Oversight Board Again Flags Huawei Security Concerns

Huawei is once again facing questions over the security of its equipment after the British government published an official report that alleged the Chinese vendor had failed to adequately tackle previously flagged security flaws.

The report was published by the UK’s Huawei Cyber Security Evaluation Centre (HCSEC), which is an Huawei oversight board, chaired by a member of the GCHQ. Its job is to oversee the use of foreign products.

In March 2019, the HCSEC issued a report was that scathing about Huawei’s security failings, and at the same time also expressed a lack of confidence in its ability to fix long-standing security flaws, some of which date back years.

HCSEC report

It pointed to flaws discovered in 2018 when HCSEC officials said they had found problems in telecoms network equipment from Huawei that could expose security risks.

It should be remembered that since 2010 Huawei maintains a security centre in the UK where British national security officials can review its equipment for any possible issues.

And now two years later, the latest HCSEC report continued to express its concern at Hauwei’s ability to fix flaws and vulnerabilities.

It said that it had “taken further evidence around the root causes of the significant software engineering and cyber security issues that came to light last year.”

“For specific products used in the UK, Huawei have simplified and made significant improvements to the build process, although issues remain,” stated the report. “While a positive outcome, we do not yet have evidence that this is a holistic shift in Huawei’s approach, rather than a point-fix for these products. Correspondingly, we do not yet have confidence that this improvement will be sustained.”

Major deficiencies

“Major quality deficiencies still exist in the products analysed by HCSEC. Sustained evidence of poor coding practices was found, including evidence that Huawei continues to fail to follow its own internal secure coding guidelines,” the report said. “This is despite some minor improvements over previous years.”

“Limited progress has been made on certain issues raised in the 2018 report and further issues have been identified in this year’s report,” it added. “The Oversight Board continues to be able to provide only limited assurance that the long-term security risks can be managed in the Huawei equipment currently deployed in the UK.”

“The Oversight Board advises that it will be difficult to appropriately risk manage future products in the context of UK deployments, until Huawei’s software engineering and cyber security processes are remediated,” it said.

“As noted in last year’s report, the Oversight Board currently has not seen anything to give it confidence in Huawei’s ability to bring about change via its transformation programme and will require sustained evidence of better software engineering and cyber security quality verified by HCSEC and NCSC,” it concluded.

The report comes after the British government in July officially ordered British mobile operators to remove all Huawei equipment from 5G networks within seven years.

Huawei response

Huawei however has said the report does acknowledge the progress it has made in software engineering.

“The report acknowledges that while our software transformation process is in its infancy, we have made some progress in improving our software engineering capabilities,” a spokesman was quoted as saying by the BBC.

Huawei of course is still hoping to sell its 5G equipment to other countries in Europe.

Germany this week however indicated it will toughen scrutiny of Huawei equipment – with one source alleging to Reuters the move would strangle Huawei in red tape.

Reuters also reported that France will informally exclude the Chinese vendor.