Britain’s Huawei Cyber Security Evaluation Centre (HCSEC) has said the Chinese tech giant is a threat to the country’s national security. Going so far as to suggest that some existing mobile network equipment will have to be ripped out and replaced to get rid of the threat.
The HCSEC, known in the industry as ‘The Cell’ allows technicians from Britain’s spy centre GCHQ access to Huawei’s software code to investigate it for potential vulnerabilities and any backdoors. And what they found was worrying.
The work of HCSEC reveals serious and systematic defects in Huawei’s software engineering and cybersecurity competence.
Work has continued to identify concerning issues in Huawei’s approach to software development bringing significantly increased risk to UK operators, which requires ongoing management and mitigation.- Annual Report: HCSEC
While the report failed to identify specific backdoors, which the Americans are particularly obsessed about, the HCSEC was perturbed by the development processes and attitudes to security for its mobile network equipment.
The report found there were questions around basic engineering competence and security hygiene exposing vulnerabilities that could be capable of being exploited by cybercriminals and state sponsored attacks.
Following the damning report, Huawei said it understood the concerns and assured the HCSEC that they took the criticisms seriously.
A high-level plan for the programme has been developed and we will continue to work with UK operators and the NCSC during its implementation to meet the requirements created as cloud, digitisation and software-defined everything become more prevalent.- Press statement: Huawei
Huawei has promised it will spend $2 billion on software development, which would include security fixes. But HCSEC was not impressed, describing the sum as ‘no more than a proposed budget for as yet unspecified activities.’
Instead, HCSEC demanded Huawei produce, ‘details of the transformation plan and evidence of its impact on products being used in UK networks before it can be confident it will drive change,’ before it gives the Chinese tech giant the green light.
Huawei has long been the bogeyman for the Americans who have banned the company’s involvement of the country’s cyber infrastructure. And in the UK the government has set itself against the company.
And despite the real shortcomings found there is no reference in the HCSEC’s report concerning threats from the Chinese state apparatus. And, as some have commented, while it is good to expose Huawei’s vulnerabilities other vendors have not had the same level of scrutiny.