2019-03-28

The Huawei Cyber Security Evaluation Centre (HCSEC) has criticised Huawei over its failure to fix identified security flaws in its communications hardware.

It has also warned that the company's communications hardware has build and configuration issues undermining security, and added that customers cannot be sure that the company is supplying uniform products to all its customers - lending weight to security fears over the company's products, stoked by the US government.

"Further significant technical issues have been identified in Huawei's engineering processes, leading to new risks in the UK telecommunications networks," concluded the HCSEC Oversight Board in its latest annual report, released today [PDF].

It added: "No material progress has been made by Huawei in the remediation of the issues reported last year, making it inappropriate to change the level of assurance from last year or to make any comment on potential future levels of assurance."

In particular, the report claimed that HCSEC "has continued to identify concerning issues in Huawei's approach to software development bringing significantly increased risk to UK operators, which requires ongoing management and mitigation" and added that the Oversight Board can therefore "provide only limited assurance that the long-term security risks can be managed in the Huawei equipment currently deployed in the UK".

Perhaps most damning of all, though, in view of the coming roll-outs of 5G equipment by mobile operators, the Oversight Board claimed that "it will be difficult to appropriately risk-manage future products in the context of UK deployments, until the underlying defects in Huawei's software engineering and cyber security processes are remediated".

On top of that, the Oversight Board claimed that it has yet to see any improvements arising from Huawei's transformation programme that is supposed to address some of the criticisms that have been levied at Huawei, particularly in last year's report from the Oversight Board.

"Overall, the Oversight Board can only provide limited assurance that all risks to UK national security from Huawei's involvement in the UK's critical networks can be sufficiently mitigated long-term," the report concluded.

The US government has put allies under pressure to bar Huawei from supplying hardware for national 5G roll-outs, claiming that the company's hardware could be compromised by China's government in order to eavesdrop on communications. Huawei has rejected such claims.

The NCSC requires the HCSEC to perform an evaluation of every relevant product in the UK at least every two years, a requirement that the Oversight Board says is being met "on average".

The report continues: "The evaluation process continues to uncover both point vulnerabilities and more strategic architectural and process issues."

These include flaws in the "underlying build process", which the Oversight Board claims need to be rectified as part of Huawei's transformation plan.

"Unless and until this is done it is not possible to be confident that the source code examined by HCSEC is precisely that used to build the binaries running in the UK networks.

"Due to various build-related issues, it is hard to be confident that different deployments of similar Huawei equipment are broadly equivalently secure.

"For example, it is difficult to be confident that vulnerabilities discovered in one build are remediated in another build through the normal operation of a sustained engineering process," the report continues.
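The two concerns quoted above, that the audited source may not be what was built, and that equivalent deployments may not be running equivalent binaries, both reduce to a verifiable check when build manifests are available. The following script is an added illustration and is not part of the report or of any Huawei or HCSEC tooling; the component names, sites and hashes are constructed.

```python
import hashlib
from typing import Dict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed: hashes of binaries rebuilt, by the evaluator, from the
# audited source tree. An operator would get these from a reproducible
# rebuild of the exact tag that was reviewed.
AUDITED_BUILD: Dict[str, str] = {
    "bts-controller": sha256_hex(b"controller 3.1 from audited tag"),
    "rrm-daemon": sha256_hex(b"rrm 3.1 from audited tag"),
    "mgmt-agent": sha256_hex(b"agent 3.1 from audited tag"),
}

# Constructed: what three operator sites report as actually deployed.
# site-south carries a vendor hotfix nobody audited; site-east lacks
# one component entirely.
DEPLOYED: Dict[str, Dict[str, str]] = {
    "site-north": dict(AUDITED_BUILD),
    "site-south": {**AUDITED_BUILD,
                   "mgmt-agent": sha256_hex(b"agent 3.1 unaudited hotfix")},
    "site-east": {k: v for k, v in AUDITED_BUILD.items() if k != "rrm-daemon"},
}


def divergences(audited: Dict[str, str],
                deployed: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Return {site: {component: reason}} for every site whose running
    binaries do not match the audited rebuild. Sites that match exactly
    are omitted, so an empty result means end-to-end integrity holds."""
    report: Dict[str, Dict[str, str]] = {}
    for site, comps in deployed.items():
        issues: Dict[str, str] = {}
        for name, expected in audited.items():
            actual = comps.get(name)
            if actual is None:
                issues[name] = "missing"
            elif actual != expected:
                issues[name] = "hash mismatch"
        # Anything deployed that the audited build never produced.
        for name in comps.keys() - audited.keys():
            issues[name] = "unexpected component"
        if issues:
            report[site] = issues
    return report
```

A mismatch on a single site shows exactly the situation the report describes: a fix verified in one build cannot be assumed present in another.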

Curiously, perhaps, the report also claims that the configuration management improvements that have been made in the UK have not been applied across Huawei, which means that countries overseas cannot necessarily be assured that if hardware is approved in the UK it will be equally suitable elsewhere.

"Without good configuration management, there can be no end-to-end integrity in the products as delivered by Huawei, and limited confidence in Huawei's ability to understand the content of any given build or in their ability to perform true root cause analysis of identified issues," warns the report.

The HCSEC was set up almost ten years ago to examine Huawei hardware after the Shenzhen, Guangdong-based company unexpectedly won key contracts in BT's 21st Century Network roll-out.

Although Huawei got its big break in the UK with that contract, BT recently revealed that it would be removing Huawei hardware from both 4G networks and would bar the company from bidding for 5G contracts.

While the HCSEC is financed by Huawei and staffed by Huawei employees, the Oversight Board also includes security specialists from GCHQ and the UK's National Cyber Security Centre (NCSC).

