The Huawei Cyber Security Evaluation Centre (HCSEC), a UK body that answers to national intelligence officials, has issued its third damning annual report in a row. The HCSEC Oversight Board unanimously agreed that the Chinese manufacturer had not adequately addressed the security concerns raised in previous reports, and it also advised that HCSEC investigators had found a vulnerability of ‘national significance’ that forced UK telcos to take ‘extraordinary action’ before it could cause a network outage or cyber attack.
The HCSEC report covers the 2019 calendar year, with publication delayed as a result of the pandemic. Its work was further complicated by US government restrictions on Huawei, which also cover entities such as HCSEC that are funded by the Chinese manufacturer. Despite the new difficulties, its findings were familiar.
The character of vulnerabilities has not changed significantly between years, with many vulnerabilities being of high impact… including unprotected stack overflows in publicly accessible protocols, protocol robustness errors leading to denial of service, logic errors, cryptographic weaknesses, default credentials and many other basic vulnerability types.
Improvements were noted in several areas, but other failings persisted.
Major quality deficiencies still exist in the products analysed by HCSEC. Sustained evidence of poor coding practices was found, including evidence that Huawei continues to fail to follow its own internal secure coding guidelines.
Poor Huawei engineering practices put UK networks at real risk.
During 2019, HCSEC identified critical, user-facing vulnerabilities in fixed access products. The vulnerabilities were caused by particularly poor code quality in user-facing protocol handlers and the use of an old operating system. The vulnerabilities were a serious example of the issues that are more likely to occur given the deficiencies in Huawei’s engineering practices, and during 2019 UK operators needed to take extraordinary action to mitigate the risk. Huawei have since fixed the specific vulnerabilities in the UK, but in doing so, introduced an additional major issue into the product, adding further evidence that deficiencies in Huawei’s engineering processes remain today.
In this example, the code quality in these user-facing protocol handlers was sufficiently poor that NCSC [the UK’s National Cyber Security Centre] has required Huawei to fully rewrite the code, and rearchitect the product’s security.
Pro-Huawei commenters often talk as if the firm is the victim of raging, irrational, emotional prejudice. This is nonsense. Consider the understated choice of words used by the HCSEC when discussing real threats to the security and privacy of millions of ordinary people.
…where the impact of the vulnerability is of national significance, the release of full details of the vulnerability to Huawei may be delayed to allow the UK community to assess and mitigate the impact. This occurred during 2019.
Huawei has promised that many of its flaws will be resolved through a USD 2bn programme to improve legacy code and strengthen the firm’s engineering practices. However…
…the Oversight Board has not yet seen anything to give it confidence in Huawei’s capacity to successfully complete the elements of its transformation programme that it has proposed as a means of addressing these underlying defects. The Board will require sustained evidence of better software engineering and cyber security quality…
The HCSEC report will add to the pressure on Huawei. The Chinese manufacturer already faces limits on what it can sell to UK telcos for national security reasons, but its foothold in older networks and its established presence, which includes a major office investment in Reading, would have led it to hope for a turnaround in its political fortunes. A positive report from a respected UK body would have weighed in Huawei’s favour when dealing with telcos in other countries. Whilst many countries lacked foresight on how to handle the security implications of telcos depending on a Chinese manufacturer for vital infrastructure, HCSEC was established nine years ago and represents the gold standard for the independent and transparent assessment of the security of Huawei’s equipment. This latest report will further reduce the chances of Huawei making sales to other Western countries whose governments have tried to maintain a more open stance towards the Chinese state despite its crackdown on Hong Kong democracy activists and the incarceration of a million people belonging to the Uyghur ethnic minority.
None of the problems that HCSEC found with Huawei’s equipment were thought to be a deliberate attempt to create backdoors for Chinese state surveillance. Nevertheless, the repeated failure to address serious shortcomings raises the question of why so many in this industry argue that Huawei is treated unfairly. HCSEC was founded with Huawei’s money but is subject to rigorous oversight; Huawei accepted the arrangement because of the profits it hoped to enjoy by becoming a dominant infrastructure supplier to rich countries like the UK. Many others who benefit financially from their relationship with Huawei keep arguing for a ‘consensus’ on security that seemingly guarantees Huawei will never be rejected as a supplier, even though the Chinese manufacturer already has an established history of broken promises.
The HCSEC Oversight Board Annual Report 2020 can be found here.