A leading UK cyber security expert has slammed Huawei’s software engineering as “very, very shoddy”.

The comments comes from the Technical Director of the National Cyber Security Centre Dr Ian Levy in an interview with the BBC. It was part of a documentary that will be broadcast this evening called Can We Trust Huawei? In it Levy says “The security in Huawei is like nothing else – it’s engineering like it’s back in the year 2000 – it’s very, very shoddy. We’ve seen nothing to give us any confidence that the transformation programme is going to do what they say it’s going to do.”

While it might seem like a bit of a bombshell, Levy is mainly reiterating the sentiments of the recent annual audit published by the Huawei Cyber Security Evaluation Centre. We asked the NCSC if it had further comment on the matter and it pointed us towards the following official statement it made following the publication of the audit.

“Huawei’s presence in the UK is subject to detailed, formal oversight. This provides us with a unique understanding of the company’s software engineering and cyber security processes. We can and have been managing the security risk and have set out the improvements we expect the company to make.

“We will not compromise on the progress we need to see: sustained evidence of better software engineering and cyber security, verified by HCSEC. This report illustrates above all the need for improved cyber security in the UK telco networks which is being addressed more widely by the Digital Secretary’s review.”

The HCSEC is chaired by the CEO of the NCSC so it’s not surprising to see a fair bit of unanimity in their public statements. Huawei is fairly contrite about its software and knows it’s something that needs sorting out. But since the HCSEC has been flagging it up for a while you have to wonder why Huawei hasn’t done a better job of it so far.

This contrition is somewhat undermined by increasingly petulant public comments from senior Huawei execs, presumably encouraged by the Chinese state. Carrier BG boss Ryan Ding is quoted in the BBC piece questioning the validity of US security concerns when it barely uses Huawei gear, which seems to miss the point somewhat, before disingenuously concluding he’s got better things to than talk about this stuff anyway.

Huawei does seem to have an ally in the form of ITU Secretary General Houlin Zhao, however, who apparently told reporters he’s not happy with the absence of evidence that Huawei poses a security threat. “I would encourage Huawei to be given equal opportunities to bid for business, and during the operational process, if you find anything wrong, then you can charge them and accuse them,” he said. “But if we don’t have anything then to put them on the blacklist – I think this is not fair.”

So while there probably isn’t anything especially new in this BBC investigation, the fact that it has been given such prominence by the UK’s national broadcaster means Huawei is likely to come under even more pressure to get its software house in order. Since we’re talking about bespoke code, some of which has been kicking about for decades, that represents a substantial undertaking.