Government report warns of security risks posed by Huawei hardware

Huawei hardware embedded in BT's 21st Century Network a risk to UK national infrastructure

Huawei networking hardware embedded in the UK's communications backbone poses a risk to national security, the Oversight Board of the Huawei Cyber Security Evaluation Centre (HCSEC) has warned in its annual report.

"Technical issues have been identified in Huawei's engineering processes, leading to new risks in the UK telecommunications networks," warns the report, adding: "The evaluation process continues to find a significant number of point vulnerabilities and more strategic architectural and process issues."

It concluded: "Due to areas of concern exposed through the proper functioning of the mitigation strategy and associated oversight mechanisms, the [HCSEC] Oversight Board can provide only limited assurance that all risks to UK national security from Huawei's involvement in the UK's critical networks have been sufficiently mitigated."

The HCSEC Oversight Board claims that it started or conducted examinations of Huawei kit used by four telecoms operators in the UK during 2017, giving an indication of how deeply embedded the company's networking hardware has become in the UK's communications infrastructure. The HCSEC aims to evaluate "every relevant [Huawei] product in the UK at least every two years".

But this isn't the first time that the Oversight Board has issued warnings over Huawei hardware. Previous reports have warned of Huawei's inability to "repeatably build a product to a consistent binary". This means that "any assurance provided by the overall risk management strategy, and therefore the Oversight Board, is currently limited".

In other words, the HCSEC Oversight Board doesn't appear to be sure that the code embedded in Huawei networking hardware is the same as the code that Huawei is showing it. The Oversight Board also pointed out that "security critical third-party software used in a variety of products" is not "subject to sufficient control".
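The concern behind "repeatably build a product to a consistent binary" is that an evaluator can only tie a shipped image back to the source it was shown if rebuilding that source yields a byte-identical result. The following is an added illustration, not code from the report or from Huawei: a constructed toy source tree is assembled into a firmware-style image, a reference rebuild is compared by SHA-256 digest, and a build timestamp embedded in the header shows how one nondeterministic field makes every rebuild mismatch, so the evaluator can no longer distinguish a harmless build artefact from genuinely different code. All file names, contents and the image format are invented for the example.

```python
"""Illustrative reproducible-build check for a shipped firmware image.

Constructed example: a toy source tree is 'built' into an image, then rebuilt
from the same source and compared by digest. Embedding a build timestamp in
the header is the classic way such a comparison is broken.
"""
import hashlib
import struct
from typing import Dict, Optional

# Constructed sample source tree (path -> contents); not real product code.
SAMPLE_SOURCES: Dict[str, bytes] = {
    "net/ospf.c": b"int ospf_init(void) { return 0; }\n",
    "lib/tls.c": b"int tls_handshake(void) { return 1; }\n",
    "README": b"toy firmware\n",
}


def build_image(sources: Dict[str, bytes], build_time: Optional[int] = None) -> bytes:
    """Assemble a toy image: 5-byte magic, 4-byte header field, then files.

    Files are emitted in sorted path order so the layout never depends on
    filesystem iteration order. When build_time is given it is written into
    the header field, which makes two builds of identical source differ.
    """
    header = b"TOYFW" + struct.pack(">I", build_time if build_time is not None else 0)
    body = b"".join(
        path.encode() + b"\0" + struct.pack(">I", len(data)) + data
        for path, data in sorted(sources.items())
    )
    return header + body


def digest(image: bytes) -> str:
    """SHA-256 hex digest of an image; the value an evaluator would record."""
    return hashlib.sha256(image).hexdigest()


def verify_reproducible(shipped: bytes, sources: Dict[str, bytes],
                        build_time: Optional[int] = None) -> bool:
    """Rebuild from the supplied source and compare digests with the shipped image."""
    return digest(build_image(sources, build_time)) == digest(shipped)


def first_difference(a: bytes, b: bytes) -> Optional[int]:
    """Offset of the first differing byte, or None if the images are identical.

    Lets an evaluator localise a mismatch: an offset inside the header points
    at build metadata, an offset inside the body points at changed file data.
    """
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


if __name__ == "__main__":
    shipped = build_image(SAMPLE_SOURCES)
    print("deterministic build reproducible:", verify_reproducible(shipped, SAMPLE_SOURCES))

    # Same source, two different build timestamps: the check fails every time.
    ts_a = build_image(SAMPLE_SOURCES, build_time=1_514_764_800)
    ts_b = build_image(SAMPLE_SOURCES, build_time=1_514_764_801)
    print("timestamped build reproducible:", digest(ts_a) == digest(ts_b))
    print("first differing byte (header is bytes 0-8):", first_difference(ts_a, ts_b))

    # Altered code in the body also fails, but now looks just like the timestamp case.
    tampered = bytearray(shipped)
    tampered[-1] ^= 0xFF
    print("tampered image reproducible:", verify_reproducible(bytes(tampered), SAMPLE_SOURCES))
    print("first differing byte:", first_difference(shipped, bytes(tampered)))
```

The deterministic path is what an evaluation centre needs: rebuild the source it was given, and a digest match proves the deployed image is that source. Once a build embeds a timestamp, host name or similar, every rebuild mismatches, and `first_difference` is the only thing separating "metadata drift" from "different code", which is why the board describes its assurance as limited rather than absent.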

It added that Huawei hardware contains third-party software, including security-critical components, for which long-term support will end in 2020, even though the Huawei products in question will remain in service for much longer.

In a statement to the BBC, Huawei admitted that there were "some areas for improvement", continuing: "We are grateful for this feedback and are committed to addressing these issues. Cyber-security remains Huawei's top priority, and we will continue to actively improve our engineering processes and risk management systems."

Huawei is now deeply embedded in BT Openreach's backbone network after beating the UK's Marconi to key 21st Century Network contracts with BT in 2005. Deprived of even a single contract from what had been its biggest customer, Marconi was broken up soon after with the bulk of it being acquired by Ericsson, although Huawei was also a bidder.

The HCSEC was set up by Huawei in December 2010 to address rising concerns over the risks posed to national infrastructure by nation-state threat actors, especially given Huawei's close links to China's government. While the centre is funded and run by Huawei, its Oversight Board is run by the NCSC.

This came two years after miner Rio Tinto was allegedly compromised, not just by cyber attackers linked to the Chinese state, but also by five other national governments. That hacking incident, it is claimed, cost Rio Tinto more than $1 billion.

Last year, the HCSEC Oversight Board voiced concerns over security risks around the Huawei Mobile Virtual Network Operator (MVNO) solution in the UK.