The report, from an oversight board specially set up to evaluate Huawei equipment due to be used in UK networks, says there are “shortcomings in Huawei’s engineering processes” that “have exposed new risks” and that provide “long-term challenges”.
However, the report stops short of recommending that UK telcos stop using equipment from Huawei. Instead it says it is working on “what mechanisms may be appropriate” to ensure the security of Huawei equipment in UK networks.
Huawei immediately reacted by welcoming the report, saying: “The oversight board has identified some areas for improvement in our engineering processes. We are grateful for this feedback and committed to addressing these issues. Cyber security remains Huawei’s top priority, and we will continue to actively improve our engineering processes and risk management systems.”
The report comes from the UK-based Huawei Cyber Security Evaluation Centre (HCSEC), which is funded by Huawei but staffed by security experts independent of the Chinese company. The HCSEC has an oversight board that is chaired by Ciaran Martin, head of the UK government’s National Cyber Security Centre (NCSC).
The annual report identifies a number of challenges in the four products that the security centre has studied in depth. The first is reproducibility, described as “the failure to reproduce builds”: because the code changes during and after development, a binary rebuilt from the source code held by the HCSEC need not match the one Huawei actually ships.
The HCSEC, working with Huawei’s own R&D on one of the four products, has now developed “a single product that can be built repeatedly from source to the general availability version as distributed”. The other three should follow, and the HCSEC has selected a further batch of products for examination.
“It is the NCSC intent that all products deployed in the UK will have repeatable builds”. The HCSEC should be able “to routinely show equivalence between the binary installed in UK networks and the binary that can be built from source code held by the HCSEC”.
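The equivalence check the NCSC describes is, at its simplest, a hash comparison between the binary pulled from an operator’s network and one rebuilt from the escrowed source, but the hard part is making the rebuild deterministic. The following script is an added illustration, not code from the HCSEC, the NCSC or Huawei: it replaces a real compiler with a tiny simulated build step so it runs offline, and models the two most common reasons a rebuild fails to match (an embedded wall-clock build time and inputs consumed in filesystem order). The `SOURCE_DATE_EPOCH` convention it mirrors is a real one used by reproducible-build toolchains; the source files, product names and timestamps are constructed for the example.

```python
"""Added example: verifying that a deployed binary is byte-for-byte equivalent
to one rebuilt from source, and showing why naive builds fail that test.
The build step is simulated; the non-determinism it models is the real kind."""
import hashlib
import time


def build(sources, source_date_epoch=None, sort_inputs=True):
    """Simulated build producing one artifact from {filename: bytes} sources.

    source_date_epoch: if set, used instead of wall-clock time, mirroring the
    SOURCE_DATE_EPOCH convention honoured by reproducible-build toolchains.
    sort_inputs: if False, inputs are consumed in the order supplied, which for
    a real build means whatever order the filesystem enumerated them in.
    """
    names = sorted(sources) if sort_inputs else list(sources)
    stamp = int(time.time()) if source_date_epoch is None else int(source_date_epoch)
    out = bytearray(b"ARTIFACT v1\n")
    out += f"built_at={stamp}\n".encode()
    for name in names:
        out += f"--- {name} ---\n".encode() + sources[name]
    return bytes(out)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_equivalence(deployed, rebuilt):
    """Compare the binary taken from the network with the one rebuilt from
    escrowed source. 'equivalent' is True only on an exact hash match; on a
    mismatch the first differing line is reported so the build engineer can
    see which non-deterministic input leaked into the artifact."""
    report = {
        "deployed_sha256": sha256_hex(deployed),
        "rebuilt_sha256": sha256_hex(rebuilt),
    }
    report["equivalent"] = report["deployed_sha256"] == report["rebuilt_sha256"]
    if not report["equivalent"]:
        d_lines, r_lines = deployed.split(b"\n"), rebuilt.split(b"\n")
        for i, (a, b) in enumerate(zip(d_lines, r_lines)):
            if a != b:
                report["first_diff"] = {"line": i, "deployed": a, "rebuilt": b}
                break
        else:  # same prefix, one artifact is longer than the other
            n = min(len(d_lines), len(r_lines))
            report["first_diff"] = {"line": n, "deployed": None, "rebuilt": None}
    return report


# Constructed sample "source tree" (not real product code). SRC_B holds the
# same files as SRC_A but enumerated in a different order, as two machines
# with different filesystems might present them.
SRC_A = {"main.c": b"int main(void){return 0;}\n", "util.c": b"int f(void){return 1;}\n"}
SRC_B = {"util.c": b"int f(void){return 1;}\n", "main.c": b"int main(void){return 0;}\n"}


def demo():
    # Naive build: build time and input order both differ between the vendor's
    # build farm and the evaluation centre's rebuild, so the hashes diverge.
    vendor = build(SRC_A, source_date_epoch=1_500_000_000, sort_inputs=False)
    hcsec = build(SRC_B, source_date_epoch=1_500_000_001, sort_inputs=False)
    naive = verify_equivalence(vendor, hcsec)

    # Repeatable build: pinned epoch and sorted inputs. Different machine,
    # different directory order, identical bytes.
    vendor2 = build(SRC_A, source_date_epoch=1_500_000_000)
    hcsec2 = build(SRC_B, source_date_epoch=1_500_000_000)
    repeatable = verify_equivalence(vendor2, hcsec2)
    return naive, repeatable


if __name__ == "__main__":
    naive, repeatable = demo()
    print("naive build equivalent:", naive["equivalent"], naive.get("first_diff"))
    print("repeatable build equivalent:", repeatable["equivalent"])
```

The point of reporting the first differing line rather than a bare hash mismatch is diagnostic: in a real toolchain the equivalent step is a section-by-section diff of the two binaries, which is what tells you whether the gap is a timestamp, a build path, a non-sorted archive, or an actual code change that was never in the escrowed source.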
One of the other issues that the centre identified was over “Huawei’s management of third party components”. The NCSC found that “security critical third party software used in a variety of products was not subject to sufficient control”.
The HCSEC report also points out that some third-party software “will come out of existing long-term support in 2020” and the NCSC is considering how that affects the security and reliability of products. It has told the oversight board that “this issue limits the ability of HCSEC’s efforts to contribute to the overall assurance in a sustainable manner”.
The oversight board says that the security centre provides “unique, world-class cyber security expertise and technical assurance”, and says an audit report by Ernst & Young (EY) has provided “important, external reassurance”.
But the report warns of further challenges ahead, coming from “software defined networking [SDN], virtualisation, MVNO proliferation and edge compute architectures such as 5G, along with changes in the operational models of many telecommunications operators”.
It worries that “Huawei’s processes continue to fall short of industry good practice and make it difficult to provide long term assurance”. The board says the lack of progress on these issues is “disappointing”.
“NCSC and Huawei are working with the network operators to develop a long-term solution, regarding the lack of lifecycle management around third-party components”, which it says is “a new strategic risk to the UK telecommunications networks”.
The HCSEC notes that it does not look at products “that are not relevant to UK national risk”, though it does not define its terms. It does not look at products that are due to be deployed outside the UK, even by UK-based companies.
Only two of the members of the oversight board are identified by name: Martin plus Ryan Ding, an executive director on Huawei’s main board.
Others identified by function include the managing director of Huawei UK – currently Jerry Wang – plus a number of government cyber security officials and the security specialists of BT and Vodafone. Up to four telco representatives can be on the oversight board at any time, but the report does not say why current membership is just two.
Huawei’s statement says the company “welcomes the oversight board report” and adds: “It confirms the collaborative approach adopted by Huawei, the UK government and operators is working as designed, meeting obligations and providing unique, world class network integrity assurance through ongoing risk management. The report concludes that HCSEC’s operational independence is both robust and effective.”
The report can be downloaded as a PDF from this UK government site.