UK discovers Huawei UK staff auditing Huawei kit: Govt orders probe

Sir Kim'll fix it

High performance access to file storage

Huawei will be probed by a top Whitehall official after the Chinese tech giant's staff in Oxfordshire were given the job of auditing Huawei's telecoms gear for Blighty's communications networks.

The review was ordered following the publication of a report by an influential committee of MPs which warned of a conflict of interest and a threat to national security. Specifically, the panel had assumed GCHQ brains were scrutinising Huawei's products rather than Huawei employees. The review will be carried out by Britain's national security adviser, Sir Kim Darroch.

Telecoms equipment kingpin Huawei, separately accused of spying on nations for the Chinese government, supplies crucial hardware for the UK's communications arteries. The tech giant denies any wrongdoing.

It was encouraged in 2010 to establish a Cyber-Security Evaluation Centre, dubbed the Cell, in Banbury to weed out security vulnerabilities in its technology - ultimately so that British businesses and politicians could trust its hardware was secure against hackers and spies.

A report [PDF] titled Foreign Involvement in the Critical National Infrastructure, written by Parliament's Intelligence and Security Committee, highlighted the fact that the Cell was staffed by Huawei rather than run by GCHQ.

"While we recognise that the Government does not expect the Cell to find every vulnerability, and that there are other mitigations in place, we remain concerned that a Huawei-run Cell is responsible for providing assurance about the security of Huawei products," the ISC said in its dossier.

"Before seeking clarification, we assumed that Huawei funded the Cell but that it was run by GCHQ.

"A self-policing arrangement is highly unlikely either to provide, or to be seen to be providing, the required levels of security assurance. We therefore strongly recommend that the staff in the Cell are GCHQ employees. We believe that such a change is not only in both Huawei’s and Government’s interests, but that it is in the national interest."

Government officials responded to the report on Thursday by agreeing to review the role of Huawei staff in the Oxfordshire centre, as a statement by the Cabinet Office explains:

The Government has carefully considered the ISC’s report on Foreign Investment in the Critical National Infrastructure and its particular focus on managing new threats to the UK’s telecommunications systems and networks. We take threats to our Critical National Infrastructure very seriously and need to be responsive to changes in a fast-moving and complex, globalised telecommunications marketplace. We have robust procedures in place to ensure confidence in the security of UK telecommunications networks.

However, we are not complacent and as such we have agreed to the main recommendation of the report to conduct a review of Huawei’s Cyber Security Evaluation Centre (the ‘Banbury Cell’) to give assurance that we have the right measures and processes in place to protect UK telecommunications.

Cell out

The Cyber Security Evaluation Centre was established after Huawei - said to have close links to the Chinese administration - gained more and more contracts with UK communication providers, years after its breakthrough deals with BT.

Prior to 2010, BT - with support from GCHQ - had undertaken its own security reviews of the equipment. Then as Huawei’s presence in the UK increased, the Cell was supposed to audit the equipment to reassure other telcos and ISPs that the gear could not be tapped into by foreign powers-that-be or private miscreants.

MPs on the ISC also raised wider concerns about the lack of "effective procedure for considering foreign investment in critical national infrastructure" systems. The government accepted that in retrospect national security issues went largely overlooked at the time BT began sourcing kit from Huawei in 2003. However, more recently, procedures have been tightened up and adequate controls are already in place.

"The Government does not agree with the Committee’s statement that there have been no improvements since then or that national security issues are overlooked. Indeed the National Security Council (NSC), which was not in existence at the time of the BT-Huawei contract, can and does consider similar issues today in order to ensure that HMG’s approach balances economic prosperity and commercial competitiveness with national security," the government said in its official response.

"Boosting trade and investment is a key part of the Government’s plan for growth and we are working hard to develop our economic relationships with key trading partners, including China. At the same time, the Government works with major Communication Service Providers (CSPs) in the UK to ensure that their networks and the services they provide are appropriately secure. Our work with Huawei and their UK customers gives us confidence that the networks in the UK that use Huawei equipment are operated to a high standard of security and integrity."

It was generally agreed that it was impractical to build the UK's telecoms infrastructure from kit sourced from UK firms alone and that obtaining equipment from overseas suppliers, answerable to shareholders, is always going to pose national security concerns. Even sourcing from UK suppliers alone wouldn't wholly answer these concerns, given the global nature of supply chains.

Nonetheless, concerns about Huawei's role in supplying telecoms infrastructure kit have been raised by politicians on both sides of the Atlantic for years now.

A Huawei spokeswoman welcomed the review.

"Huawei shares the same goal as the UK government and the ISC in raising the standards of cybersecurity in the UK and ensuring that network technology benefits UK consumers," she told the BBC. The firm issued a fuller defence of its approach to security evaluation in the UK days after the ISC's report came out last month:

Prior to BT's selection of Huawei in 2005, Huawei was subject to a comprehensive audit across 11 different areas, including strategic development, management systems, corporate social responsibility and security management. This detailed audit took two years and only when it had been completed did BT sign its first contract with Huawei. Since then, BT has continued to conduct a thorough annual evaluation of Huawei and after eight years of partnership, we have built a strong and mutually beneficial relationship with them.

In 2010, the British Government, Huawei and telecom operators, including BT, collaboratively agreed to establish a cyber-security evaluation centre. Over the past two and a half years, the centre has examined more than 30 types of product which we provide to UK customers, covering GSM, 3G, LTE, IMS, FTTX and others. This rigorous testing system is one of the most advanced in the cyber security field globally and ensures that Huawei can provide advanced telecommunication technology to its customers in the UK.

The review by Sir Kim is due to be completed and presented to the Prime Minister at an unspecified time later this year. Findings of the review will then be passed onto MPs on the ISC. ®

High performance access to file storage

More from The Register

next story
Android engineer: We DIDN'T copy Apple OR follow Samsung's orders
Veep testifies for Samsung during Apple patent trial
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Big Content goes after Kim Dotcom
Six studios sling sueballs at dead download destination
Alphadex fires back at British Gas with overcharging allegation
Brit colo outfit says it paid for 347KVA, has been charged for 1940KVA
Jack the RIPA: Blighty cops ignore law, retain innocents' comms data
Prime minister: Nothing to see here, go about your business
Singapore decides 'three strikes' laws are too intrusive
When even a prurient island nation thinks an idea is dodgy it has problems
Banks slap Olympus with £160 MEEELLION lawsuit
Scandal hit camera maker just can't shake off its past
France bans managers from contacting workers outside business hours
«Email? Mais non ... il est plus tard que six heures du soir!»
Reprieve for Weev: Court disowns AT&T hacker's conviction
Appeals court strikes down landmark sentence
US taxman blows Win XP deadline, must now spend millions on custom support
Gov't IT likened to 'a Model T with a lot of things on top of it'
prev story


Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.