The Huawei Cyber Security Evaluation Centre (HCSEC) has noted in its latest report that underlying defects continue to persist in Huawei’s software engineering and cyber security processes and the company has done little to remove the defects highlighted by the centre last year.
In late 2018, the National Cyber Security Centre announced that its Huawei Cyber Security Evaluation Centre (HCSEC), which was set up to monitor equipment deployed by Huawei in the UK and to ensure transparency between Huawei, the government and operators, had flagged a range of security issues in the company’s hardware.
“The National Cyber Security Centre is committed to the security of UK networks, and we have a regular dialogue with Huawei about the criteria expected of their products. As was made clear in July’s HCSEC oversight board, the NCSC has concerns around a range of technical issues and has set out improvements the company must make,” said a government spokesperson.
In response, Ryan Ding, President of Huawei’s Carrier Business Group, told the Commons Science and Technology Committee in a letter that his company would invest up to £1.54 billion over the next five years to “comprehensively improve” its software engineering capabilities and to prepare for a complex security environment in the future.
“Cyber security remains Huawei’s top priority, and we will continue to actively improve our engineering processes and risk management systems. At our most recent board meeting, we officially signed off on a companywide transformation programme for our software engineering capabilities.
“The company will initially invest US$2 billion over the next five years to comprehensively improve our software engineering capabilities. This will help ensure that our products are better prepared for a more complex security environment both now and in the future.
“This programme is part of a broader effort to redesign our Integrated Product Development process. Technology and networking environments are evolving. Customer and societal expectations for technology are evolving too, as are regulatory requirements. In recognition of these changes, we too are evolving our processes,” he wrote.
Risks to UK national security due to Huawei’s involvement cannot be mitigated long-term
However, as per the latest annual report from HCSEC, which covers the period January 2019 to December 2019, Huawei has done little to mitigate the defects highlighted in the previous report and therefore, HCSEC said it can provide only limited assurance that the long-term security risks can be managed in the Huawei equipment currently deployed in the UK.
“At present, the Oversight Board has not yet seen anything to give it confidence in Huawei’s capacity to successfully complete the elements of its transformation programme that it has proposed as a means of addressing these underlying defects. The Board will require sustained evidence of better software engineering and cyber security quality verified by HCSEC and NCSC,” HCSEC said.
“The Oversight Board advises that it will be difficult to appropriately risk manage future products in the context of UK deployments, until the underlying defects in Huawei’s software engineering and cyber security processes are remediated.
“Overall, the Oversight Board can only provide limited assurance that all risks to UK national security from Huawei’s involvement in the UK’s critical networks can be sufficiently mitigated long-term,” it added, providing much validation to the government’s decision to ban Huawei from participating in the setting up of 5G networks in the UK.
The HCSEC Oversight Board also cast doubts on Huawei’s strongly-worded commitment to “comprehensively improve” its software engineering capabilities, noting that “similar strongly-worded commitments from Huawei in the past have not brought about any discernible improvements” and significant and sustained evidence will be required to give HCSEC any confidence that Huawei’s transformation programme will bring about the required change.
Earlier this year, following the imposition of strict sanctions by the United States and the UK’s decision to ban and remove Huawei from the country’s 5G networks by 2027, Huawei decided to wind up the sales of networking switches, servers, and storage gear in the UK that are critical components of a 5G network infrastructure.
Without making any comments about the security of its equipment deployed in the UK, Huawei also cited a report to slam the government’s decision to ban and remove it from the UK’s 5G networks by 2027, stating that the ban will impose a cost of £18.2 billion on the UK economy and will significantly impact the UK’s current competitive advantage in 5G leadership.
The company said the decision to ban its participation in 5G rollout plans would lead to a further delay to roll-out and higher cost to the UK economy and will impact industrial efficiency, global competitiveness, and the associated economic benefits of being a global leader in 5G.