UK alerted to potential cyber risks of Huawei equipment

The latest annual report from the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board has identified “shortcomings” in Huawei’s engineering processes.

Despite finding that the capability of HCSEC had improved in 2017 and that technical work relevant to overall mitigation strategy can be performed at scale and with high quality, the report said the Oversight Board can provide “only limited assurance” that all risks to UK national security from Huawei’s involvement in the UK’s critical networks have been sufficiently mitigated. “We are advising the National Security Adviser on this basis,” the report said.

The report comes just three months after the National Cyber Security Centre (NCSC) advised the UK telecommunications sector to avoid the use of equipment and services from ZTE in China.

“NCSC assess that the national security risks arising from the use of ZTE equipment or services in the context of the existing UK telecommunications infrastructure cannot be mitigated,” said Ian Levy, technical director at the NCSC.

HCSEC was set in November 2010 under a set of arrangements between Huawei and the UK government to mitigate any perceived risks arising from the involvement of Huawei in parts of the UK’s critical national infrastructure. The centre is overseen by UK security officials, including representatives of GCHQ, but the use of Huawei equipment has always been controversial because of security concerns.

The HCSEC Oversight Board, set up in 2014, is chaired by Ciaran Martin, the CEO of the National Cyber Security Centre (NCSC) and an executive member of GCHQ’s Board with responsibility for cyber security.

The report highlights shortcomings in Huawei’s engineering processes, which it said “have exposed new risks in UK telecoms networks” adding that “significant work” is required to tackle the issues.

The report said Huawei is failing to follow agreed security processes around the use of third-party components. “In particular, security critical third-party software used in a variety of products was not subject to sufficient control.”

Huawei, which is a major supplier of broadband and mobile network equipment in the UK, responded to the report by acknowledging that there are “some areas for improvement”.

A company spokesman said: “We are grateful for this feedback and are committed to addressing these issues. Cyber-security remains Huawei's top priority, and we will continue to actively improve our engineering processes and risk management systems.”

The report said the National Security Adviser Mark Sedwill had been alerted to the issues in February and that work continues to remediate the engineering process issues in other products that are deployed in the UK, prioritised based on risk profiles and deployment volumes.

“This work should give us the ability to provide end-to-end assurance that the code analysed by HCSEC is the constituent code used to build the binary packages executed on the network elements in the UK,” the report said, adding that until this work is completed, the Oversight Board can offer only limited assurance due to the lack of the required end-to-end traceability from source code examined by HCSEC through to executables use by the UK operators.