Committee worried about how the UK checks Huawei kit and how an old BT deal was initially cleared
The UK has not done enough to ensure IT equipment made by foreign firms, in particular Chinese company Huawei, does not pose a threat to critical national infrastructure, according to the Intelligence and Security Committee.
It raised serious concerns over the management of a centre that probes Huawei kit for security holes and over government checks on foreign investment in critical infrastructure.
Huawei has repeatedly rebuffed claims that its gear helps China carry out cyber attacks on foreign enemies or that it is influenced by the Chinese government in any way. Yet it can’t seem to shake off negative assumptions, especially in the US, where it has gained little traction thanks to security fears.
Concerns stem from the fact the founder of Huawei is Ren Zhengfei, a former officer of the People’s Liberation Army.
The UK has embraced Huawei, however. BT uses Huawei kit to run the backbone of its telecoms infrastructure, whilst EE, O2 and TalkTalk have deals with the world’s second largest networking company.
But the Intelligence and Security Committee issued a report today raising concerns about how the UK checks Huawei kit and how the BT deal was initially cleared.
It was particularly worried about the management of the Cyber Security Evaluations Centre, otherwise known as the “Cell”, which tests Huawei equipment for vulnerabilities that would allow the exploitation of backdoors.
The Committee was befuddled by the manning of the Cell, which is run entirely by Huawei employees, although they have been given government security clearance and many of them are ex-GCHQ.
“While we recognise that there are some benefits associated with the current staffing arrangements for the Cell, these do not, in our opinion, outweigh the risks of Huawei effectively policing themselves,” the report read.
It also noted the Cell was operating at reduced capacity, “both in terms of staffing and remit, and witnesses have conceded that it is too soon to tell how effective it is”.
Huawei only began to release the code of its products to the centre in March 2012, according to the report.
Whilst the report recognised BT and GCHQ continued to carry out plenty of security tests, the process for considering national security issues at the time of the BT-Huawei deal “was insufficiently robust”.
The report criticised government for not taking extra precautions when the contract was signed in 2005.
“There was no justification for failing to consult Ministers about the situation when BT first notified officials of Huawei’s interest. Such a sensitive decision, with potentially damaging ramifications, should have been put in the hands of ministers.”
The Committee expressed concern at the “apparent absence of any strategy to monitor or react to potential breaches” if they did occur.
“While we note GCHQ’s confidence in BT’s management of its network, the software that is embedded in telecommunications equipment consists of ‘over a million lines of code’ and GCHQ has been clear from the outset that ‘it is just impossible to go through that much code and be absolutely confident you have found everything’,” the report read.
“There will therefore always be a risk in any telecommunications system, worldwide. What is important is how it is managed, or contained.”
The Committee urged the government to be aware of the inherent dangers of a globalised market. “As the Cabinet Office told the Committee: the commoditised communications marketplace, where products can be manufactured anywhere in the world, contains inherent risks.”
Onlookers believe the Committee is right to worry about foreign investment in critical infrastructure, but special attention should not be given to Huawei. “Governments need to apply the same level of scrutiny to all suppliers and not just Huawei,” Brian Honan, founder of the Irish Reporting and Information Security Service, Ireland’s first CERT, told TechWeekEurope.
Nevertheless, the management of the Cell is something government should address, according to experts. “It is questionable what value, if any at all, could be taken from security research and reports undertaken by Huawei employees,” Adrian Culley, former Scotland Yard detective and global security consultant for Damballa, told TechWeek.
“Differentiating between commercial entities (such as Huawei) and state bodies (such as the People’s Liberation Army – PLA) is not straightforward when it comes to the People’s Republic of China (PRC).”
As a business, Huawei may struggle to improve its image, Honan added. “Huawei will find it a major challenge to overcome concerns like this, especially with the perceived link to the Chinese government.”
Huawei said a two-year audit was carried out before the BT contract was signed, claiming it has the “full support” of its customers and the UK government. It pointed to a section of the report, in which GCHQ said it was “confident that the UK network has not been at risk…at any stage”.
“Huawei is willing to work with all governments in a completely open and transparent manner to jointly reduce the risk of cyber security,” it added.
BT said it had a healthy relationship with Huawei, saying its “testing regime enables us to enjoy constructive relationships with many suppliers across the globe”.
The UK government, meanwhile, has reiterated its desire to encourage investment from Chinese companies, noting Huawei’s pledge to pump £1.3 billion into its UK business over the next five years.
Chancellor George Osborne said: “The message is simple. Inward investment is critical to generating UK jobs and growth. It is a personal priority of mine to increase trade links between the UK and China and I cannot emphasise enough that the UK is open to Chinese investment.”