UK authorities release report detailing Huawei security risks

20 Jul 2018

Huawei logo on a Moscow shop front. Image: Arsenie Krasnevsky/Shutterstock

A UK government panel has issued a report into the security status of Huawei products, with fairly inconclusive results.

Chinese tech firm Huawei has had a rough 2018 so far in terms of international expansion, with the US government effectively freezing the company out due to spying concerns raised by authorities earlier this year.

While the company itself has downplayed these risks and remains popular elsewhere in the world, it was still a major blow. Huawei is also currently under the microscope in the UK.

Some issues flagged

Recently, an evaluation of the Huawei Cyber Security Evaluation Centre (HCSEC) in Oxfordshire identified two low-priority national security findings and two advisory issues.

The HCSEC has been around since 2010 and has been subject to annual evaluations over the last four years. Huawei is a major supplier of broadband gear and mobile networks in the UK, meaning its products are used in important infrastructure that could be exploited.

The National Cyber Security Centre (NCSC) found four Huawei products to be lacking binary equivalence and the company is working to “correct the deficiencies in the underlying build and compilation process”.

The report read: “It is the NCSC intent that all products deployed in the UK will have repeatable builds and that HCSEC will be able to routinely show equivalence between the binary installed in UK networks and the binary that can be built from the source code held by HCSEC.”

The engineering changes have to be integrated into the wider development process, which will be completed by mid-2020.

The report continued: “There have been a number of detailed technical discussions between Huawei R&D and HCSEC, some including NCSC. These discussions are working towards a full understanding of the problem, a short-term mitigation plan and a more strategic fix for the underlying cause of the problem.”

The report warned that there is “a significant risk in the UK telecoms infrastructure if Huawei and the operators are unable to support these boards long-term”.

Concerns over modern technologies

The report also raised medium-term concerns about incoming technologies that will be adopted, such as network virtualisation, edge computing and 5G.

It said: “Due to areas of concern exposed through the proper functioning of the mitigation strategy and associated oversight mechanisms, the oversight board can provide only limited assurance that all risks to UK national security from Huawei’s involvement in the UK’s critical networks have been sufficiently mitigated.”

Despite the issues flagged in the report, the oversight board praised Huawei’s overall mitigation strategy for its scale and quality, with no high or medium-priority issues found.

It said: “It is evident that HCSEC continues to provide unique, world-class cybersecurity expertise and technical assurance of sufficient scope and quality as to be appropriate for the current stage in the assurance framework around Huawei in the UK.”

The company told Reuters: “We are grateful for this feedback and are committed to addressing these issues. Cybersecurity remains Huawei’s top priority, and we will continue to actively improve our engineering processes and risk management systems.”

Huawei and the NCSC will be collaborating to address the issues.


Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects