSEC oversight board’s report, in what may be its harshest criticism of Huawei to date, said it has not seen anything to give it confidence in Huawei’s ability to bring about change via its transformation programme. The board said it will need sustained evidence of better software engineering and cybersecurity quality verified by HCSEC and NCSC.
The board added that evidence of sustained change is especially important because similar commitments from Huawei in the past have not brought about any discernible improvements.
