Advertisement

Huawei failed to tackle national security fears raised by GCHQ, new report shows, as spies warn of ‘no confidence’ in the firm

The Huawei logo, seen at the IFA consumer technology fair, in Berlin. Sept 3, 2020.  - MICHELE TANTUSSI/REUTERS
The Huawei logo, seen at the IFA consumer technology fair, in Berlin. Sept 3, 2020. - MICHELE TANTUSSI/REUTERS

Huawei failed to tackle national security fears raised by GCHQ, a new report has revealed.

Britain's cyber spies have warned they can have ‘no confidence’ in the Chinese firm until significant shortcomings have been addressed.

The latest annual report from the Huawei Cyber Security Evaluation Centre says it is not possible to offer any degree of confidence that the problems identified in the past have been addressed by the technology firm.

The report makes clear there has been no significant improvement in the firm’s engineering practices and overall cyber security.

'Unless and until a detailed and satisfactory plan has been provided, it is not possible to offer any degree of confidence that the identified problems can be addressed by Huawei,' the report states.

The UK’s National Cyber Security Centre (NCSC), the public-facing arm of Britain’s cyber spy agency GCHQ, advises the government on national security risks associated with having Huawei equipment embedded throughout the country’s telecoms networks.

The NCSC is responsible for dealing with Huawei on technical security matters.

Earlier this year the government decided to remove Huawei kit from Britain’s 5G infrastructure by 2027 citing security fears. Some equipment manufactured by the Chinese firm still sits in existing 3G and 4G networks.

The Oversight Board that produced the report was established in 2010 following concerns around the use of Huawei’s technology in British phone networks and critical infrastructure.

One vulnerability in the technology was caused by ‘particularly poor code quality...and the use of an old operating system’ the report states.

‘UK operators needed to take extraordinary action to mitigate the risk. Huawei have since fixed the specific vulnerabilities in the UK, but in doing so, introduced an additional major issue into the product, adding further evidence that deficiencies in Huawei’s engineering processes remain today.’

Despite promising to fix vulnerabilities and improve overall cyber security, the report made clear there had been little action from the Chinese firm. As such it says ‘it will be difficult to appropriately risk-manage future products...until the underlying defects in Huawei’s software engineering and cyber security processes are remediated’.

‘Overall, the Oversight Board can only provide limited assurance that all risks to UK national security from Huawei’s involvement in the UK’s critical networks can be sufficiently mitigated long-term.’

The NCSC warned an attacker with knowledge of Huawei’s vulnerabilities ‘may be able to affect the operation of a UK network, in some cases causing it to cease operating correctly’.

However, the report stated the NCSC does not believe the defects identified were a result of Chinese state interference.

Bob Seely, Conservative MP for the Isle of Wight and a long-time critic of Huawei, said: "The report clearly shows that the concerns raised by the Centre remain, and that Huawei have done little to either reassure or rectify.

"This is a poor state of affairs, especially as Huawei kit will remain in the network and even add to it, despite the ban."

A Huawei Spokesperson said: “The report acknowledges that while our software transformation process is in its infancy, we have made some progress in improving our software engineering capabilities.”