UK politicians are calling for an urgent review of checks on networking equipment supplied by Chinese telecoms giant Huawei's for Britain's Critical National Infrastructure (CNI).
"High risk" hardware and software components provided by Huawei are checked for security vulnerabilities before they are deployed on UK networks, but MPs have raised concerns these checks effectively leave the Chinese firm to police itself.
The UK government is being urged by the Intelligence and Security Committee to review the "Cell", a body that risk-checks Huawei equipment used by government or in CNI. The committee is concerned that the Cell is funded entirely by Huawei and staffed mainly by security cleared Huawei personnel.
"The Cell is nevertheless under Huawei's control, rather than the government's. We remain concerned that a Huawei-run Cell is responsible for providing assurance about the security of Huawei products and the Chinese government," says the report Foreign involvement in the Critical National Infrastructure.
"A self-policing arrangement is highly unlikely either to provide, or to be seen to be providing, the required levels of security assurance."
The report recommends the Cell is instead staffed by employees of GCHQ, the UK national intelligence agency, saying: "We believe that such a change is not only in both Huawei's and government's interests, but that it is in the national interest."
Concerns are raised that the Cell is "only now approaching full functionality", seven years after the contract was awarded to set it up.
"Given these delays and the lack of evidence so far that it will be able to provide the level of security assurance required, we recommend that the National Security Adviser conducts a substantive review of the effectiveness of the Cell as a matter of urgency," it says.
Responding to the committee's concerns about the Cell, Huawei said: "Over the past two-and-a-half years, the centre has examined more than 30 types of product which we provide to UK customers, covering GSM, 3G, LTE, IMS, FTTX and others. This rigorous testing system is one of the most advanced in the cyber security field globally and ensures that Huawei can provide advanced telecommunication technology to its customers in the UK."
It cites reassurances given by GCHQ to the committee that "we are confident that the UK network has not been at risk … at any stage" as proof that UK safeguards are protecting national telecoms infrastructure.
The committee's anxieties about Huawei providing equipment for CNI stem from what it describes as the firm's perceived links to the Chinese State.
"China is suspected of being one of the main perpetrators of State-sponsored attacks, which are focused on espionage and the acquisition of information. In this context, the alleged links between Huawei and the Chinese State are concerning, as they generate suspicion as to whether Huawei’s intentions are strictly commercial or are more political," it says.
Huawei has been involved in supplying networking equipment for Britain's CNI since it was awarded a contract by BT in 2005, following a two-year audit process. The committee report says that at the time the contract was awarded, government checks on national security issues were "insufficiently robust", leading to ministers not being aware of any potential security considerations relating to Huawei until 2006.
"The Government must be clear about the sequence of events that led to Ministers being unsighted on an issue of national importance, and take immediate action to ensure that this cannot happen again," it says.
Addressing the concerns about Huawei's role as a BT supplier, a BT spokesman said: "BT has done that from the outset, working with a wide range of suppliers, and we are pleased the report recognises this. The experts at GCHQ say BT is an 'exemplar' and that the UK network has not been at risk due to the measures we have taken. Security is at the heart of BT and it will continue to be so in the future."
Elsewhere in the world, the Huawei's involvement in providing equipment for critical infrastructure has also come under scrutiny. In the US, the House Permanent Select Committee on Intelligence (HPSCI) recently published a critical assessment of Huawei's reliability in a report that concluded: "The risks associated with Huawei and ZTE's provision of equipment to US critical infrastructure could undermine core US national-security interests."
Meanwhile, the Australian government has decided, reportedly on national security grounds, to exclude Huawei from involvement in their National Broadband Network.
The UK parliamentary report concludes blocking Chinese companies from any future contracts relating to CNI projects in Britain "is not only impractical but, crucially, given the predominance of Chinese-manufactured and -developed equipment, is unlikely to result in the national security protection envisaged".