British Report Reveals More Risk, More Trouble for Huawei

Britain has just publicly chastised China’s Huawei Technologies for failing to fix long-standing security flaws in its mobile network equipment and revealed new “significant technical issues,” increasing pressure on the company as it battles Western allegations that Beijing could use its gear for spying.  In a report published last week, the government-led board that oversees vetting of Huawei gear in Britain said continued problems with the company’s software development had brought “significantly increased risk to UK operators.”  British security officials previously said they believed any risks posed by Huawei could be managed.

 

The board – which includes officials from Britain’s GCHQ communications intelligence agency – said in the report that the company had made “no material progress” addressing security flaws and it didn’t have confidence in Huawei’s capacity to deliver on proposed measures to address “underlying defects.” The unusually direct criticism is a fresh blow to the world’s largest maker of mobile network equipment, which has been under intense scrutiny in recent months.

 

Officials in the United States and elsewhere have been increasingly public in voicing concerns that Huawei’s equipment could be used by Beijing for spying or sabotage, particularly as operators move to the next “5G” generation of mobile networks.

 

Shenzhen-based Huawei said in a statement it took the oversight board’s concerns “very seriously” and that the issues identified in the report “provide vital input for the ongoing transformation of our software engineering capabilities.”  While Huawei pledged last year to spend more than $2 billion as part of efforts to address problems previously identified by Britain, the company also warned it could take up to five years to see results.

 

In the report, the government-led board said: “These findings are about basic engineering competence and cyber security hygiene that give rise to vulnerabilities that are capable of being exploited by a range of actors,” adding, “NCSC (National Cyber Security Centre) does not believe that the defects identified are a result of state interference.”

 

The work of the oversight board and its findings will help inform future government policy on network security, officials say, but the final decision lies with ministers, and British officials now need to see evidence of significant change. “The evidence of sustained change is especially important as similar strongly worded commitments from Huawei in the past have not brought about any discernible improvements,” the report stated, adding that Huawei had failed to follow through on security commitments made as far back as 2012.

 

The 40-plus-page report identified several new technical issues with Huawei equipment and revealed that the problems were at a greater scale than previously publicly acknowledged. These include concerns related to a product called eNodeB, which provides a connection between the network and a user’s mobile phone.

 

According to the report, the oversight board looked at updated versions of software that were intended to incorporate security improvements but found “the general software engineering and cyber security quality of the product continues to demonstrate a significant number of major defects.”  The report also revealed that in 2018, the lab had reported to UK operators “several hundred vulnerabilities and issues.”

 

The board concluded that overall, the problems reveal “serious and systematic defects in Huawei’s software engineering and cyber security competence”. And, as a result, the board could still only provide limited assurances that the security risks posed by Huawei equipment could be managed long term, adding, “The oversight board advises that it will be difficult to appropriately risk manage future products in the context of UK deployments, until the underlying defects in Huawei’s software engineering and cyber security processes are remediated.”


Photo Credit: Ink Drop / Shutterstock.com