Huawei's ongoing software engineering shortcomings are a major cause for concern and are highlighting new risks for the UK's communications network operators, according to the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board, which has released its latest annual report.
The report lists a number of significant concerns in its conclusions (listed below) and those concerns are likely to be seized upon by Huawei's critics, particularly the representatives of the US administration that have been urging other countries to curb the Chinese vendor's involvement in critical and communications network infrastructure projects.
The report is one that will be taken very seriously by all companies, organizations and individuals with an interest in network security and the key decisions to be taken by mobile and fixed network operators as they deploy next-generation networks (including 5G). That's because the HCSEC has been undertaking independent analysis and testing of Huawei technology for almost a decade and is trusted to deliver objective findings.
The HCSEC was set up in 2010 to test and monitor Huawei technology and provide guidelines for the UK government and the country's telecom operator community about the suitability of the Chinese vendor's technology for deployment in the UK.
The security watchdog warned last July that various shortcomings in Huawei's engineering processes had exposed new security risks and the vendor subsequently pledged to spend US$2 billion during the next five years on making improvements to its software engineering capabilities to address those wide-ranging security concerns. (See Huawei Poses Security Threat, Says UK Watchdog and Huawei Pledges $2B to Address Security Concerns, Appease the Brits.)
Now the pressure is on Huawei to make speedy improvements because, among its conclusions, the HCSEC has highlighted a lack of progress in that regard.
The main takeaways from the report are as follows:
- "Further significant technical issues have been identified in Huawei's engineering processes, leading to new risks in the UK telecommunications networks"
- "No material progress has been made by Huawei in the remediation of the issues reported last year, making it inappropriate to change the level of assurance from last year or to make any comment on potential future levels of assurance."
- "HCSEC's work has continued to identify concerning issues in Huawei's approach to software development bringing significantly increased risk to UK operators, which requires ongoing management and mitigation"
- "The Oversight Board continues to be able to provide only limited assurance that the long-term security risks can be managed in the Huawei equipment currently deployed in the UK"
- "The Oversight Board advises that it will be difficult to appropriately risk-manage future products in the context of UK deployments, until the underlying defects in Huawei's software engineering and cyber security processes are remediated"
- "At present, the Oversight Board has not yet seen anything to give it confidence in Huawei's capacity to successfully complete the elements of its transformation programme that it has proposed as a means of addressing these underlying defects. The Board will require sustained evidence of better software engineering and cyber security quality verified by HCSEC and NCSC [National Cyber Security Centre]"
- "Overall, the Oversight Board can only provide limited assurance that all risks to UK national security from Huawei's involvement in the UK's critical networks can be sufficiently mitigated long-term"
So, there's plenty of work to be done by Huawei before the HCSEC is going to change its tune.
The Chinese vendor is, once again, taking the report's findings very seriously and says it is working on fixing the issues identified.
In an emailed comment to Light Reading, a Huawei spokesman noted: "The 2019 OB [Oversight Board] report details some concerns about Huawei's software engineering capabilities. We understand these concerns and take them very seriously. The issues identified in the OB report provide vital input for the ongoing transformation of our software engineering capabilities. In November last year Huawei's Board of Directors issued a resolution to carry out a companywide transformation programme aimed at enhancing our software engineering capabilities, with an initial budget of US$2bn. A high-level plan for the programme has been developed and we will continue to work with UK operators and the NCSC during its implementation to meet the requirements created as cloud, digitization, and software-defined everything become more prevalent. To ensure the ongoing security of global telecom networks, the industry, regulators, and governments need to work together on higher common standards for cyber security assurance and evaluation."
At the same time, Huawei is also trying to play down any concerns. "The 2019 OB report again recognises the effectiveness of the HCSEC. As the report says, 'The oversight provided for in our mitigation strategy for Huawei's presence in the UK is arguably the toughest and most rigorous in the world. This report does not, therefore, suggest that the UK networks are more vulnerable than last year.'"
Indeed, the report does say that, and even adds that the insights the HCSEC provides to UK operators "allows them to plan more effective mitigations." But it then adds that the report "states only that Huawei's development and support processes are not currently conducive to long-term security risk management and, at present, the Oversight Board has seen nothing to give confidence in Huawei's capacity to fix this."
While Huawei attempts to allay the HCSEC's concerns, it also awaits another important report from the UK government's Department for Culture, Media and Sport (DCMS). Last July the DCMS initiated a Future Telecoms Infrastructure Review of the UK's communications networks, which includes an analysis of the supply chain that, according to a comment the DCMS sent to Light Reading late last year, aims to "ensure a healthy, diverse and secure supply chain base, now and into the future." The findings of that report might make uncomfortable reading for some technology suppliers.
Given recent developments in the US, Australia, Canada and elsewhere, the Chinese vendors Huawei and ZTE will likely be the most apprehensive about that report.
But that raises an important point about how vendor scrutiny bears on network security: Huawei, in part due to its own operational and strategic shortcomings over the years, is under intense scrutiny, and the UK operators will at least have the HCSEC's reports to refer to when deciding how to proceed with their procurement processes. But wouldn't the operators feel happier if all major vendors were subject to the same scrutiny? What might the findings be if other major network equipment companies had their technology subjected to the same rigorous testing procedures? We can only guess, at least for now.
But that might change: The European Commission has initiated efforts to develop a regional, coordinated approach to 5G network security and it's possible that a new, broader testing regime might result from that process. That would not be a popular outcome with the broader vendor community, though. (See Eurobites: EU Sets Out Its 5G Security Stall and Ericsson CEO Slams 5G Test Plans as 'Tax Burden,' Economic Threat.)
For more on this topic, see:
- Huawei Seeks European Allies for 'Long' Fight With US
- Huawei Calls for GDPR-Like Security Regime, Denies Spying (Again)
- China Says International Bodies Should Work Together on 5G Security
- UK Govt Warns Telcos on Choice of 5G Vendors
- US Senators Urge Canada to Ban Huawei – Report
- Huawei, ZTE Charm Offensive Just Got Harder
- Australia Excludes Huawei, ZTE From 5G Rollouts
- Huawei Poses Security Threat, Says UK Watchdog
— Ray Le Maistre, Editor-in-Chief, Light Reading