Huawei has made "no overall improvement" in software engineering processes for its UK telecoms equipment's firmware, its GCHQ overseers have warned.
The Huawei Cyber Security Evaluation Cell (HCSEC) oversight board's annual report for 2020 was noticeably less critical than in previous years – but still says Huawei is dragging its feet in key areas.
The Chinese biz has made "considerable progress on the rectification of boards containing an old and out-of-mainstream-support component, and progress on binary equivalence, fixed access issue, and vulnerability management in line with expectations", the HCSEC Oversight Board (OB) said in today's report.
But on the flip side, the report also said Huawei had not met the "product software engineering and cyber security quality expected" by GCHQ offshoot the National Cyber Security Centre. Unlike 2018's detailed report, no further information was given in the latest HCSEC publication as to how or why Huawei had failed to deliver. One detail was included, however: the use of an unidentified (and no longer supported) realtime OS in some network equipment.
By the end of 2019, 17 per cent of the impacted equipment boards had been updated and replaced. During 2020, Huawei and the UK operators had remediated a further 35 per cent of the impacted equipment boards, with another 23 per cent of the equipment boards reaching the end of their supported life.
Going into 2021, of the very large number of boards originally impacted, Huawei and UK operators remain responsible for remediating the final 25 per cent, specifically the affected boards that continue to be used in UK networks and that remain in support. This is still in line with the 2019 remediation plan agreed between Huawei and the operators.
The NCSC did not acknowledge The Register's request for more information on other failures by Huawei.
The Cell, as it is known in British government circles, was established a decade ago to review the security of Huawei firmware when far-sighted civil servants realised the Chinese company's products posed a potential risk to British national security.
Chaired by National Cyber Security Centre chief exec Lindy Cameron, the OB produces annual reports on Huawei's security practices. When these became of intense political interest in 2019 and 2020 thanks to US pressure on its allies to cancel Huawei contracts, UK government appears to have responded by watering down criticism of the Chinese firm's practices in favour of soothing words about improvements.
- Australian government in talks to buy Pacific Islands' top telco
- FCC finalizes $1.9bn compo deal for telcos forced to rip'n'replace Huawei, ZTE gear
- Prime Minister says national security advisor will probe Chinese acquisition of UK's top chip maker
- Tencent to acquire Brit games developer Sumo Group
A Huawei spokesperson commented in a prepared statement: "The report concludes Huawei has made 'sustained progress' in addressing issues highlighted in previous reports and has made 'considerable progress' in third-party component support, which in the context of the global pandemic, the report describes as 'remarkable'. Rapidly evolving technologies present all innovators with security challenges and Huawei, as the only vendor to operate under a transparency centre (HCSEC), always strives to achieve the highest standards to keep our customers safe."
While some things have doubtless improved, the fact that the OB is confident enough to state that Huawei has made no overall progress while failing to explain how or why that is, perhaps suggests that political pressure has been brought.
Britain's National Security Adviser, currently Sir Stephen Lovegrove, formally receives the OB report and presents it to Parliament. Lovegrove is a former permanent secretary of the Ministry of Defence, having been promoted to NSA under the current Conservative government.
Instead of following the trend of previous years and stating openly what Huawei is getting wrong, the OB hopes Britain's upcoming Telecommunications Security Bill will "provide improved technical assurance in the security risk management of Huawei equipment in UK networks."
US sanctions (placing Huawei on the State [Foreign] Department's Entity List) had an effect on The Cell's own ability to operate. With HCSEC being, legally, part of Huawei UK, when that company was added to the US sanctions list it ran into difficulties. This forced the creation of a new corporate entity to run The Cell in January 2020 called Cyber Security Evaluations Ltd.
Sanctions imposed by the US banned most Western silicon suppliers from selling to Huawei, including Western-produced designs manufactured abroad. The ban prompted warnings from British ministers that homegrown Chinese chip designs which Huawei proposed using instead could be beyond HCSEC's ability to meaningfully vet.
Huawei has six years left before it will forcibly exit the UK telecoms market, following last year's ban on further purchases of Huawei 5G base stations and other kit intended to build the UK's next gen comms networks. That ban was delayed from the government's preferred 2023 date after mobile network operators raised the huge costs inherent in ripping and replacing one of their main vendors' gear in such a short space of time. ®