The Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board said the Chinese tech giant’s involvement in critical infrastructure in the UK was a cause of “long-term increased risk” and that significant work would be required to manage this risk.

In its fourth annual report to the UK’s national security advisor, the body said that it had identified technical issues in Huawei’s engineering processes, exposing “new risks in UK telecommunication networks and long-term challenges in mitigation and management.”

Can’t make any promises


The use of Huawei hardware is currently banned in the US’ communications networks (along with all Chinese equipment) on the grounds that it poses a threat to the country’s national security.

The report from HCSEC (nicknamed ‘the Cell’) stated that neither the organization itself nor the National Cyber Security Centre (NCSC) is currently able to “provide long-term technical assurance of sufficient scope and quality around Huawei in the UK.”

“This is due to the repeated discovery of critical shortfalls, including but not limited to BEP and the third-party component support issue, in the Huawei engineering practices and processes that will cause long-term increased risk in the UK.”

The watchdog was set up in 2010 under an agreement between the British government and Huawei to identify any national security risks posed by the company’s equipment and to allay any fears relating to its involvement in the country’s critical infrastructure.

The HCSEC’s practices are reviewed by a private auditing firm – Ernst & Young – to ensure that it remains independent from Huawei and operates in line with the objectives agreed upon eight years ago.

The HCSEC said that in the past 12 months, it had identified four products with deficiencies in both build and programming, “engendered by Huawei’s lifecycle management of critical components.”

The group said it was working on fixing the issues in collaboration with Huawei’s R&D arm, in order to ensure that the binary code running on deployed products matched the code it had examined and approved.

The review confirmed that one of the four products in question had been corrected – but not deployed – and that the corrections have been integrated into its development. “Assuming the continued success of the initial trials,” the report reads, “it is the NCSC and Oversight Board expectation that this will be completed by mid-2020.”

But until then, it says it can “offer only limited assurance due to the lack of the required end-to-end traceability from source code examined by HCSEC through to executables use (sic) by the UK operators.”

What’s more, the review found that “security-critical third-party software used in a variety of products was not subject to sufficient control.” This, it says, coupled with the realities of testing and release cycles, “limits the ability of the HCSEC’s efforts to contribute to the overall assurance strategy in a sustainable manner.”

To address this, it says, a consortium including network operators, the NCSC, the HCSEC and Huawei R&D is exploring “a range of technical and contractual solutions.”