In its seventh annual report the spooks say “the work of HCSEC [Huawei Cyber Security Evaluation Centre] continues to uncover issues that indicate there has been no overall improvement over the course of 2020 to meet the product software engineering and cyber security quality expected by the NCSC [National Cyber Security Centre]”.
Though the words in the report are written in measured terms by civil servants, the dismay is clear.
Capacity asked Huawei to comment. It said: “The report concludes Huawei has made ‘sustained progress’ in addressing issues highlighted in previous reports and has made ‘considerable progress’ in third-party component support, which, in the context of the global pandemic, the report describes as ‘remarkable’.
“Rapidly evolving technologies present all innovators with security challenges and Huawei, as the only vendor to operate under a transparency centre (HCSEC), always strives to achieve the highest standards to keep our customers safe.”
HCSEC’s purpose is to evaluate the Huawei software and hardware used in the UK by fixed and mobile operators. It is owned and paid for by Huawei, now through an intermediary called Cyber Security Evaluations to circumvent the US embargo on Huawei, and it is staffed by 40 cyber security staff who are vetted by the UK’s intelligence community.
The unit, nicknamed “The Cell”, is on a business estate in Banbury, Oxfordshire, 2km outside the town centre, close to an Amazon distribution centre.
Ernst & Young has vetted HCSEC’s ability to operate independently of Huawei, submitting a report to an independent oversight board.
The oversight board said it wants “to reemphasise that it is vital that the NCSC be able to decide freely, in its sole discretion, which products are analysed by HCSEC”.
However, that discretion has been affected by the Telecommunications (Security) Bill now going through the UK parliament, which the board says “had the effect of practically limiting that discretion”.
Another problem is that in May 2019 the US put Huawei, including HCSEC, on its entity list, which bars US companies from supplying the Chinese vendor with US-origin technology without a licence.
“Being added to the entity list had an impact on HCSEC’s productivity during 2020. On agreement between Huawei and the NCSC and as the only option to sustain HCSEC’s operation, on 1 November 2020, the HCSEC business unit was transferred to a new entity.”
Cyber Security Evaluations is not on the US list. Companies House records show that it has one British director, Andrew Cahn, a former senior civil servant who is a director of Huawei UK, and two Chinese directors.
The new report, covering the 2020 calendar year, says “the work of HCSEC continues to uncover issues.” It notes that, if enacted, the Telecommunications (Security) bill “should provide a framework within which to address these strategic risks differently”. The bill “is intended to raise the bar of security in telecoms networks, including for all telecoms network equipment.”
One of the issues uncovered by HCSEC is that Huawei uses “an old version of a third-party real-time operating system in products. This component went out-of-mainstream support during 2020. … Using old and out-of-mainstream-support components within a product leaves those products more vulnerable to exploitation.”
It is three years since the oversight board “and UK operators made it clear that long-term reliance on this operating system in the UK is unacceptable and an upgrade path must be created”.
Progress has been made. By the end of 2019, the beginning of the period of the latest report, “17% of the impacted equipment boards had been updated and replaced”, it says. “During 2020, Huawei and the UK operators had remediated a further 35% of the impacted equipment boards, with another 23% of the equipment boards reaching the end of their supported life.”
The report says “Huawei and UK operators remain responsible for remediating the final 25%, specifically the affected boards that continue to be used in UK networks and that remain in support”.
It adds: “Based on Huawei’s agreed plans with UK operators, further remediation work during 2021 will successfully bring this risk down to a manageable level.”
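The out-of-support real-time operating system above is the kind of finding that falls out of checking a product’s component inventory against vendor support windows. The following is an added example, not the report’s or HCSEC’s own tooling: it reads a constructed CycloneDX-style component list, compares each (name, version) pair against a constructed table of mainstream-support end dates, and reports both components that are past support and components for which no support data exists at all, which a reviewer has to treat as unmanaged rather than silently pass. The component names, versions and dates are all hypothetical.

```python
"""Flag product components whose mainstream support has ended.

Added example (not HCSEC or Huawei code). The SBOM fragment and the
support-end table below are constructed for illustration.
"""
from datetime import date
import json

# Constructed CycloneDX-style inventory for a hypothetical board image.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "operating-system", "name": "example-rtos", "version": "5.4"},
    {"type": "library", "name": "example-tls", "version": "2.16.0"},
    {"type": "library", "name": "example-zlib", "version": "1.2.11"}
  ]
}
"""

# Constructed vendor support windows: (name, version) -> end of mainstream support.
# example-zlib 1.2.11 is deliberately absent, to exercise the "unknown" path.
SUPPORT_END = {
    ("example-rtos", "5.4"): date(2020, 6, 30),
    ("example-tls", "2.16.0"): date(2022, 12, 31),
}


def out_of_support(sbom_json, support_end, as_of):
    """Return (expired, unknown).

    expired: [((name, version), support_end_date), ...] for components whose
             mainstream support ended before `as_of`.
    unknown: [(name, version), ...] for components with no support data;
             these cannot be assumed to be supported.
    """
    sbom = json.loads(sbom_json)
    expired, unknown = [], []
    for comp in sbom.get("components", []):
        key = (comp["name"], comp["version"])
        end = support_end.get(key)
        if end is None:
            unknown.append(key)
        elif end < as_of:
            expired.append((key, end))
    return expired, unknown


def report(sbom_json, support_end, as_of):
    """Human-readable summary, one line per problem component."""
    expired, unknown = out_of_support(sbom_json, support_end, as_of)
    lines = [f"{n} {v}: mainstream support ended {end.isoformat()}"
             for (n, v), end in expired]
    lines += [f"{n} {v}: no support data, treat as unsupported"
              for n, v in unknown]
    return lines


if __name__ == "__main__":
    for line in report(SBOM_JSON, SUPPORT_END, date(2020, 12, 31)):
        print(line)
```

Run against the end of the 2020 reporting period the script flags the RTOS as expired and the library with no support data as unknown; run against 1 January 2020 the RTOS is still inside its window and only the unknown component is reported.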
But there remain issues to sort out. One of them is build versions: operators and the security experts find it hard to tell whether the binaries shipped to them match the code that was reviewed, or to identify what has changed in the code between releases. Huawei has “committed to delivery of binary equivalence across officially released versions of all carrier products sold into UK from December 2020”, says the report.
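Binary equivalence means that building the same inputs twice yields a bit-identical artifact, so a reviewer can confirm that a shipped binary corresponds to the code examined. The block below is an added example, not Huawei’s or HCSEC’s build system: it packs a constructed two-file source tree into a zip archive, shows that letting the build stamp in the wall-clock time makes two builds of identical sources differ, shows that pinning the timestamp (the SOURCE_DATE_EPOCH idea) makes them identical, and then compares per-member content digests so that a metadata-only difference can be told apart from a genuine code change. File names, contents and the epoch value are assumptions.

```python
"""Binary-equivalence check over rebuilt artifacts.

Added example, not vendor or HCSEC code. The "source tree" is a constructed
in-memory dict; the artifact is a zip archive, chosen because zip embeds
per-entry timestamps and so reproduces the classic cause of non-equivalence.
"""
import hashlib
import io
import time
import zipfile

# Constructed sample source tree: path -> bytes.
SOURCE_TREE = {
    "firmware/main.c": b"int main(void) { return 0; }\n",
    "firmware/version.h": b'#define FW_VERSION "21.3.1"\n',
}

# Assumed pinned build time (2020-01-01T00:00:00Z), as SOURCE_DATE_EPOCH would set.
SOURCE_DATE_EPOCH = 1_577_836_800


def build_archive(tree, build_time):
    """Pack `tree` into a zip whose entries are stamped with `build_time`.

    Entries are written in sorted order: ordering is the other common
    source of non-reproducible archives besides timestamps.
    """
    ts = time.gmtime(build_time)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in sorted(tree):
            info = zipfile.ZipInfo(name, date_time=ts[:6])
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, tree[name])
    return buf.getvalue()


def digest(blob):
    return hashlib.sha256(blob).hexdigest()


def binary_equivalent(a, b):
    """True when the two artifacts are bit-identical."""
    return digest(a) == digest(b)


def first_divergence(a, b):
    """Byte offset of the first difference, or None if identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def member_digests(blob):
    """sha256 of each entry's decompressed content, keyed by path.

    Equal member digests with unequal archive digests means only archive
    metadata (timestamps, ordering, compressor settings) differs, not code.
    """
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {n: digest(zf.read(n)) for n in zf.namelist()}


def explain(a, b):
    """Classify two builds: 'identical', 'metadata-only', or 'content'."""
    if binary_equivalent(a, b):
        return "identical"
    return "metadata-only" if member_digests(a) == member_digests(b) else "content"


if __name__ == "__main__":
    # Two builds on different days with the wall clock leaking into the artifact.
    wall_a = build_archive(SOURCE_TREE, 1_600_000_000)
    wall_b = build_archive(SOURCE_TREE, 1_600_086_400)
    print("wall-clock builds:", explain(wall_a, wall_b),
          "first divergence at byte", first_divergence(wall_a, wall_b))
    # Same sources, timestamp pinned: reproducible.
    pin_a = build_archive(SOURCE_TREE, SOURCE_DATE_EPOCH)
    pin_b = build_archive(SOURCE_TREE, SOURCE_DATE_EPOCH)
    print("pinned builds:", explain(pin_a, pin_b))
```

The useful output is the classification rather than the raw hash: a “metadata-only” result points at the build pipeline, while “content” means the shipped code genuinely differs from what was reviewed and needs a source-level diff.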
Writing like a disappointed school principal in their introduction to an under-performing student’s report, the report says: “The NCSC expects to be able to provide improved technical assurance in the security risk management of Huawei equipment in UK networks.” Try harder in 2021, in other words.