Huawei poses ‘significantly increased risk’ to UK network operators
The NCSC says concerns with devices and software are not linked to Chinese state interference
The National Cyber Security Centre (NCSC) has identified a "significantly increased risk" to UK network operators based on fresh concerns with Huawei's approach to devices and software development.
The Huawei Cyber Security Evaluation Centre (HCSEC) oversight board has outlined further significant technical issues in Huawei's engineering process in its fifth annual audit of the Chinese company. The report identified new risks to the UK telecommunications network, adding that no meaningful progress has been made on the issues identified in the oversight board's previous report.
"HCSEC's work continues to identify significant, concerning issues in Huawei's approach to software development bringing significantly increased risk to UK operators, which requires ongoing management and mitigation," the report said.
"Operators will need to take into account the mitigations required as a result of the extensive vulnerability and software engineering and cyber security quality information provided by the work of HCSEC."
Moreover, the oversight board "currently has not seen anything to give it confidence in Huawei's ability to bring about change", despite Huawei committing to a long-term plan to address ongoing concerns.
This five-year transformational programme, the NCSC says, could be successful in principle, but would need evidence of sustained change across multiple versions of multiple products.
The criticisms come at a critical moment for both Huawei and UK mobile network operators as they gear up to roll out 5G across the nation.
Operators have taken a mixed approach to the swirling issues, with BT towards the end of last year extracting Huawei technology from its 4G infrastructure over security concerns. But in contrast, Vodafone has warned against a blanket ban of the Chinese firm's technology, suggesting it would lead to delays in 5G rollout.
HCSEC was established in 2010 under arrangements between the networking giant and the government as a means to mitigate any risks from the company's involvement in critical UK infrastructure. This organisation is owned by Huawei, but is independent of the company.
The oversight board, chaired by the NCSC's CEO Ciaran Martin, was created five years ago to audit HCSEC's work, and identify any risks posed to the UK's networking infrastructure.
Crucially, while lambasting weaknesses in Huawei's engineering and software development, the NCSC also maintained it "does not believe that the defects identified are a result of Chinese state interference".
Instead, the report says the concerns raised are about basic engineering competence and cyber security hygiene that give rise to vulnerabilities that can then be exploited by a whole swathe of attackers.
Huawei said, despite the concerns raised, that the report does not suggest UK networks are more vulnerable than last year.
"We understand these concerns and take them very seriously. The issues identified in the OB report provide vital input for the ongoing transformation of our software engineering capabilities," a spokesperson said.
"A high-level plan for the programme has been developed and we will continue to work with UK operators and the NCSC during its implementation to meet the requirements created as cloud, digitization, and software-defined everything become more prevalent."
The HCSEC assessment covered evaluations of the products and architectures of five UK network operators. Work to validate a sample of products had already exposed wider flaws in the underlying build process, which need to be rectified.
Experts were testing for equivalence between the binaries installed on UK networks and the binaries that can be built from HCSEC source code. Because of various build-related issues, the oversight board said it is hard to be confident that different deployments of similar Huawei equipment are equivalently secure.
Another issue centred on the use of an old operating system, supplied by a third party, that will soon be out of support. Although Huawei has purchased a premium long-term support agreement from the vendor, there are underlying security risks the NCSC believes must be addressed with a credible plan.
Analysis of Huawei's wider software component lifecycle management, meanwhile, revealed flaws that could cause significant cyber security risks. This was a major finding, according to the oversight board, and will need significant rectification to mitigate.
The NCSC, moreover, is not confident that Huawei is able to remediate the "significant problems" it faces with regard to cyber security issues and software engineering flaws in software for its LTE eNodeB networking hardware.
The Chinese company has found itself embroiled in several battles with nation states and security services, both over allegations of fallibilities in its core technology, and in the case of the US, charges of fraud.
The US has even deemed Huawei high-risk enough to ban its equipment from use in all government departments. This has led to the Chinese company filing a lawsuit against the administration, claiming there is no evidence to support these restrictions.
But the EU has instead recommended that all member states conduct their own cyber security assessments independently, particularly with respect to risks presented by 5G technology as a whole. The EU, meanwhile, aims to conduct its own bloc-wide assessment, with results due by 1 October.