U.K. spy agency criticizes vulnerabilities in Huawei devices

Huawei can’t be counted on to make equipment without bugs and security gaps, the U.K.’s National Cyber Security Center said


Huawei Technologies, one of the world’s largest telecom companies, cannot be counted on to make equipment without bugs and security gaps, the U.K.’s National Cyber Security Center said last week. The assessment comes as several countries are considering whether to buy the company’s gear to build 5G networks.

“There remains no end-to-end integrity of the products as delivered by Huawei,” the assessment said. The company often didn’t understand what was inside its equipment and software, nor was it very good at analyzing problems to find their root cause, it said. Over the long term the systems could be vulnerable, according to the British agency.

“Huawei’s software component management is defective, leading to higher vulnerability rates and significant risk of unsupportable software,” it concluded.

Huawei has not demonstrated that it can adhere to its own internal guidelines on secure software coding processes, the report said. The company continued to use versions of software code for encrypting data flowing between web servers that had publicly disclosed vulnerabilities identified as far back as 2006, it said.

Britain’s assessment of Huawei’s technologies comes as the United States is pressing allies to ban Huawei equipment from their telecom networks because of the company’s close ties to Beijing and concerns that it could serve as a backdoor allowing China to snoop. Huawei denies that it’s building such backdoor access.

The Justice Department has accused Huawei of stealing intellectual property from American companies and violating sanctions against selling equipment to Iran. Congress has banned government contractors from using equipment made by Huawei and another large Chinese telecommunications company, ZTE. U.S. telecom providers have said they will not use Huawei equipment in their 5G networks.

5G networks promise high-speed data transfers with minimal delays compared with current mobile networks.

Australia has banned Huawei from building the country’s 5G networks, while other close U.S. intelligence partners including Canada and New Zealand have yet to reach a conclusion. British officials have previously said risks posed by Huawei equipment may be manageable. Germany has said it would not ban Huawei.

The U.K. Cyber Security Center said it “does not believe” that software defects and weaknesses identified were the result of “Chinese state interference.”

Information-sharing between the United States and its top allies could be jeopardized if they build their 5G networks using equipment from Huawei, the Chairman of the Joint Chiefs of Staff, Gen. Joseph F. Dunford Jr., told lawmakers earlier this month.

The report from the Huawei Cybersecurity Evaluation Center Oversight Board is the fifth annual report of its kind since the British government began assessing Huawei’s equipment in 2010. The U.K.’s National Cyber Security Center, which is part of the country’s signals intelligence agency, oversees work done by the center and performs technical assessment of Huawei’s gear that is used in some of Britain’s 4G telecom networks.

The report noted that while no progress had been made by Huawei in addressing issues raised in 2018, “further issues have come to light in this year’s report.”

Huawei said in a statement that “we understand these concerns and take them very seriously.” The company is in the midst of a “transformation program aimed at enhancing our software engineering capabilities with an initial budget of $2 billion,” the statement said.

Having the U.K. assess Huawei’s software code and processes “is a good thing for us because it helps us focus on what we need to do to provide greater assurances and transparency,” Andy Purdy, the chief security officer for Huawei USA, told CQ in an interview. The British government’s evaluation is the “toughest and the most rigorous in the world,” Purdy said, an assessment that the report echoes.

Other telecom providers should be subjected to similar evaluations, Purdy said.

While the transformation program could be successful in bringing Huawei’s software and engineering practices up to accepted global standards, the effort might take three to five years, the U.K. report said. And even then the U.K.’s Cyber Security Center would have to see sustained changes, not just improvements in one version of software or a product, the report said.

The so-called transformation program, launched late last year, is a four-year effort, and its goal is to develop “consistent practices across the board, so that way all the coders meet the same requirements in all processes,” Purdy said.

Although Huawei has operations around the world, the software development addressed by the British report is “done primarily in China,” Purdy said.

The U.K. government is expected to make a decision on its 5G strategy later this year, taking into account assessments from the National Cyber Security Center.
