UK cybersecurity agency finds new low-risk concerns with Huawei's security centre

While finding several low-priority issues in its annual evaluation of Huawei's Cyber Security Evaluation Centre, the UK's NCSC overall found Huawei to be providing 'unique, world-class cybersecurity expertise'.

Two low-priority national security findings and two advisory issues have popped up in the evaluation of the Huawei Cyber Security Evaluation Centre (HCSEC) in the United Kingdom, according to the annual report.

The HCSEC, located in Oxfordshire, was launched in November 2010 to help mitigate any potential risks in using Huawei technology in the UK's critical national infrastructure, and has been subject to annual evaluations for the last four years.

In the most recent report, the HCSEC oversight board identified "technical issues" in Huawei's engineering processes, which it said could cause "new risks in the UK telecommunications networks".

According to the HCSEC Oversight Board Annual Report 2018: A report to the National Security Adviser of the United Kingdom July 2018 [PDF], four products were found by the UK government's National Cyber Security Centre (NCSC) to be lacking binary equivalence, with Huawei working to "correct the deficiencies in the underlying build and compilation process".

"It is the NCSC intent that all products deployed in the UK will have repeatable builds and that HCSEC will be able to routinely show equivalence between the binary installed in UK networks and the binary that can be built from the source code held by HCSEC," the report, first reported on by Reuters, said.

Work on this had been completed, but the engineering changes had yet to be integrated into the wider development process, the report said; that integration is due to be finished by mid-2020.

An additional issue was found in Huawei's use of commercial and open-source third-party components, with not all being managed through the agreed process.

"NCSC has determined how the issue directly affects the security and reliability of deployed products, and has provided the oversight board its opinion that this issue limits the ability of HCSEC's efforts to contribute to the overall assurance strategy in a sustainable manner," the report said.

"There have been a number of detailed technical discussions between Huawei R&D and HCSEC, some including NCSC. These discussions are working towards a full understanding of the problem, a short-term mitigation plan, and a more strategic fix for the underlying cause of the problem.

"However, there is a significant risk in the UK telecoms infrastructure if Huawei and the operators are unable to support these boards long-term."


The oversight board additionally pointed out medium-term concerns for incoming technologies that will be adopted, including software-defined networking, network virtualisation, edge computing, and 5G.

"Due to areas of concern exposed through the proper functioning of the mitigation strategy and associated oversight mechanisms, the oversight board can provide only limited assurance that all risks to UK national security from Huawei's involvement in the UK's critical networks have been sufficiently mitigated. We are advising the National Security Adviser on this basis," the report said.

"Until this work is completed, the oversight board can offer only limited assurance due to the lack of the required end-to-end traceability from source code examined by HCSEC through to executables used by the UK operators."

Despite these issues, the oversight board found Huawei to be performing its overall mitigation strategy "at scale and with high quality", with no high- or medium-priority findings.

"It is evident that HCSEC continues to provide unique, world-class cybersecurity expertise and technical assurance of sufficient scope and quality as to be appropriate for the current stage in the assurance framework around Huawei in the UK," the report said.

An independent evaluation from Ernst & Young also concluded that there are no major concerns.

In response, Huawei said the report emphasised the company's "openness, transparency, and responsiveness in its approach to cybersecurity", as well as the centre's independence from Huawei HQ in Shenzhen, China.

The Chinese networking giant added that it is "disappointed" to discover its engineering process shortfall, but "welcomes the opportunity to address the concerns and ensure our products continue to deliver safe and secure infrastructure across the UK and around the world".

"We are grateful for this feedback. As with previous years, Huawei will work with our partners to develop the necessary risk management and mitigation mechanisms to deliver practical improvement to our CSEC infrastructure," Huawei's global head of Cyber Security John Suffolk said.

"We will not waver in our commitment to cybersecurity. Working closely with our operator customers and partners, we will continue to innovate openly, enhance our approach, and address cybersecurity challenges together.

"We all want the same thing: Secure and reliable networks."

The use of Huawei technology in telecommunications infrastructure has been facing national security concerns in both the United States and Australia.

Huawei's Australia CEO George Huang last month told ZDNet that the company handles no personal data, when asked about recent calls for the technology giant to be barred from taking part in 5G rollouts due to concerns over sharing data with the Chinese government.

"Huawei doesn't own, doesn't manage, doesn't operate any data," Huang told ZDNet.

"Huawei is just a network equipment vendor to the operators. Operators, they manage, they operate the network. The application of Huawei is to support our customers -- that means operators -- to build the system to manage those things.

"Huawei is just a vendor of the pipeline."
