A UK government-run oversight board has expressed misgivings about the security of telecoms kit from Chinese firm Huawei.
An annual report (PDF) from the Huawei Cyber Security Evaluation Centre (HCSEC) concluded that "shortcomings in Huawei's engineering processes have exposed new risks in the UK telecommunication networks and long-term challenges in mitigation and management".
Huawei kit is widely used on BT's network backbone, so reduced confidence in equipment from the manufacturer has profound implications unless steps are taken to restore full confidence.
HCSEC – run by Huawei UK staff and overseen by GCHQ – warned: "Huawei's processes continue to fall short of industry good practice and make it difficult to provide long term assurance."
Concerns centre around two technical issues: the consistency of software builds of networking products from Huawei supplied to UK telecom network operators, and (more particularly) Huawei's management of third-party components imported as part of a product build, both commercial and open source. "Security critical third party software used in a variety of products was not subject to sufficient control," according to an evaluation by GCHQ that followed a technical visit to Shenzhen by NCSC, HCSEC, and the UK telecom operators.
"Third party software, including security critical components, on various component boards will come out of existing long-term support in 2020, even though the Huawei end of life date for the products containing this component is often longer," the report said.
"The lack of progress in remediating these is disappointing," the report continued. "NCSC [National Cyber Security Centre] and Huawei are working with the network operators to develop a long-term solution, regarding the lack of lifecycle management around third party components, a new strategic risk to the UK telecommunications networks. Significant work will be required to remediate this issue and provide interim risk management."
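The lifecycle problem the report describes, a third-party component whose upstream support ends before the product that embeds it reaches end-of-life, is something an operator can check from a component inventory. The following is an added example, not code from the HCSEC report or from Huawei: it takes a constructed inventory with hypothetical component names and dates, flags every component whose support window closes before the product's stated end-of-life, and ranks the gaps with security-critical components first.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample inventory (hypothetical names and dates, not taken from the
# report): each third-party component's upstream long-term-support end and
# whether it sits on a security-critical path.
PRODUCT_EOL = date(2025, 12, 31)  # vendor's stated end-of-life for the product
COMPONENTS = [
    {"name": "libcrypto-example", "version": "1.0.x",
     "support_end": date(2020, 12, 31), "security_critical": True},
    {"name": "rtos-kernel-example", "version": "3.2",
     "support_end": date(2020, 6, 30), "security_critical": True},
    {"name": "json-parser-example", "version": "2.1",
     "support_end": date(2027, 1, 1), "security_critical": False},
    {"name": "ssh-daemon-example", "version": "7.x",
     "support_end": date(2022, 3, 31), "security_critical": True},
]


@dataclass
class LifecycleGap:
    name: str
    version: str
    support_end: date
    unsupported_days: int  # days between upstream support ending and product EOL
    security_critical: bool


def lifecycle_gaps(components, product_eol):
    """Return components whose upstream support ends before the product's EOL,
    worst first: security-critical components, then the longest unsupported window."""
    gaps = []
    for c in components:
        if c["support_end"] < product_eol:
            gaps.append(LifecycleGap(c["name"], c["version"], c["support_end"],
                                     (product_eol - c["support_end"]).days,
                                     c["security_critical"]))
    gaps.sort(key=lambda g: (not g.security_critical, -g.unsupported_days))
    return gaps


def report(components, product_eol):
    """One human-readable line per gap, in the same order as lifecycle_gaps()."""
    lines = []
    for g in lifecycle_gaps(components, product_eol):
        tag = "SECURITY-CRITICAL" if g.security_critical else "non-critical"
        lines.append(f"{g.name} {g.version}: support ends {g.support_end}, "
                     f"{g.unsupported_days} days before product EOL [{tag}]")
    return lines


if __name__ == "__main__":
    for line in report(COMPONENTS, PRODUCT_EOL):
        print(line)
```

Run against a real SBOM, the same check gives the "interim risk management" window the report refers to: how long each component will be in service without upstream fixes.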
Doubts about Huawei's engineering process have prompted the advisory board to water down its endorsement of the Chinese equipment maker's technology. The panel reported:
Due to areas of concern exposed through the proper functioning of the mitigation strategy and associated oversight mechanisms, the oversight board can provide only limited assurance that all risks to UK national security from Huawei's involvement in the UK's critical networks have been sufficiently mitigated. We are advising the National Security Adviser on this basis.
Huawei is yet to respond directly to a request to comment from El Reg but it told the BBC: "Cyber-security remains Huawei's top priority, and we will continue to actively improve our engineering processes and risk management systems."
Professor Alan Woodward, a computer scientist from the University of Surrey, told El Reg that Huawei needed to improve its procedures, particularly in assuring the security of its own supply chain.
"The authorities need to be totally convinced about the security of Huawei products before they are incorporated into our critical national infrastructure," Woodward said. "The onus appears to be on Huawei to improve their processes to enable the UK to feel confident in giving the required assurances.
"The supply chain is becoming a classic attack vector so the UK needs to be sure not just about test examples of equipment, but that the processes then used to manufacture the equipment at scale are secure from interference."
HCSEC was set up in November 2010 to "mitigate any perceived risks" associated with the use of Huawei's equipment in the British telecoms network and elsewhere in the UK's critical national infrastructure. The facility is run by techies from Huawei and the NCSC.
National security concerns meant that Chinese telecom giant ZTE was temporarily blocked from selling kit in the United States. US politicians have expressed similar concerns about using kit from Huawei, and such concerns have also surfaced in Australia and elsewhere.
Woodward said: "It's not difficult to see why the US and Australian governments have decided to walk away from using Huawei products in critical areas."
Some security experts think that all major telecom equipment suppliers should face the same rigorous scrutiny.
SpyBlog commented: "There should also be an equivalent to the Huawei Cyber Security Evaluation Centre for other foreign government-influenced networking stuff on which the UK Critical National Infrastructure depends. e.g. Cisco." ®