The U.K. cybersecurity authority slammed Chinese telecoms equipment maker Huawei in a report today, saying the company has failed to fix glitches in its software and poses “new risks” to U.K. telecoms networks.
The National Cyber Security Agency (NCSC), which scrutinized Huaweis cybersecurity over the past year, found the company has failed to deliver on promises to prioritize the security of its equipment and fix issues identified in previous audits.
In the annual oversight report, the agency said that “significant technical issues have been identified in Huaweis engineering processes, leading to new risks in the U.K. telecommunications networks.”
The agency said it can “only provide limited assurance that all risks to U.K. national security from Huaweis involvement in the U.K.s critical networks can be sufficiently mitigated long-term” — an assessment it also made in its previous annual report in July 2018.
The report, which is part of intelligence services ongoing scrutiny of Huawei equipment, forces the Chinese company to beef up its efforts on cybersecurity. Huawei in December pledged it would invest $2 billion (€1.8 billion) to update its equipment and fix the issues the agency identified in its July 2018 report.
Its also a signal to U.K. operators, who are negotiating with vendors on who to procure equipment from for the rollout of new, high-speed 5G internet networks, and to the U.K. government, which is conducting a security review that could amount to bans or restrictions on the use of Huawei equipment across parts of British networks.
A Huawei spokesperson said the report “again recognizes the effectiveness” of the U.K.s oversight mechanism. “As the report says, the oversight provided for in our mitigation strategy for Huaweis presence in the UK is arguably the toughest and most rigorous in the world.”
Software management issues
Since 2010, the companys gear has been under constant audit at a security center in Banbury, northwest of London, where it is being tested for the risk of hacking and espionage activities.
The Banbury center, known as “HCSEC,” is run by Huawei and its employees are on Huaweis payroll, but the work is overseen by the NCSC, part of the U.K. intelligence service GCHQ.
Two findings jumped out of the latest review.
The first is that software in Huawei equipment tested in Banbury doesnt always match software found in products on the market. This issue came up in the agencys last report in July 2018.
It dents the Chinese companys argument that its equipment is thoroughly checked by British and other European authorities.
Huawei has opened cybersecurity centers in Bonn, Germany and Brussels in the past months. Part of the companys pitch to governments, European operators and EU lawmakers is that it would allow for its source code to be checked at these centers, including the one near the EU institutions in Brussels.
The U.K. agencys findings cast doubt on the promise of source code disclosure — a remedy that experts have previously criticized.
“Evaluating code is an extremely difficult thing to do … and probably it is not really the way to go,” Steve Purser, head of core operations at the EUs cybersecurity agency ENISA, told POLITICO earlier.
The second crucial finding is that the cybersecurity agency considers its management of software engineering unsafe.
People involved in the reports drafting explained officials found a series of issues with how Huawei integrates third-party software in its equipment. Like others, Huawei uses popular open-source software libraries and parts in its gear. But officials found basic engineering issues with the ways the company integrates this code, the people said.
Critical timing
The British report comes amid pushback led by the U.S. administration to limit the Chinese vendors access to Western markets — as Europe rolls out 5G.
U.K. telecoms operators are in the process of planning their rollout of 5G in coming years. Operators are watching closely how the government reacts to security services concerns about Chinese telecom vendors.
The countrys largest operator BT said in a statement that “we will continue to work clRead More – Source
[contf] [contfnew]