UK Gov raises questions about Huawei security competence

Huawei has had a turbulent couple of months in the US, and it doesn’t look like it is going to be any easier in the UK, as a new government report points the finger at technical inadequacies.

The rather straightforwardly named Huawei Cyber Security Evaluation Centre (HCSEC), a group reporting into the National Cyber Security Centre (NCSC), has unveiled a new report which criticises the vendor on various fronts, despite pointing out Huawei has been improving its position and technical expertise. This is the fourth evaluation from the group, which is funded by Huawei in partnership with the UK Government.

“Due to areas of concern exposed through the proper functioning of the mitigation strategy and associated oversight mechanisms, the oversight board can provide only limited assurance that all risks to UK national security from Huawei’s involvement in the UK’s critical networks have been sufficiently mitigated,” the report states.

While the report is largely positive about the work Huawei is doing in the UK, it does raise a couple of issues which could lead to “new risks in the UK telecommunications networks”. The issues here primarily focus on a lack of the required end-to-end traceability from source code examined by the group, as well as the way Huawei uses commercial and open source third-party components. The latter, although theoretically sound, is not the agreed-upon process between Huawei and the UK government, raising questions over the life-cycle management process of the products.

“It is now apparent that third party software, including security critical components, on various component boards will come out of existing long-term support in 2020, even though the Huawei end of life date for the products containing this component is often longer,” the report reads.

None of the points are damning enough to cause a ruckus in government or among the operators, but elements of doubt are being raised around the Huawei business. Sometimes that is all that is needed to make the difference during the procurement process.

Security oversights and technical improvements are nothing we should be surprised about; the telco industry has never been the most security conscious. These are not necessarily major problems in the grand scheme of things, but there is a risk of issues being compounded. Communications networks are about to become much more complex, brought about by things like software defined networking, virtualisation, MVNO proliferation and edge compute architectures such as 5G, along with changes in the operational models of many telecommunications operators. The base issues will have to be addressed before layers of complexity are built on top.

Although this is certainly a light scolding in comparison to the attention Huawei has been receiving in other countries around the world, the door has been left ajar for further criticism. Some might suggest this is exactly how larger concerns in the US started, a thread in the jumper which was pulled. Whether the paranoid politicians in the US are overly sensitive to the nationalistic prejudices depends on your attitude, though there is a risk Huawei could be heading into choppy waters in the UK.

The risk of Huawei heading down the same route as ZTE is minimal. Aside from the US and a few others, many networks around the world are reliant on Huawei technology and support staff; simply cutting off the vendor would be detrimental to operations. That said, with more evidence being built against the vendor, Huawei might certainly find it more difficult to do business in the 5G world than the 4G one, which it comprehensively dominated.
