UK spy agency GCHQ has warned that continued concerns over Huawei’s approach to software development mean national security may be at risk.
Operatives from the Cheltenham-based signals intelligence body staff a Huawei Cyber Security Evaluation Centre (HCSEC), which monitors the Chinese firm’s products and processes as a pre-requisite for it doing business in the UK.
However, having already discovered and flagged major concerns in the last report, it claimed that “limited progress” had been made in addressing them.
These unnamed issues bring “significantly increased risk to operators” and require “ongoing management and mitigation,” it said.
Although Huawei-built UK networks are no more vulnerable than last year, the fact that progress hasn’t been made by the Chinese giant in addressing HCSEC’s concerns means its recommendations to government haven’t changed.
“The Oversight Board advises that it will be difficult to appropriately risk manage future products in the context of UK deployments, until the underlying defects in Huawei’s software engineering and cybersecurity processes are remediated,” the report noted.
“At present, the Oversight Board has not yet seen anything to give it confidence in Huawei’s capacity to successfully complete the elements of its transformation programme that it has proposed as a means of addressing these underlying defects. The Board will require sustained evidence of better software engineering and cyber security quality verified by HCSEC and NCSC.”
As a result, the HCSEC said it can only provide “limited assurance” that risks to national security from Huawei’s involvement in UK networks can be effectively mitigated going forward.
The report claimed the number of reported bugs and issues rose “significantly” over the past year, including the discovery of a vulnerability of “national significance” in 2019, although it’s not thought to have been exploited before being fixed.
While there’s no suggestion any of the above issues were deliberately engineered by the company, the findings reflect poorly on its general competence in cybersecurity.
In July, the UK government told operators to stop buying from Huawei by the end of the year and remove the firm’s products from their 5G networks by 2027—delaying rollouts for around a year.