Cybersecurity experts have warned the British government in a new report that China's Huawei poses a threat to the security of UK telecom networks and described its lack of progress on addressing security concerns as "disappointing."
The Huawei Cyber Security Evaluation Centre (HCSEC), which was set up in 2010 to monitor the Chinese equipment vendor and report back to government authorities, said it could provide "only limited assurance that all risks to UK national security from Huawei's involvement in the UK's critical networks have been sufficiently mitigated."
In one of its key findings, HCSEC said the "identification of shortcomings in Huawei's engineering processes have exposed new risks in the UK telecommunication networks and long-term challenges in mitigation and management."
The language used implies the security threat has grown in the last year, with earlier reports concluding any risks "had been mitigated."
Huawei Technologies Co. Ltd. is the world's largest supplier of network equipment and services to communications service providers. It sells products to most of Europe's biggest operators, several of which are active in the UK, and is currently helping BT-owned Openreach to build an all-fiber broadband network. (See Eurobites: Openreach Turns to Nokia, Huawei for 'Fibre First' Aid.)
Huawei's critics have expressed concern about its close ties to Chinese state authorities and say they are worried its products may be used for surveillance purposes by the Chinese government.
Such concern has effectively locked Huawei out of the US market since 2012, when a US government report warned the country's biggest telcos off using the Chinese vendor's equipment and services. A simmering trade dispute between the US and China has heightened tensions, with US critics also accusing the Chinese of intellectual property theft.
Huawei has also encountered a backlash in Australia, where political opponents want it blocked from selling next-generation 5G products to Australian operators. Huawei is already banned from dealing with Australia's National Broadband Network, a government-backed wholesale business, and Australian authorities recently took steps to prevent it from building a subsea cable to the Solomon Islands. (See Huawei Is Main Sponsor of Trips by Australian Politicians, Says Report.)
Responding to the findings in this week's HCSEC report, a Huawei spokesperson said: "The oversight board has identified some areas for improvement in our engineering processes. We are grateful for this feedback and are committed to addressing these issues. Cybersecurity remains Huawei's top priority, and we will continue to actively improve our engineering processes and risk management systems."
Shedding more light on its work, HCSEC said it had examined Huawei products and "solutions" used by four UK operators during its reporting period and uncovered "a significant number of point vulnerabilities and more strategic architectural and process issues."
Huawei was also criticized for its use of third-party software that is "not subject to sufficient control" and its failure to manage third-party components, including open source code, used in its products.
In particular, HCSEC notes that support for some third-party software will end in 2020, even though products using this software may remain in deployment. While security authorities are currently in discussions with Huawei about this issue, HCSEC said "there is a significant risk in the UK telecoms infrastructure if Huawei and the operators are unable to support these boards long-term."
Delivering its concluding assessment, HCSEC said: "Huawei's processes continue to fall short of industry good practice and make it difficult to provide long-term assurance. The lack of progress in remediating these is disappointing."
Huawei's opponents in other jurisdictions are likely to seize on those findings as they push for tougher sanctions against Huawei and smaller Chinese rival ZTE Corp. (Shenzhen: 000063; Hong Kong: 0763).
US authorities have only just lifted a ban that stopped ZTE from buying any US components and had threatened the company's survival. ZTE was previously charged with selling equipment including US components to Iran and North Korea, in breach of US sanctions, and then with lying about the steps it had taken to make amends. (See ZTE Stock Rises After US Lifts Ban.)
The HCSEC report comes several months after the UK's National Cyber Security Centre, which collaborates with HCSEC, warned UK operators off using ZTE's products. (See ZTE Labeled Security Risk by UK Government.)
"NCSC assess that the national security risks arising from the use of ZTE equipment or services within the context of the existing UK telecommunications infrastructure cannot be mitigated," said Ian Levy, the NCSC's technical director, in a statement issued at the time.
The government backlash against China's vendors could drive service providers to consider using alternative suppliers such as Ericsson AB (Nasdaq: ERIC) and Nokia Corp. (NYSE: NOK), both of which compete in international markets against Huawei and ZTE.
Italy's Wind Tre has already replaced ZTE with Ericsson on one of its network projects and other operators are understood to be weighing their options.
Börje Ekholm, Ericsson's CEO, said it was hard to speculate about the impact of sanctions against Chinese companies. "Of course the uncertainty that some of the operators have faced following sanctions raises the topic of how to deal with it," he told analysts during an earnings call this week. "How that plays out is way too early to discuss. Yes, we did win a deal in Italy, but I think we did that based on our competitive product offering." (See Ericsson's R&D Workout Piles 5G Pressure Onto Rivals and Ericsson Back in Profit After Fierce Cuts & 5G Action.)
— Iain Morris, International Editor, Light Reading