Huawei Technologies is facing another critical security review report from a U.K. auditing board.
The Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board, an independent agency set up by the government and Huawei 16 years ago to oversee the security of the telecom equipment maker’s gear, continued to raise questions about the quality of the company’s code.
The board, which reports to the U.K. national security advisor, said in a report released last week that:
- “Limited progress has been made by Huawei in the remediation of the issues reported last year, making it inappropriate to change the level of assurance from last year or to make any comment on potential future levels of assurance;”
- “As highlighted in previous reports, HCSEC’s work has continued to identify concerning issues in Huawei’s approach to software development bringing significantly increased risk to U.K. [network] operators, which requires ongoing management and mitigation. This is unchanged from last year;”
- “The Oversight Board continues to be able to provide only limited assurance that the long-term security risks can be managed in the Huawei equipment currently deployed in the U.K. However, this does not suggest that U.K. networks are more vulnerable than last year;”
- “The Oversight Board advises that it will be difficult to appropriately risk-manage future products in the context of U.K. deployments until the defects in Huawei’s software engineering and cybersecurity processes are remediated;”
- “At present, the Oversight Board has not yet seen anything to give it confidence in Huawei’s capacity to successfully complete the elements of its [software development] transformation program that it has proposed as a means of addressing these underlying defects. The Board will require sustained evidence of better software engineering and cybersecurity quality verified by HCSEC and the National Cyber Security Centre;”
- “Overall, the Oversight Board can only provide limited assurance that all risks to U.K. national security from Huawei’s involvement in the U.K.’s critical networks can be sufficiently mitigated long-term.”
As usual, the board didn’t deal with allegations that Huawei is susceptible to pressure from the Chinese government because of a national security law that obliges China-based companies to work with the country’s intelligence agencies.
The report covers the calendar year 2019, so it also doesn’t deal with July’s decision by the government of Prime Minister Boris Johnson to prevent British carriers from buying new Huawei 5G equipment after December 31st and to order them to remove all Huawei equipment from their 5G networks by the end of 2027.
The Globe and Mail reported that the Canadian government and Huawei operate a similar independent lab for evaluating Huawei network gear.
SC Magazine quoted Huawei as saying, in reaction to the report, that it found no evidence of baked-in espionage. “As innovators, we continue significant investment to improve our products. The report acknowledges that while our software transformation process is in its infancy, we have made some progress in improving our software engineering capabilities,” wrote the company in a statement.
The role of the Oversight Board is to oversee and ensure the independence, competence and overall effectiveness of the Evaluation Centre as part of the overall U.K. security risk mitigation strategy.
Many of the serious vulnerabilities found by analysts included unprotected stack overflows in publicly accessible protocols, protocol robustness errors leading to denial of service, logic errors, cryptographic weaknesses, default credentials “and many other basic vulnerability types.”
The Canadian government still hasn’t made a decision on whether to allow carriers here to install Huawei gear in their new 5G wireless networks. Bell and Telus, which have Huawei equipment in their 4G networks, have decided not to wait and have chosen other suppliers.
The federal government’s decision is complicated by the detention of two Canadians in China while a Vancouver hearing on an extradition request from the U.S. for Huawei chief financial officer Meng Wanzhou continues.