A review by the UK's National Security Adviser has called for tighter oversight of the unit charged with checking the security of Huawei equipment used in the UK's critical national infrastructure.
The task of the Huawei Cyber Security Evaluation Centre (HCSEC) is to analyse equipment supplied by the networking giant to identify potential security vulnerabilities, and the body has so far examined more than 30 types of product provided to UK customers, covering GSM, 3G, LTE, and FTTx networks.
The staff at the centre work for Huawei, and a report from the parliamentary Intelligence and Security Committee published in June questioned the ability of the team to operate with sufficient independence from Huawei headquarters.
It warned that its self-policing arrangement was "highly unlikely either to provide, or to be seen to be providing, the required levels of security assurance," and said that as a matter of national interest the unit should be staffed by employees of GCHQ, the UK national intelligence agency.
Huawei has been involved in supplying networking equipment for Britain's critical national infrastructure since it was awarded a contract by BT in 2005, and the committee's anxieties about Huawei providing such equipment stem from what it described as the firm's perceived links to the Chinese state.
"China is suspected of being one of the main perpetrators of state-sponsored attacks, which are focused on espionage and the acquisition of information. In this context, the alleged links between Huawei and the Chinese State are concerning, as they generate suspicion as to whether Huawei's intentions are strictly commercial or are more political," the Foreign involvement in the Critical National Infrastructure report said.
The report recommended that the staff in centre should be GCHQ employees or that oversight should be strengthened, and the government should be more directly involved in the selection of HCSEC staff.
Following from this report, the UK's National Security Adviser Kim Darroch was asked to review HCSEC and report to the prime minister.
His report has now concluded that HCSEC staff should remain part of Huawei in order for them to get full access to the company's equipment, code, and design teams. But it also said oversight arrangements should be enhanced and GCHQ should have a leading role in senior-level HCSEC appointments.
Darroch's report said the "global reality" is that virtually every communications network in the world incorporates foreign technology, and said the HCSEC unit operates "effectively" and said that the vulnerabilities identified since HCSEC's establishment "could be explained as genuine design weaknesses or errors in coding practice." It also noted "Huawei's cooperation with HCSEC appeared exemplary."
Although the employment of HCSEC staff by Huawei appeared to create conflicts of interest, it was, the best way of ensuring continued complete access to Huawei products, codes and engineers, without which HCSEC could not do its job, the report said.
"Were HCSEC staff not to be Huawei employees, access arrangements would be complicated by Huawei's non-disclosure agreements with its hundreds of third party suppliers," it said.
The report said GCHQ's involvement in the future appointment of senior staff to HCSEC should be strengthened. At present, GCHQ has a power of veto over appointments through the security vetting process, but the review said GCHQ should lead and direct senior HCSEC appointments.
The review also called for the creation of an 'oversight board' chaired by GCHQ to monitor HCSEC's performance and "verify its continuing independence from Huawei headquarters".
The review also found a shortage of individuals in the UK employment market with the necessary technical expertise and skills to fill all the available posts in HCSEC, GCHQ and other parts of Whitehall, and said greater efforts were needed to "deepen the pool of individuals with the requisite cyber security skills".
Huawei said in a statement that it supported the review's recommendations to "optimise the management of the HCSEC" and said "it is only by working together internationally, as vendors, customers, policy and law makers, that the challenge of global cyber security can be met."