Interpreting Huawei’s Failed UK Security Audit

Some people act as if the security of a system is established by an absence of evidence to the contrary. Serious professionals know otherwise. The risk of using Huawei’s 5G equipment was the most important talking point at Mobile World Congress in February. Now a UK body with national intelligence links has issued a damning report that should silence the more complacent factions who assumed Huawei must be treated as a risk-free supplier until proven otherwise.

The purpose of the UK’s Huawei Cyber Security Evaluation Centre (HCSEC) is evident from its name. Overseen by experts from the UK’s National Cyber Security Centre (NCSC) and Government Communications Headquarters (GCHQ), the centre has been reviewing Huawei’s products since 2010. Last year’s annual report identified security gaps for the first time in the HCSEC’s history. This year’s report is more critical still, reiterating the issues identified in 2018 and listing more shortcomings than before.

The most important criticism is that Huawei has failed to address the issues identified by the HCSEC last year, with “no material progress” having been made. This seems inexplicable when Huawei is subject to an overt US government campaign encouraging allies to ban the use of Huawei 5G equipment. The company’s official response observes that USD2bn has been budgeted for necessary improvements in software engineering, but what is the value of a budget when no demonstrable benefits can be shown from one year to the next?

The key specific risks identified by the HCSEC can be summarized as follows.

  • Huawei’s build process does not ensure that the binaries installed in UK networks are equivalent to those that would be built from the source code held by HCSEC, so reviewing that source code gives limited assurance about the code actually running in the network.
  • Poor configuration management means the products that are shipped may rely on different versions of software libraries, some of which have known vulnerabilities.
  • Huawei is still reliant on an outdated real-time operating system, and the HCSEC does not have “confidence” in Huawei’s ability to develop its own replacement operating system.
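The first two findings are things an evaluator can test mechanically, and it is worth seeing what that looks like. The following Python script is an added example, not code from this article, from Huawei or from HCSEC. It checks whether a binary shipped to an operator hashes to the same value as one rebuilt from the source the evaluator holds, reporting the divergent byte ranges when it does not, and it audits a component manifest for libraries shipped in several versions at once and for versions below a known fixed release. The “firmware” header format, the pinned SOURCE_DATE_EPOCH value, the manifest and the fixed-version table are all constructed stand-ins for illustration, not real product or vulnerability data.

```python
"""Added example: two checks matching the first two HCSEC findings.

(1) Binary equivalence: hash the artifact shipped to an operator and an
    artifact rebuilt from evaluator-held source; where they differ, report
    the divergent byte ranges so the source of non-determinism (here, a
    constructed build timestamp in the header) can be traced.
(2) Configuration management: scan a component manifest for libraries
    shipped in several versions at once, and for versions below the
    release in which a known flaw was fixed.

All data below is constructed for illustration; none of it is Huawei's.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed stand-in for a pinned build date (the SOURCE_DATE_EPOCH
# convention used by reproducible-build tooling). Vendor and evaluator
# must both build with it for the outputs to match.
SOURCE_DATE_EPOCH = 1546300800  # 2019-01-01T00:00:00Z


def build(source: bytes, build_time: int) -> bytes:
    """Toy 'build': 3-byte magic, 4-byte big-endian timestamp, then payload.
    The timestamp is the only non-deterministic input."""
    return b"FW1" + build_time.to_bytes(4, "big") + source


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def divergent_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Half-open [start, end) byte ranges where a and b differ."""
    ranges: List[Tuple[int, int]] = []
    start = None
    n = max(len(a), len(b))
    for i in range(n):
        if a[i:i + 1] != b[i:i + 1]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    return ranges


def verify_equivalence(shipped: bytes, rebuilt: bytes) -> dict:
    """Compare the operator's binary with the evaluator's rebuild."""
    s, r = sha256_hex(shipped), sha256_hex(rebuilt)
    return {
        "equivalent": s == r,
        "shipped_sha256": s,
        "rebuilt_sha256": r,
        "divergent_ranges": [] if s == r else divergent_ranges(shipped, rebuilt),
    }


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    used_by: str  # which part of the product links this copy


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in v.split("."))


def audit_manifest(components: List[Component],
                   fixed_in: Dict[str, str]) -> List[str]:
    """Flag duplicate library versions, then versions below the fixed release."""
    findings: List[str] = []
    versions_by_name: Dict[str, set] = {}
    for c in components:
        versions_by_name.setdefault(c.name, set()).add(c.version)
    for name, versions in versions_by_name.items():
        if len(versions) > 1:
            ordered = sorted(versions, key=parse_version)
            findings.append(f"{name}: {len(versions)} versions shipped {ordered}")
    for c in components:
        fixed = fixed_in.get(c.name)
        if fixed and parse_version(c.version) < parse_version(fixed):
            findings.append(f"{c.name} {c.version} in {c.used_by}: "
                            f"below fixed version {fixed}")
    return findings


# Constructed manifest and fixed-version table (not real CVE data).
MANIFEST = [
    Component("libssl", "1.0.2", "control-plane"),
    Component("libssl", "1.1.1", "management-agent"),
    Component("zlib", "1.2.11", "control-plane"),
    Component("zlib", "1.2.8", "management-agent"),
]
FIXED_IN = {"libssl": "1.1.0", "zlib": "1.2.11"}

if __name__ == "__main__":
    src = b"constructed source payload"
    # Vendor built with the wall clock; the evaluator rebuilt a day later.
    report = verify_equivalence(build(src, 1552000000), build(src, 1552086400))
    print("equivalent:", report["equivalent"], "differs at", report["divergent_ranges"])
    # Both sides pin the build date, so the hashes match.
    pinned = verify_equivalence(build(src, SOURCE_DATE_EPOCH), build(src, SOURCE_DATE_EPOCH))
    print("equivalent with pinned date:", pinned["equivalent"])
    for finding in audit_manifest(MANIFEST, FIXED_IN):
        print("finding:", finding)
```

With the wall-clock timestamp the two builds differ only in the header bytes, and pinning the date makes them hash identically; in a real build the same discipline has to be applied to every source of non-determinism (timestamps, build paths, embedded build IDs) before an evaluator can say that the source it holds corresponds to the binary in the network. The manifest audit shows why duplicate library copies matter: a product can ship a patched version of a library in one component while an unpatched copy is still linked into another.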

In its conclusion, the HCSEC…

…continues to be able to provide only limited assurance that the long-term security risks can be managed in the Huawei equipment currently deployed in the UK [their emphasis]

Allowing for the bureaucratic language used throughout the report, the HCSEC is especially scathing about the way Huawei has tackled the need to transform its processes.

…the Oversight Board has not yet seen anything to give it confidence in Huawei’s capacity to successfully complete the elements of its transformation programme that it has proposed as a means of addressing these underlying defects. The Board will require sustained evidence of better software engineering and cyber security quality verified by HCSEC and NCSC… [their emphasis]

Huawei’s response cherry-picked the most favorable parts of the HCSEC report.

The 2019 OB report again recognises the effectiveness of the HCSEC. As the report says, “The oversight provided for in our mitigation strategy for Huawei’s presence in the UK is arguably the toughest and most rigorous in the world. This report does not, therefore, suggest that the UK networks are more vulnerable than last year.”

The report states that “NCSC does not believe that the defects identified are a result of Chinese state interference.”

Huawei also repeated the theme they relied upon at Mobile World Congress, where they sought to shift the burden of dealing with their shortcomings to others.

A high-level plan for the programme has been developed and we will continue to work with UK operators and the NCSC during its implementation to meet the requirements created as cloud, digitization, and software-defined everything become more prevalent. To ensure the ongoing security of global telecom networks, the industry, regulators, and governments need to work together on higher common standards for cyber security assurance and evaluation.

Why does the industry need higher common standards when Huawei are falling so far short of existing standards? Edward Amoroso, founder of cyber security advisory TAG Cyber, and former Chief Security Officer of AT&T, cut through the dross by providing his personal review of the HCSEC findings.

On the one hand, we are led to believe that Huawei has super-expert developers who are cleverly embedding Trojans into their product to remotely enact world domination. But then we read from this UK report that Huawei developers not only can’t walk and chew gum, but that they can’t walk, and they can’t chew gum either. I don’t want to sound glib, but this whole thing seems spectacularly inconsistent.

Amoroso is right to demand that ‘carrier grade’ systems be designed to a higher standard than those being delivered by Huawei. However, telcos cannot simply rely on the hope that Huawei are well-intentioned doofuses. Perhaps Huawei’s developers are a lot less competent than they would like the world to believe, but that is not a good reason to be complacent about security. It would be naïve to conclude that if Huawei lacks the ability or desire to insert a backdoor then nobody else will have the opportunity to take advantage of flaws in their work. Huawei’s messy processes mean they cannot provide adequate assurance to HCSEC, and the same uncertainty would also obscure the work of anyone – whether working for Huawei or for a government intelligence agency – seeking to use Huawei’s equipment for surveillance.

It is mind-bendingly difficult to confirm that a system is secure. That is why most people prefer talking about security – or finding flaws in security – to doing the hard work involved in realizing security in practice. Huawei may be spending USD2bn on improving their software engineering, but the issues identified in the HCSEC report highlight how difficult it really is to guarantee security. Too many industry players and governments have been passing the buck on security, even though the sophistication of modern networks means the dangers are many times greater than they were just a few decades ago. Britain’s HCSEC is doing some of the hard but necessary work. Others need to step up and do more.

Eric Priezkalns
Eric is the Editor of Commsrisk.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.