Huawei Poses Security Threat, Says UK Watchdog

Cybersecurity experts have warned the British government in a new report that China's Huawei poses a threat to the security of UK telecom networks and described its lack of progress on addressing security concerns as "disappointing."

The Huawei Cyber Security Evaluation Centre (HCSEC), which was set up in 2010 to monitor the Chinese equipment vendor and report back to government authorities, said it could provide "only limited assurance that all risks to UK national security from Huawei's involvement in the UK's critical networks have been sufficiently mitigated."

In one of its key findings, HCSEC said the "identification of shortcomings in Huawei's engineering processes have exposed new risks in the UK telecommunication networks and long-term challenges in mitigation and management."

The language used implies the security threat has grown in the last year, with earlier reports concluding any risks "had been mitigated."

Huawei Technologies Co. Ltd. is the world's largest supplier of network equipment and services to communications service providers. It sells products to most of Europe's biggest operators, several of which are active in the UK, and is currently helping BT-owned Openreach to build an all-fiber broadband network. (See Eurobites: Openreach Turns to Nokia, Huawei for 'Fibre First' Aid.)

Huawei's critics have expressed concern about its close ties to Chinese state authorities and say they are worried its products may be used for surveillance purposes by the Chinese government.

Such concern has effectively locked Huawei out of the US market since 2012, when a US government report warned the country's biggest telcos off using the Chinese vendor's equipment and services. A simmering trade dispute between the US and China has heightened tensions, with US critics also accusing the Chinese of intellectual property theft.

Huawei has also encountered a backlash in Australia, where political opponents want it blocked from selling next-generation 5G products to Australian operators. Huawei is already banned from dealing with Australia's National Broadband Network, a government-backed wholesale business, and Australian authorities recently took steps to prevent it from building a subsea cable to the Solomon Islands. (See Huawei Is Main Sponsor of Trips by Australian Politicians, Says Report.)

Responding to the findings in this week's HCSEC report, a Huawei spokesperson said: "The oversight board has identified some areas for improvement in our engineering processes. We are grateful for this feedback and are committed to addressing these issues. Cybersecurity remains Huawei's top priority, and we will continue to actively improve our engineering processes and risk management systems."

Shedding more light on its work, HCSEC said it had examined Huawei products and "solutions" used by four UK operators during its reporting period and uncovered "a significant number of point vulnerabilities and more strategic architectural and process issues."

Huawei was also criticized for its use of third-party software that is "not subject to sufficient control" and its failure to manage third-party components, including open source code, used in its products.

In particular, HCSEC notes that support for some third-party software will end in 2020, even though products using this software may remain in deployment. While security authorities are currently in discussions with Huawei about this issue, HCSEC said "there is a significant risk in the UK telecoms infrastructure if Huawei and the operators are unable to support these boards long-term."
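The finding above is, at bottom, an inventory problem: a vendor cannot say which deployed boards depend on software whose support ends in 2020 unless every product carries a bill of materials that is checked against component lifecycle dates. The following Python script is an added example, not code from the HCSEC report or from Huawei: it reads a constructed CycloneDX-style SBOM and flags components that are unpinned, absent from a lifecycle table, or lose vendor support before the product's planned end of deployment. The OpenSSL end-of-support dates in the table are the published ones; the "vendor-bsp" and "zlib" entries, and the component list itself, are hypothetical.

```python
"""Third-party component lifecycle check over an SBOM.

Added example; not code from HCSEC, Huawei or any named vendor.
The SBOM below is constructed for illustration in CycloneDX JSON shape.
"""
import json
import re
from datetime import date

# Constructed sample SBOM (CycloneDX 1.4 JSON shape); component list is hypothetical.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.0.2u"},
        {"type": "library", "name": "zlib", "version": "1.2.11"},
        {"type": "operating-system", "name": "vendor-bsp", "version": "3.1"},
        {"type": "library", "name": "libpcap", "version": ""},   # no version pinned
    ],
})

# Lifecycle table keyed by (lower-case name, version prefix) -> end-of-support date.
# A value of None means "supported, no end date announced".
# OpenSSL dates are the published ones; vendor-bsp and zlib entries are hypothetical.
EOL_TABLE = {
    ("openssl", "1.0.2"): date(2019, 12, 31),
    ("openssl", "1.1.1"): date(2023, 9, 11),
    ("vendor-bsp", "3.1"): date(2020, 6, 30),   # hypothetical board support package
    ("zlib", "1.2"): None,
}


def lookup_eol(name, version, table):
    """Return (found, eol_date), matching the longest numeric version prefix in the table.

    '1.0.2u' is normalised to '1.0.2' and then tried as '1.0.2', '1.0', '1'.
    """
    numeric = re.match(r"[\d.]+", version)
    parts = numeric.group(0).strip(".").split(".") if numeric else []
    while parts:
        key = (name.lower(), ".".join(parts))
        if key in table:
            return True, table[key]
        parts.pop()
    return False, None


def audit_components(sbom_json, table, deployment_end):
    """Return a list of (name, version, issue) for components needing attention."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        name = comp.get("name", "")
        version = comp.get("version", "")
        if not version:
            findings.append((name, version, "unpinned: no version recorded in SBOM"))
            continue
        found, eol = lookup_eol(name, version, table)
        if not found:
            findings.append((name, version, "not in lifecycle inventory"))
        elif eol is not None and eol < deployment_end:
            findings.append((name, version,
                             f"support ends {eol.isoformat()}, before planned end "
                             f"of deployment {deployment_end.isoformat()}"))
    return findings


if __name__ == "__main__":
    # A network element deployed today is commonly expected to stay in service for years.
    for name, version, issue in audit_components(SAMPLE_SBOM, EOL_TABLE, date(2025, 12, 31)):
        print(f"{name} {version or '(unversioned)'}: {issue}")
```

Run against the sample, the check reports openssl 1.0.2u (support ended 2019-12-31), the hypothetical vendor-bsp 3.1 (support ends before the deployment horizon) and libpcap (no version pinned), and stays silent on zlib. The useful property is that the comparison is against the planned end of deployment, not today's date, which is exactly the gap the report describes: software whose support ends while the boards that carry it are still in the network.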

Delivering its concluding assessment, HCSEC said: "Huawei's processes continue to fall short of industry good practice and make it difficult to provide long-term assurance. The lack of progress in remediating these is disappointing."


Huawei's opponents in other jurisdictions are likely to seize on those findings as they push for tougher sanctions against Huawei and smaller Chinese rival ZTE Corp. (Shenzhen: 000063; Hong Kong: 0763).

US authorities have only just lifted a ban that stopped ZTE from buying any US components and had threatened the company's survival. ZTE was previously charged with selling equipment including US components to Iran and North Korea, in breach of US sanctions, and then of lying about the steps it had taken to make amends. (See ZTE Stock Rises After US Lifts Ban.)

The HCSEC report comes several months after the UK's National Cyber Security Centre, which collaborates with HCSEC, warned UK operators off using ZTE's products. (See ZTE Labeled Security Risk by UK Government.)

"NCSC assess that the national security risks arising from the use of ZTE equipment or services within the context of the existing UK telecommunications infrastructure cannot be mitigated," said Ian Levy, the NCSC's technical director, in a statement issued at the time.

The government backlash against China's vendors could drive service providers to consider using alternative suppliers such as Ericsson AB (Nasdaq: ERIC) and Nokia Corp. (NYSE: NOK), both of which compete in international markets against Huawei and ZTE.

Italy's Wind Tre has already replaced ZTE with Ericsson on one of its network projects and other operators are understood to be weighing their options.

Börje Ekholm, Ericsson's CEO, said it was hard to speculate about the impact of sanctions against Chinese companies. "Of course the uncertainty that some of the operators have faced following sanctions raises the topic of how to deal with it," he told analysts during an earnings call this week. "How that plays out is way too early to discuss. Yes, we did win a deal in Italy, but I think we did that based on our competitive product offering." (See Ericsson's R&D Workout Piles 5G Pressure Onto Rivals and Ericsson Back in Profit After Fierce Cuts & 5G Action.)

— Iain Morris, International Editor, Light Reading

sj0350 7/20/2018 | 1:53:42 PM
Re: Open sourcery
The "many eyes make bugs shallow" and the "large scale of deployment implies safety" arguments are not automatically safe, which is something that many adopters of FOSS fail to appreciate. Your typical complex piece of software is going to have, for example, a few dozen FOSS packages. Some of them are popular projects and have a lot of eyeballs. Some of them are not fashionable and have only a few. Moreover, it's quite possible for packages in the latter set to be very widely deployed, so then you have something that is all over the place but that has not really been vetted very much. The issues with OpenSSL are an excellent example: once the OpenBSD team started really looking at OpenSSL in the aftermath of Heartbleed, they were horrified by what they found.

That doesn't make FOSS bad.  It just means that using it is not a substitute for doing due diligence on the code.
brooks7 7/20/2018 | 12:34:59 PM
Re: Open sourcery
I think the challenge in Open Source is that there are multiple contributors and it is not always clear what they did. Depending on the Open Source project, you can have various levels of review prior to release.

For example, we brought in a new version of openSUSE and our product would no longer boot up. This happened because somebody thought it would be cute to have Penguins march across the screen during the startup sequence. However, we were a server without a monitor attached and this caused the systems to hang.

I am using this as a simple and obvious example of what can happen.  It means whenever you bring in a new revision of OS that you need to treat it with the same skepticism as that from your own team.  There are tools that will auto-update OS on a platform and help deploy it.  I would argue that nobody should use them.  For a networking product, you need to fully vet and test every version that you get.

Now saying all that, it has nothing specific to Huawei.  I have no idea what their internal OS processes are like.


James_B_Crawshaw 7/20/2018 | 7:54:54 AM
Open sourcery
Is Huawei alone in failing to "manage third-party components, including open source code"? Open source is supposed to be safer than closed code because there is more transparency and more good guys looking out for vulnerabilities. I think the problem comes when you stay with an old version of an open source project that isn't patched.

There are plenty of cyber vulnerability tools out there to help mitigate these risks. Checkmarx and WhiteHat stood out for me. Others worth considering include Fortify, Grammatech, Insignary, Rapid7, Synopsys and Veracode (soon to be part of Broadcom, bizarrely).