Upcoming report from UK's Huawei handler will blast firm for unresolved security issues
GCHQ limb tight-lipped but we can read between the lines
Huawei is nursing bruises from a fresh round of bashing in the popular press, this time from a report stating that Britain is to criticise the embattled Chinese telco kit maker over ongoing security vulnerabilities.
This morning the Daily Telegraph reported (£), with notably little detail, that Britain's Huawei Cyber Security Evaluation Centre (HCSEC) is set to shame the company "over the security of its technology" because "issues raised from its previous findings... have not been fully addressed".
HCSEC publishes an annual report into its inspections of Huawei's wares. Last year's report stated: "Security critical third party software used in a variety of products was not subject to sufficient control... Third party software, including security critical components, on various component boards will come out of existing long-term support in 2020, even though the Huawei end of life date for the products containing this component is often longer."
However, El Reg understands that those vulns highlighted last July will, by their nature, take more than a year to fix.
Based in Banbury, Oxfordshire, HCSEC is owned by Huawei and staffed by a combination of Huawei employees and technical folk from British spy agency GCHQ's public-facing branch, the National Cyber Security Centre. HCSEC was set up in 2010 "to mitigate any perceived risks arising from the involvement of Huawei in parts of the UK's critical national infrastructure" and its function is to review Huawei software and hardware before it is installed in Britain.
Responding to this morning's claims about impending criticism, Huawei said it would "continue to actively improve our engineering processes and risk management systems", pointing to a December 2018 promise from spinning rotating chairman Ken Hu that it would splurge $2bn on "software engineering capabilities", which happens to include security among other catch-all terms.
GCHQ - which will no doubt want more information on how that $2bn will be used - told us today it has "concerns around a range of technical issues" as it explained in last year's HCSEC report, adding that it "has set out improvements the company must make". While the spies said they have not seen any evidence of compromise so far, they were worried that what HCSEC is testing may not be the same software being deployed in Huawei products, limiting HCSEC's effectiveness as a review mechanism.
Other than that, GCHQ's fears from last year were largely industrial in nature rather than security-specific: how to verify hardware and software elements supplied by third parties in Huawei's own supply chain, and how to handle those elements when they reach end-of-life before the component or system they are installed in does.
We understand that the nature of those concerns has not changed significantly in this year's HCSEC report, a draft of which The Telegraph said it had been briefed about by people familiar with the report's content.
While Western attitudes to Huawei have edged towards outright hostility in recent months, nobody has, so far, made public any hard evidence of Huawei posing a direct threat to national security, whether in its own right or as an agent of the Chinese state. Even in America, where arguably the legal system and local politics are sometimes difficult to tell apart, recent criminal charges brought against Huawei CFO Meng Wanzhou and the company itself amount to allegations the firm ignored US trade sanctions and allegations of theft of details of a mobile handset-testing robot from T-Mobile.
Rob Pritchard, a Royal United Services Institute associate fellow for cybersecurity and founder of infosec biz The Cyber Security Expert, told The Register that while we've seen plenty of smoke, ruling out the presence of fire may be unwise.
"The current hardening of postures against Huawei suggests that there is classified evidence that the Chinese state is closer to Huawei than they claim," said Pritchard. "It's hard to know what this might mean in practice – whether it is just general concern about building critical infrastructure on the back of equipment tied to a strategic rival, or if there is specific evidence of espionage." ®
The GSMA mobile operators' trade association refused to comment on a Reuters report that later this month it will propose an emergency meeting to impose a de facto ban on the use of Huawei equipment by its members.