A UK government report card on the security of Huawei's equipment would seem largely redundant. The Chinese vendor, after all, was hit with a 5G ban last year. All three operators that use Huawei – BT, Three and Vodafone – have identified alternative suppliers and are discarding their Chinese products like mouldy fortune cookies.
But the latest verdict from the Huawei Cyber Security Evaluation Centre (HCSEC) could have relevance simply because Huawei may be around in UK mobile until 2028, if operators work to the deadline set by the government. More importantly, a decision has still not been taken on Huawei's role in UK fixed. It remains one of the biggest suppliers of fiber access products to BT, the market incumbent.
Figure 1: UK watchdogs continue to find vulnerabilities in Huawei products. (Source: Pixabay)
The headline judgement, then, is a concern for both Huawei and BT. After carrying out its inspections last year, HCSEC determined there had been "no overall improvement over the course of 2020 to meet the product software engineering and cyber security quality expected by the NCSC [National Cyber Security Centre]." A government agency that reckons Huawei has not markedly improved is unlikely to recommend it be used in 5G, fiber or anywhere else.
Its finding comes after Huawei promised back in dim and distant 2018 to spend as much as $2 billion on rectifying the problems HCSEC had then identified. Earlier this year, the company made a big deal of its pivot to software, depicting a future in which Huawei is recognized more as a composer of code than a builder of boxes. "Overall software capabilities have seen remarkable progress and we will continue," said Eric Xu, one of Huawei's rotating bosses, during an analyst summit in April.
Some plus points
The HCSEC report is not entirely negative. It does, for instance, laud Huawei's efforts to address vulnerabilities caused by poor code quality in its fixed access portfolio – presumably including products sold to BT. After attention by Huawei, those vulnerabilities have now all been "remediated," said HCSEC.
One of its main issues previously was that Huawei had continued to use components the industry no longer supports, making them more vulnerable to exploitation. By the end of last year, Huawei and its customers had updated 52% of these equipment boards and another 17% had reached the end of their natural life. "Overall, Huawei and UK operators have made considerable progress at remediating the risk during 2020," said HCSEC, adding that any risks to the UK should fall to a manageable level this year.
Huawei, unsurprisingly, has seized on these more positive bullet points as evidence of progress. In a statement emailed to Light Reading, it noted that: "The report concludes Huawei has made 'sustained progress' in addressing issues highlighted in previous reports and has made 'considerable progress' in third-party component support."
The problem for Huawei is that – even if it wins unconditional praise next time round – it is highly unlikely to be allowed back into UK mobile. For one thing, operators are already partway through a costly swap-out. For another, the UK government has unsurprisingly sided with the democratic US against one-party China in the latest geopolitical clash. Huawei and other Chinese firms, it reckons, are not to be trusted because they are ultimately answerable to the Chinese government. No gold star for cyber security is going to change that position.
In this context, there is still a risk the government moves to ban Huawei from the fixed access market, too. Wary of this possibility, BT recently introduced a third vendor in the shape of Adtran, a US firm, alongside Huawei and Nokia. But a government directive forcing it to replace Huawei could drive up its costs. It might also delay BT's rollout of full-fiber networks at a time when fixed broadband access is more economically important than ever.
Curiously, the wider world has no idea whether products designed by Huawei's rivals are any safer. There has never been an Ericsson or Nokia Cyber Security Evaluation Centre, proving the campaign against Huawei is about geopolitics rather than the nitty gritty of coding vulnerabilities. A Nordic identity does not guarantee that products are flawless.
— Iain Morris, International Editor, Light Reading