Oversight Board Again Flags Huawei Security Concerns

Huawei is once again facing questions over the security of its equipment after the British government published an official report that alleged the Chinese vendor had failed to adequately tackle previously flagged security flaws.

The report was published by the UK’s Huawei Cyber Security Evaluation Centre (HCSEC), which is an Huawei oversight board, chaired by a member of the GCHQ. Its job is to oversee the use of foreign products.

In March 2019, the HCSEC issued a report was that scathing about Huawei’s security failings, and at the same time also expressed a lack of confidence in its ability to fix long-standing security flaws, some of which date back years.

HCSEC report

It pointed to flaws discovered in 2018 when HCSEC officials said they had found problems in telecoms network equipment from Huawei that could expose security risks.

It should be remembered that since 2010 Huawei maintains a security centre in the UK where British national security officials can review its equipment for any possible issues.

And now two years later, the latest HCSEC report continued to express its concern at Hauwei’s ability to fix flaws and vulnerabilities.

It said that it had “taken further evidence around the root causes of the significant software engineering and cyber security issues that came to light last year.”

“For specific products used in the UK, Huawei have simplified and made significant improvements to the build process, although issues remain,” stated the report. “While a positive outcome, we do not yet have evidence that this is a holistic shift in Huawei’s approach, rather than a point-fix for these products. Correspondingly, we do not yet have confidence that this improvement will be sustained.”

Major deficiencies

“Major quality deficiencies still exist in the products analysed by HCSEC. Sustained evidence of poor coding practices was found, including evidence that Huawei continues to fail to follow its own internal secure coding guidelines,” the report said. “This is despite some minor improvements over previous years.”

“Limited progress has been made on certain issues raised in the 2018 report and further issues have been identified in this year’s report,” it added. “The Oversight Board continues to be able to provide only limited assurance that the long-term security risks can be managed in the Huawei equipment currently deployed in the UK.”

“The Oversight Board advises that it will be difficult to appropriately risk manage future products in the context of UK deployments, until Huawei’s software engineering and cyber security processes are remediated,” it said.

“As noted in last year’s report, the Oversight Board currently has not seen anything to give it confidence in Huawei’s ability to bring about change via its transformation programme and will require sustained evidence of better software engineering and cyber security quality verified by HCSEC and NCSC,” it concluded.

The report comes after the British government in July officially ordered British mobile operators to remove all Huawei equipment from 5G networks within seven years.

Huawei response

Huawei however has said the report does acknowledge the progress it has made in software engineering.

“The report acknowledges that while our software transformation process is in its infancy, we have made some progress in improving our software engineering capabilities,” a spokesman was quoted as saying by the BBC.

Huawei of course is still hoping to sell its 5G equipment to other countries in Europe.

Germany this week however indicated it will toughen scrutiny of Huawei equipment – with one source alleging to Reuters the move would strangle Huawei in red tape.

Reuters also reported that France will informally exclude the Chinese vendor.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

View Comments

  • There must be manufacturers besides Huawei that can provide 5G equipment that don't have existential national security risks.

Recent Posts

BT Eagle-i Seeks To Predict, Prevent Cyberattacks

Proactive security approach. New security platform from BT Security, dubbed 'Eagle-i', seeks to predict and…

3 days ago

Apple Risks South Korean Clash After Investigation Warning

South Korean government official warns of possible investigation into Apple's compliance with new App Store…

3 days ago

Moscow Metro Facial Recognition System For Speedy Payments

Privacy concern. Moscow's Metro system has launched 'Face Pay', a mass facial recognition system for…

3 days ago

US Army Delays $22 Billion Microsoft Augmented Reality Headsets

United States Army pushes back deployment date of Microsoft's augmented reality headsets, but insists it…

3 days ago

TSMC Confirms Chip Plant For Japan

Taiwanese chip giant TSMC confirms it will build a chip factory in Japan, that will…

3 days ago

GitLab Raises $800m In Successful Initial Public Offering

After a successful public debut that raised hundreds of millions of dollars, coding platform GitLab…

3 days ago