Huawei poses ‘significantly increased risk’ to UK network operators

The NCSC says concerns with devices and software are not linked to Chinese state interference

The National Cyber Security Centre (NCSC) has identified a "significantly increased risk" to UK network operators based on fresh concerns with Huawei's approach to devices and software development.

The Huawei Cyber Security Evaluation Centre (HCSEC) oversight board has outlined further significant technical issues in Huawei's engineering process in its fifth annual audit of the Chinese company. The report identified new risks to the UK telecommunications network, adding that no meaningful progress has been made on the issues identified in the oversight board's previous report.

"HCSEC's work continues to identify significant, concerning issues in Huawei's approach to software development bringing significantly increased risk to UK operators, which requires ongoing management and mitigation," the report said.

"Operators will need to take into account the mitigations required as a result of the extensive vulnerability and software engineering and cyber security quality information provided by the work of HCSEC."

Moreover, the oversight board "currently has not seen anything to give it confidence in Huawei's ability to bring about change", despite Huawei committing to a long-term plan to address ongoing concerns.

This five-year transformational programme, the NCSC says, could be successful in principle, but would need evidence of sustained change across multiple versions of multiple products.

The criticisms come at a critical moment for both Huawei and UK mobile network operators as they gear up to roll out 5G across the nation.

Operators have taken a mixed approach to the swirling issues, with BT towards the end of last year extracting Huawei technology from its 4G infrastructure over security concerns. But in contrast, Vodafone has warned against a blanket ban of the Chinese firm's technology, suggesting it would lead to delays in 5G rollout.

HCSEC was established in 2010 under arrangements between the networking giant and the government as a means to mitigate any risks from the company's involvement in critical UK infrastructure. This organisation is owned by Huawei, but is independent of the company.

The oversight board, chaired by the NCSC's CEO Ciaran Martin, was created five years ago to audit HCSEC's work, and identify any risks posed to the UK's networking infrastructure.

Crucially, while lambasting weaknesses in Huawei's engineering and software development, the NCSC also maintained it "does not believe that the defects identified are a result of Chinese state interference".

Instead, the report says the concerns raised are about basic engineering competence and cyber security hygiene that give rise to vulnerabilities that can then be exploited by a whole swathe of attackers.

Huawei said, despite the concerns raised, that the report does not suggest UK networks are more vulnerable than last year.

"We understand these concerns and take them very seriously. The issues identified in the OB report provide vital input for the ongoing transformation of our software engineering capabilities," a spokesperson said.

"A high-level plan for the programme has been developed and we will continue to work with UK operators and the NCSC during its implementation to meet the requirements created as cloud, digitization, and software-defined everything become more prevalent."

The HCSEC assessment covered evaluations of the products and architectures of five UK network operators. Work to validate a sample of products had already exposed wider flaws in the underlying build process which need to be rectified.

Experts were testing for equivalence between the binary installed on UK networks and the binary that can be built from HCSEC source code. Due to various build-related issues, the oversight board said it is hard to be confident that different deployments of similar Huawei equipment are equivalently secure.

Another issue centred on the use of an old operating system, supplied by a third party, that will soon be out of support. Although Huawei has purchased a premium long-term support agreement from the vendor, there are underlying security risks the NCSC believes must be addressed with a credible plan.

Analysis of Huawei's wider software component lifecycle management, meanwhile, revealed flaws that could cause significant cyber security risks. This was a major finding, according to the oversight board, and will need significant rectification to mitigate.

The NCSC, moreover, is not confident that Huawei is able to remediate the "significant problems" it faces with regard to cyber security issues and software engineering flaws in software for its LTE eNodeB networking hardware.

The Chinese company has found itself embroiled in several battles with nation states and security services, both over allegations of fallibilities in its core technology, and in the case of the US, charges of fraud.

The US has even deemed Huawei high-risk enough to ban its equipment from use in all government departments. This has led to the Chinese company filing a lawsuit against the administration, claiming there is no evidence to support these restrictions.

But the EU has instead recommended that all member states conduct their own cyber security assessments independently, particularly with respect to risks presented by 5G technology as a whole. The EU, meanwhile, aims to conduct its own bloc-wide assessment, with results due by 1 October.
