UK cybersecurity officials have said Huawei has made only “limited progress” in addressing issues raised about its cybersecurity practices, and has only been able to provide “limited assurances” that the risks of using its kit in British telecommunications networks can be adequately managed.
A report from the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board has previously expressed concerns about the Chinese vendor’s engineering practices, claiming they have allowed vulnerabilities to creep into its products.
Huawei has promised to improve and is in the first year of a $2 billion five-year programme but HCSEC has doubts about whether it can remedy the situation.
Huawei UK
“It will be difficult to appropriately risk manage future products in the context of UK deployments, until the underlying defects in Huawei’s software engineering and cyber security processes are remediated,” the report said.
“At present, the Oversight Board has not yet seen anything to give it confidence in Huawei’s capacity to successfully complete the elements of its transformation programme that it has proposed as a means of addressing these underlying defects. The Board will require sustained evidence of better software engineering and cyber security quality verified by HCSEC and NCSC.”
The report added that a vulnerability of “national significance” had been identified in Huawei’s equipment during the review period. The company has since fixed the issue and there is no evidence that the vulnerability had been exploited.
The HCSEC said the existence of the vulnerability was due to “basic engineering competence and cybersecurity hygiene” and not the result of Chinese state interference. A Huawei spokesperson reiterated that fact in its statement, adding the process highlighted its commitment to transparency and the effectiveness of the HCSEC.
“The report again concludes that the ‘NCSC does not believe that the defects identified are a result of Chinese state interference’ and “this does not suggest that UK networks are more vulnerable than last year,” said a spokesperson.
“As innovators, we continue significant investment to improve our products. The report acknowledges that while our software transformation process is in its infancy, we have made some progress in improving our software engineering capabilities.”
Nonetheless, the conclusion is far form helpful for Huawei as it continues to convince regulators and governments around the world that its kit does not constitute a national security risk – as has been claimed by the US government.
The UK was a breakthrough market for Huawei, which secured a major contract with BT in 2005. Since then it has expanded significantly across Europe and beyond, becoming a major partner for some of the biggest broadband and mobile operators in the world.
The HCSEC was established in 2010 to mitigate any potential threats, with an oversight board formed four years later. This is the sixth annual report published by the board, which covered the period between January and December 2019 and therefore did not take into account government policy changes.
In January, the government ruled that Huawei gear could be used in UK 5G networks but would be subject to a 35% cap. In July It reversed this policy, banning operators from buying Huawei equipment from the end of this year and ordering them to strip out existing 5G kit by 2027.