The Huawei Cyber Security Evaluation Centre (HCSEC) was launched in 2010 and has since monitored the potential security hazards raised by a number of UK telecommunications companies, including BT.
“Shortcomings in Huawei’s engineering processes have exposed new risks in the UK telecommunication networks”, the report stated.
The Chinese telecoms manufacturer has come under intense scrutiny recently following similar security concerns in the US. In May, the Pentagon ordered retail outlets located on US military bases to stop selling Huawei and ZTE phones.
The Department of Defense said using the devices could compromise security, stating: “Huawei and ZTE devices may pose an unacceptable risk to the department’s personnel, information and mission.”
The report marks a significant escalation and change of language compared to the HCSEC’s statement last year and warns that risks may have increased; specifically focusing on the firm’s lack of end-to-end traceability. Additionally, it found serious issues in the company’s use of commercial and third-party components, which it says were poorly managed and monitored.
A technical visit to China’s fastest growing tech hub, Shenzhen, was scheduled for September 2017, the report says. This visit entailed National Cyber Security Centre (NCSC), HCSEC and UK operators monitoring progress around source code redelivery to HCSEC and binary equivalence.
According to the report, previous technical visits have discussed the firm’s management of third-party components and had found they are not subject to adequate control measures.
“During a review of the programmes of work being undetaken, NCSC identified that not all components are managed through this process”, the report said, adding that “security critical third-party software used in a variety of products was not subject to sufficient control.”
The report by the HCSEC also raised “medium-term concerns” over the use of incoming technologies, such as 5G, edge computing, network virtualisation and software-defined networking.
Speaking to the BBC, Huawei said it had taken on board UK security concerns but insisted that cybersecurity remained a “top priority”.
A spokesperson said: “We are grateful for this feedback and are committed to addressing these issues.
“Cyber-security remains Huawei’s top priority, and we will continue to actively improve our engineering processes and risk management systems.”
Can Britain Trust Chinese Products?
The HCSEC report highlighted that, despite growing concerns Huawei had been performing adequately in its mitigation strategy. The firm had addressed security concerns “at scale” and with “high quality” standards.
Huawei is not the only Chinese firm in the spotlight in the UK. Earlier in 2018, the NCSC issued a warning to British telecoms providers not to use ZTE equipment as it would have a “long-term negative effect on the security of the UK.”
In the US, ZTE was at the centre of a bizarre political scandal that saw the company banned from operating and then offered a reprieve by President Donald Trump.
The US Commerce Department excommunicated the telecommunications firm for seven years after it was found to have violated export restrictions to Iran and North Korea. This ban temporarily halted the company’s global smartphone sales as it was blocked from buying components from American companies.
However, the decision was quickly reversed after President Trump reached a confusing deal with Chinese premier, Xi Jinping. According to President Trump, it was within the interests of both parties to rescind the ban to protect Chinese jobs.