Oversight Board Again Flags Huawei Security Concerns

Huawei is once again facing questions over the security of its equipment after the British government published an official report that alleged the Chinese vendor had failed to adequately tackle previously flagged security flaws.

The report was published by the UK’s Huawei Cyber Security Evaluation Centre (HCSEC), which is an Huawei oversight board, chaired by a member of the GCHQ. Its job is to oversee the use of foreign products.

In March 2019, the HCSEC issued a report was that scathing about Huawei’s security failings, and at the same time also expressed a lack of confidence in its ability to fix long-standing security flaws, some of which date back years.

HCSEC report

It pointed to flaws discovered in 2018 when HCSEC officials said they had found problems in telecoms network equipment from Huawei that could expose security risks.

It should be remembered that since 2010 Huawei maintains a security centre in the UK where British national security officials can review its equipment for any possible issues.

And now two years later, the latest HCSEC report continued to express its concern at Hauwei’s ability to fix flaws and vulnerabilities.

It said that it had “taken further evidence around the root causes of the significant software engineering and cyber security issues that came to light last year.”

“For specific products used in the UK, Huawei have simplified and made significant improvements to the build process, although issues remain,” stated the report. “While a positive outcome, we do not yet have evidence that this is a holistic shift in Huawei’s approach, rather than a point-fix for these products. Correspondingly, we do not yet have confidence that this improvement will be sustained.”

Major deficiencies

“Major quality deficiencies still exist in the products analysed by HCSEC. Sustained evidence of poor coding practices was found, including evidence that Huawei continues to fail to follow its own internal secure coding guidelines,” the report said. “This is despite some minor improvements over previous years.”

“Limited progress has been made on certain issues raised in the 2018 report and further issues have been identified in this year’s report,” it added. “The Oversight Board continues to be able to provide only limited assurance that the long-term security risks can be managed in the Huawei equipment currently deployed in the UK.”

“The Oversight Board advises that it will be difficult to appropriately risk manage future products in the context of UK deployments, until Huawei’s software engineering and cyber security processes are remediated,” it said.

“As noted in last year’s report, the Oversight Board currently has not seen anything to give it confidence in Huawei’s ability to bring about change via its transformation programme and will require sustained evidence of better software engineering and cyber security quality verified by HCSEC and NCSC,” it concluded.

The report comes after the British government in July officially ordered British mobile operators to remove all Huawei equipment from 5G networks within seven years.

Huawei response

Huawei however has said the report does acknowledge the progress it has made in software engineering.

“The report acknowledges that while our software transformation process is in its infancy, we have made some progress in improving our software engineering capabilities,” a spokesman was quoted as saying by the BBC.

Huawei of course is still hoping to sell its 5G equipment to other countries in Europe.

Germany this week however indicated it will toughen scrutiny of Huawei equipment – with one source alleging to Reuters the move would strangle Huawei in red tape.

Reuters also reported that France will informally exclude the Chinese vendor.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

View Comments

  • There must be manufacturers besides Huawei that can provide 5G equipment that don't have existential national security risks.

Recent Posts

Spyware Maker NSO Group Found Liable In US Court

Landmark ruling finds NSO Group liable on hacking charges in US federal court, after Pegasus…

2 days ago

Microsoft Diversifying 365 Copilot Away From OpenAI

Microsoft reportedly adding internal and third-party AI models to enterprise 365 Copilot offering as it…

2 days ago

Albania Bans TikTok For One Year After Stabbing

Albania to ban access to TikTok for one year after schoolboy stabbed to death, as…

2 days ago

Foldable Shipments Slow In China Amidst Global Growth Pains

Shipments of foldable smartphones show dramatic slowdown in world's biggest smartphone market amidst broader growth…

2 days ago

Google Proposes Remedies After Antitrust Defeat

Google proposes modest remedies to restore search competition, while decrying government overreach and planning appeal

2 days ago

Sega Considers Starting Own Game Subscription Service

Sega 'evaluating' starting its own game subscription service, as on-demand business model makes headway in…

2 days ago