NCSC sees no ‘significant improvement’ in Huawei’s overall security practices

Annual report investigating perceived risks of Huawei’s involvement in parts of UK critical national infrastructure finds vulnerabilities and slow progress in remediation, but concludes that all perceived risks are manageable

The National Cyber Security Centre (NCSC)’s annual Huawei Cyber Security Evaluation Centre (HCSEC) oversight board report has concluded that limited progress has been made in the remediation of security issues identified a year ago, making it inappropriate to change the Chinese firm’s current level of security assurance.

In the background to the latest report investigating perceived risks arising from Huawei’s involvement in parts of the UK’s critical national infrastructure is the July 2020 decision by the UK government to commit to a timetable for the removal of Huawei equipment from the 5G network by 2027.

That decision was taken after the NCSC reviewed the consequences of the decision by the US government on 15 May to extend its restrictions on the sale of hardware and software to so-called “high-risk” suppliers such as Huawei, leading to the Chinese comms tech giant not being able to purchase equipment from longstanding suppliers.

The NCSC regarded the US move as creating uncertainty around the Huawei supply chain, and that the UK could no longer be confident that it would be able to guarantee the security of future Huawei 5G equipment. In addition to the ban on its 5G technology from mobile networks, the UK government also investigated Huawei’s place in the country’s growing fixed broadband infrastructure.

Before it revealed the full details of the latest HCSEC oversight board report, the NCSC noted that HCSEC had been running for nine years and that its relationship with the tech supplier through the HCSEC oversight board was a unique way of managing risk, which could not simply be “transplanted” to another country.

It stressed that the timeframe of the report covered the calendar year of 2019, before the imposition of US sanctions. In addition to what the NCSC called ongoing significant analytic effort around the effects of US sanctions, the report’s publication has also been delayed relative to previous years because of the Covid-19 pandemic.

Although the report’s authors noted that there had not been many significant changes in the overall security assessment compared with previous years, they indicated that they had seen no significant improvement in Huawei’s overall engineering and security practices over the 12 months since it last investigated the company. The report added that the NCSC was still to see any evidence around Huawei’s transformation programme having any sort of long-term effect.

Yet the NCSC did point out that when it talked last year about a particular piece of equipment, it found that Huawei had carried out engineering on that product and made its next release better, showing that it had the capability for improvement. But the NCSC stressed that such demonstrations did not necessarily lead to indications of the long term, so it stuck to a low assurance rating for the future.

The report also highlighted a particular vulnerability found in Huawei broadband technology. This related to legacy software components in the product, plus some vulnerabilities linked to a set of risks that needed to be managed. The vulnerability discovered over the last year required extraordinary measures to be taken on behalf of operators using the kit.

Huawei has since fixed the specific vulnerabilities in the UK, but in doing so, said the NCSC, had introduced an additional major issue into the product. This, it said, was further evidence that deficiencies in Huawei’s engineering processes remain.

Read more about Huawei

The NCSC said it had seen no evidence of any exploitation attempts regarding the vulnerability highlighted and that, as it stands, the NCSC was still happy that it could maintain and manage the risk of the extensive amount of Huawei kit that was in the UK, used by operators such as Vodafone and BT, subject to government policy.

There was, it said, no basis to advise the UK government to accelerate the process of removing Huawei kit from the UK’s communications infrastructure as per the timetable announced in July.

The NCSC emphasised that removing Huawei 5G technology from the UK’s networks was fundamentally not because of an ability to manage the security risk, but because of the US sanctions, and the fact that this decision had altered equipment supply chains and what was likely to be installed in communications systems in future. It added that, as regards the infrastructure, everything was entirely manageable.

Commenting on the report, Huawei said it had highlighted the fact that the HCSEC has been an effective way to mitigate cyber security risks in the UK. “The report acknowledges that while our software transformation process is in its infancy, we have made some progress in improving our software engineering capabilities,” it said.

Huawei has faced the highest level of scrutiny for almost 10 years. This rigorous review sets a precedent for cyber security collaboration between the public and private sectors, and has provided valuable insights for the telecoms sector. We believe this mechanism can benefit the entire industry and Huawei calls for all vendors to be evaluated against an equally robust benchmark, to improve security standards for everyone.”

Read more on Network hardware