Huawei hasn't yet fixed its security vulns, says UK's NCSC overseers
Not secure enough for UK.gov use either
Huawei has not shown British government overseers a "credible plan" for dealing with security shortcomings flagged in a report issued last year, the technical director of the National Cyber Security Centre (NCSC) has said.
Dr Ian Levy of GCHQ's cyber arm told the world’s press at a briefing that the Chinese network equipment maker had shown UK supervisors "worrying engineering issues" last year. He added: "As of today we've not seen a credible plan. That's the reality of the situation, unfortunately."
Levy was speaking after a speech delivered by NCSC chief exec Ciaran Martin in Brussels today. Martin said that Huawei equipment is subject to "strict controls" on where it is deployed, highlighting that it "is not in any sensitive networks – including those of the government." He elaborated on this by saying Huawei had "allocated money to fix these problems" but warned:
We will monitor and report on progress and we will not declare the problems are on the path to being solved unless and until there is clear evidence that this is the case.
The NCSC chief exec continued: "At high level we've known about those issues, engineering issues, for a while because our mitigation model works... a lot of the UK [mobile] operators have known that. They have done whatever they feel was appropriate to mitigate it for the last few years."
British Telecom began removing Huawei equipment from the core of its mobile networks in late 2018, insisting at the time that this was a pre-planned move to do with its 2016 purchase of EE, whose 3G and 4G network still uses Huawei equipment in its Enhanced Packet Core.
The speech and Levy's comments come hot on the heels of generally positive stories in the British media about Huawei's security practices, tending to show that while there are official concerns, their tech is deemed good enough for the general public to use.
Today's comments see a reversal of the position government press officers took in a briefing to the Financial Times earlier this week where one said (£): "Other nations can make the argument that if the British are confident of mitigation against national security threats then they can also reassure their public and the US administration that they are acting in a prudent manner."
With the British government now admitting that it does not currently allow Huawei equipment to be used on its own secure networks, how does its position compare to those held by its fellow Five Eyes spy alliance nations? Glad you asked. The US and Australia have, to one degree or another, put a kibosh on the use of Huawei 5G mobile equipment in their countries' national networks. In New Zealand, telco Spark was warned by the NZ government against deploying Huawei's kit for its 5G rollout. Meanwhile, Canada arrested Huawei chief financial officer, and founder's daughter, Meng Wanzhou on behalf of America, though it has not banned use of the company's equipment on its core 5G networks.
Last year the Huawei Cyber Security Evaluation Centre said it had found problems with "third party software, including security critical components, on various component boards [which] will come out of existing long-term support in 2020." The Register understands that these problems will take years, rather than months, to resolve.
Martin added, to the press, that the UK has "arguably got the toughest oversight regime for any country where Huawei operates". He emphasised that GCHQ's "15-16 years of experience in dealing with Huawei" gives it a unique insight into what the company does and how it does it.
The Royal United Services Institute, a military-themed think tank with close links to the government, described the use of Huawei network equipment in the UK as "at best naive, at worst irresponsible" in a paper it issued today. It based this conclusion on new Chinese laws that allow the Communist state to compel its citizens to co-operate with its spies.
Huawei's press office had acknowledged The Register's enquiries but had not responded substantively by the time of writing. ®
Updated to add, 10:00 UTC, 21/02/19
A Huawei spokesperson said: "We have undertaken to present a plan to the UK authorities for a US$2 billion global software transformation programme. We remain committed to designing and producing technology to the highest standards of security and safety for customers in 170 countries around the world."