WANG ZHAO/AFP/Getty Images
show image

Huawei has made “no material progress” on security, says NCSC

The integrity of the UK’s telecoms infrastructure may have been compromised by “significant issues” with Huawei’s software processes, government security experts have warned.

In what will be seen as a thinly veiled reference to the Chinese tech giant’s 5G equipment, a government review concluded it will be “difficult to appropriately risk-manage future [Huawei] products in the context of UK deployments”.

The report comes at a critical moment in Huawei’s relationship with the UK, which is reviewing whether the company should be subject to fresh restrictions in the roll out of Britain’s 5G telecoms infrastructure.

The firm, which has quickly emerged as one of the most significant players in global tech, has been battling claims spearheaded by the US that its technology is at risk of Chinese government interference.

While Chinese cyber security legislation compels domestic firms to assist with intelligence operations, Ren Zhengfei, the company’s founder, has said he would defy requests which compromise users’ privacy. But it is not clear if there is a legal mechanism in place for him to do so.

The National Cyber Security Centre (NCSC), which oversees the annual security report, said it “does not believe that the defects identified are a result of Chinese state interference”. But the report warns that they are “capable of being exploited by a range of actors”.

The publication comes just over eight months after the NCSC downgraded the level of assurance it said it could provide for managing risks posed by Huawei’s equipment. It states that “no material progress has been made by Huawei in the remediation of the issues reported last year”.

In both reports, NCSC’s concerns about Huawei’s equipment focus on disparities between the code it was able to evaluate and the actual software which is embedded into the UK’s telecoms networks. “It is not possible to be confident that the source code examined by HCSEC is precisely that used to build the binaries running in the UK networks,” it said.

Alan Woodward, a professor of cyber security at the University of Surrey, said the report could hurt Huawei’s efforts to improve its reputation, because “we still can’t be certain that what we’re putting into our critical national infrastructure has been evaluated”.

“They seem to be showing their processes aren’t competent enough that they can prove to the UK they can guarantee end-to-end security,” he added. “With the Chinese cyber law, you have to be able to do that.”

The report identified two further issues with Huawei’s security processes. The first centres on a move from a soon-to-be unsupported operating system to one Huawei has developed itself. The NCSC’s experts reviewed the operating system at one of Huawei’s offices in Shanghai, but said they did not have enough evidence “to be confident in the long-term sustained engineering of Huawei’s own real time operating system”, presenting an “extremely difficult position for operators”.

The second major issue focused on Huawei’s software lifecycle management. Having assessed the presence of the OpenSSL library in Huawei’s code, NCSC found there were an “unmanageable number of versions of OpenSSL”, including those with known vulnerabilities that are no longer supported.

After the publication of last year’s oversight report, Huawei pledged to spend in excess of $2bn (£1.5bn) on rewriting its code base and improving its cyber security processes. The project could take three to five years to complete.

In recent months, Huawei has been forced to contend with fresh restrictions in a number of countries following a fierce lobbying campaign by the US, where it is also facing a protracted legal battle over fraud allegations.

But the US’s campaign has largely fallen flat in the European Union, which earlier this week rejected calls to impose a ban on the company’s 5G equipment.

Huawei did not immediately respond to a request for comment.