Cyberagency assessment increases pressure on Chinese vendor as it seeks to fend off security concerns in the West.
By LAURENS CERULUS
The U.K. cybersecurity authority slammed Chinese telecoms equipment maker Huawei in a report today, saying the company has failed to fix glitches in its software and poses "new risks" to U.K. telecoms networks.
The National Cyber Security Agency (NCSC), which scrutinized Huawei's cybersecurity over the past year, found the company has failed to deliver on promises to prioritize the security of its equipment and fix issues identified in previous audits.
In the annual oversight report, the agency said that "significant technical issues have been identified in Huawei’s engineering processes, leading to new risks in the U.K. telecommunications networks."
The agency said it can "only provide limited assurance that all risks to U.K. national security from Huawei’s involvement in the U.K.’s critical networks can be sufficiently mitigated long-term" — an assessment it also made in its previous annual report in July 2018.
The report, which is part of intelligence services' ongoing scrutiny of Huawei equipment, forces the Chinese company to beef up its efforts on cybersecurity. Huawei in December pledged it would invest $2 billion (€1.8 billion) to update its equipment and fix the issues the agency identified in its July 2018 report.
It's also a signal to U.K. operators, who are negotiating with vendors on who to procure equipment from for the rollout of new, high-speed 5G internet networks, and to the U.K. government, which is conducting a security review that could amount to bans or restrictions on the use of Huawei equipment across parts of British networks.
A Huawei spokesperson said the report "again recognizes the effectiveness” of the U.K.’s oversight mechanism. “As the report says, ‘the oversight provided for in our mitigation strategy for Huawei's presence in the UK is arguably the toughest and most rigorous in the world.’”
Software management issues
Since 2010, the company's gear has been under constant audit at a security center in Banbury, northwest of London, where it is being tested for the risk of hacking and espionage activities.
The Banbury center, known as "HCSEC," is run by Huawei and its employees are on Huawei's payroll, but the work is overseen by the NCSC, part of the U.K. intelligence service GCHQ.
Two findings jumped out of the latest review.
The first is that software in Huawei equipment tested in Banbury doesn't always match software found in products on the market. This issue came up in the agency's last report in July 2018.
It dents the Chinese company's argument that its equipment is thoroughly checked by British and other European authorities.
Huawei has opened cybersecurity centers in Bonn, Germany and Brussels in the past months. Part of the company's pitch to governments, European operators and EU lawmakers is that it would allow for its source code to be checked at these centers, including the one near the EU institutions in Brussels.
The U.K. agency's findings cast doubt on the promise of source code disclosure — a remedy that experts have previously criticized.
"Evaluating code is an extremely difficult thing to do ... and probably it is not really the way to go," Steve Purser, head of core operations at the EU's cybersecurity agency ENISA, told POLITICO earlier.
The second crucial finding is that the cybersecurity agency considers its management of software engineering unsafe.
People involved in the report's drafting explained officials found a series of issues with how Huawei integrates third-party software in its equipment. Like others, Huawei uses popular open-source software libraries and parts in its gear. But officials found basic engineering issues with the ways the company integrates this code, the people said.
Critical timing
The British report comes amid pushback led by the U.S. administration to limit the Chinese vendor's access to Western markets — as Europe rolls out 5G.
U.K. telecoms operators are in the process of planning their rollout of 5G in coming years. Operators are watching closely how the government reacts to security services' concerns about Chinese telecom vendors.
Vodafone's chief executive officer, Nick Read, said at the end end of January that the company would "pause" its use of Huawei equipment in the operator's "core" network.
BT, another large operator in Britain, in December said it would swap out Huawei gear from its 3G and 4G networks and would not use its equipment in future "core" parts of the network.
Vodafone declined to answer POLITICO's questions. BT did not immediately respond to a request for comment.
The U.K. market is a key one in Europe for the Chinese equipment vendor, which has used it as a launching pad for its rapid expansion in Europe in the past decade.
The U.K. government is also conducting a telecoms supply chain security review, first reported by POLITICO in October. It's working closely with operators and vendors for this review.
At the European level, other governments have launched similar reviews of their national security checks on Huawei and other telecoms equipment vendors.
Several smaller countries have asked leading intelligence services like the U.K.'s for input. The European Commission earlier this week issued recommendations for EU countries to share their security assessments and come to a joint position on whether to allow Huawei into their networks.
Together with Germany and France, the U.K. is seen as a key country weighing heavily on how a European model of risk management would work.
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.