The body which assures the security of Huawei technology installed in UK telecoms networks has issued an annual report which has identified “risks” for the first time in its history. The Huawei Cyber Security Evaluation Centre (HCSEC) represents an unusual arrangement where a facility that answers to the UK’s National Cyber Security Centre (NCSC), but which is paid for by Huawei, is responsible for the supposedly independent assessment of the cybersecurity implications of using Huawei’s technology in UK networks. The fourth annual report of its Oversight Board, published recently, is the first not to have given a clean bill of health to Huawei’s technology. The report states that:
Technical issues have been identified in Huawei’s engineering processes, leading to new risks in the UK telecommunications networks
As a result, the Oversight Board decided it…
…can provide only limited assurance that all risks to UK national security from Huawei’s involvement in the UK’s critical networks have been sufficiently mitigated
Two particular security issues were identified in the report. The first concerned Huawei technology using potentially different software in real life to that which had been scrutinized by the HCSEC.
It is the NCSC intent that all products deployed in the UK will have repeatable builds and that HCSEC will be able to routinely show equivalence between the binary installed in UK networks and the binary that can be built from the source code held by HCSEC. This verification should be completed for every product version deployed in the UK that has been assessed by HCSEC. It is important that all products can be built in this way to enable the risk-based approach to HCSEC’s prioritisation of work.
Until this work is completed, the Oversight Board can offer only limited assurance due to the lack of the required end-to-end traceability from source code examined by HCSEC through to executables use by the UK operators.
The other issue is that Huawei is using third party software which has not been subjected to the required controls.
A technical visit to Shenzhen was scheduled for September 2017 for NCSC, HCSEC and the UK Operators to discuss with Huawei HQ the progress around source code redelivery to HCSEC and binary equivalence. Previous technical visits have discussed Huawei’s management of third party components imported as part of a product build, both commercial and open source. During a review of the programmes of work being undertaken, NCSC identified that not all components are managed through this process and, in particular, security critical third party software used in a variety of products was not subject to sufficient control.
The Financial Times interpreted the report’s findings as a warning that Huawei must make more effort to address a history of shortcomings. Perhaps that is true, but the UK’s position is weak. Much of the UK’s telecommunications infrastructure is already supplied by Huawei, whose first deal with BT dates back to 2005. If strong language does not have the desired effect, it is difficult to imagine the UK’s cybersecurity mandarins being able to mandate a transition to alternative suppliers, even if the need was urgent. Furthermore, Huawei looks set to make more sales as UK network operators plan for 5G and the upgrade of broadband speeds.
The UK’s approach to handling Huawei contrasts with other countries that restrict Huawei sales on security grounds. The USA has effectively banned Huawei from supplying equipment to their telcos. The perceived threat from foreign states has risen since that ban was implemented, making it unlikely that US politicians will reverse their policy soon. Anxiety has been fueled by the belief that Russians interfered in the 2016 US election. The US Department of Justice recently issued a report on how they would counter cyber risks, and their main focus was on ‘malign foreign influences’. Meanwhile, UK politicians have started to ape their American peers by also making noises about Russian cybersecurity threats, even whilst they studiously avoid discussing the extent to which public policy objectives for improved communications infrastructure is now dependent on Chinese technology.
You can obtain a full copy of the HCSEC’s 2018 annual report from here.