GCHQ report says Huawei failed to tackle UK security flaws

Cyber security analysts tasked with investigating Huawei equipment used in the UK's telecommunications networks discovered a "nationally significant" vulnerability last year.

Investigators at the UK’s Huawei Cyber Security Evaluation Centre (HCSEC) say that Huawei has failed to adequately tackle security flaws in equipment used in the UK’s telecoms networks, according to an oversight report published on Thursday.

Vulnerabilities are usually software design failures which could allow hostile actors (in particular the Chinese state when it comes to Huawei) to conduct a cyber attack. They are not necessarily intentional and can’t be seen as an indication of any hostile intent on the part of the developers themselves.

There is a hypothetical concern that Beijing could purposefully design some kind of deniable flaw in Huawei’s equipment which it would know how to exploit – or that it could have been alerted to a potential attack vector once the issue was reported to Huawei.

The report explicitly states that the UK’s National Cyber Security Centre (NCSC) – a part of GCHQ – “does not believe that the defects identified are as a result of Chinese state interference”, and adds that there is no evidence the vulnerabilities were exploited.

Instead, the agency reported that “poor software engineering and cyber security processes lead to security and quality issues, including vulnerabilities” – and that “the increasing number and severity of vulnerabilities discovered” is of particular concern.

“If an attacker has knowledge of these vulnerabilities and sufficient access to exploit them, they may be able to affect the operation of a UK network, in some cases causing it to cease operating correctly,” the report warns.

“Other impacts could include being able to access user traffic or reconfiguration of the network elements.”

After the major vulnerability was assessed by the UK’s security services, it was reported to Huawei, in line with HCSEC’s normal vulnerability disclosure process.

The report adds that HCSEC “continues to reveal serious and systematic defects in Huawei’s software engineering and cyber security competence” – and warns that despite fixing specific issues when directed to do so, the agency has “no confidence that Huawei will effectively maintain components within its products”.

A spokesperson for Huawei said the report highlighted the company’s “commitment to a process that guarantees openness and transparency, and demonstrates HCSEC has been an effective way to mitigate cyber security risks in the UK”.

They stressed the NCSC’s conclusion that the defects were not believed to be a result of malicious interference from the Chinese state, and that the UK’s networks are not more vulnerable than last year.

“As innovators, we continue significant investment to improve our products. The report acknowledges that while our software transformation process is in its infancy, we have made some progress in improving our software engineering capabilities,” said the spokesperson.

“Huawei has faced the highest level of scrutiny for almost 10 years. This rigorous review sets a precedent for cyber security collaboration between the public and private sectors, and has provided valuable insights for the telecoms sector.”

Similar vulnerabilities are often discovered in equipment from rival networking vendors – whether radio antennas or core switches and gateways – but, the company argues, they do not receive the same attention.

“We believe this mechanism can benefit the entire industry and Huawei calls for all vendors to be evaluated against an equally robust benchmark, to improve security standards for everyone,” the spokesperson added.