British security officials have said Huawei’s telecoms kit in the country’s critical infrastructure poses a risk of “national significance” and that they do not believe it can be safely managed.
That is according to a government annual report (pdf) covering 2019 published on Thursday.
After initially granting Huawei a limited role in the UK’s 5G infrastructure, Prime Minister Boris Johnson reversed that decision in July, ordering all of the company’s equipment to be purged from national networks by the end of 2027.
The reason given for the about-turn was the impact of new U.S. sanctions on chip technology, which Britain’s National Cyber Security Centre (NCSC) told ministers meant Huawei was no longer a reliable equipment supplier.
Officials said this latest report on Huawei did not relate to the subsequent impact of those sanctions.
The annual report, the sixth from the Huawei Cyber Security Evaluation Centre Oversight Board (HCSEC), found Huawei had made “limited progress” on security issues raised last year.
The report said it therefore could not reassure the government any more than it had then on “concerning issues” in Huawei’s software development, which brought “significantly increased risk to UK operators.”
The report added that the increased risks require “ongoing management and mitigation.”
It also said that until Huawei fixed the “defects” identified last year in its “software engineering and cybersecurity processes,” a proper risk assessment of any future Huawei gear could not be done.
The Oversight Board said it had not “seen anything to give it confidence” that Huawei could address the “underlying defects.”
It added that it would require “sustained evidence” before it could say all risks to Britain’s national security could be mitigated.
Hackers with sufficient know-how could potentially exploit the “increasing number and severity of vulnerabilities” to cause the network to “cease operating correctly,” the report said.
One of those vulnerabilities was an issue with the company’s broadband products that were deemed to be of “national significance.”
The HCSEC report said its findings were related to defects in “basic engineering competence and cybersecurity hygiene” that could be taken advantage of by a “range of actors.”
The findings will likely increase pressure on Huawei, which has been besieged by repeated rounds of U.S. sanctions and allegations that its products can be used by Beijing for spying.
Huawei has repeatedly denied the allegations and said on Thursday that the British assessment showed equipment vulnerabilities were not a result of “Chinese state interference.”
A spokesperson for Huawei told reporters that the Oversight Board report highlighted the company’s “commitment to a process that guarantees openness and transparency and demonstrates HCSEC has been an effective way to mitigate cybersecurity risks in the UK.”
HCSEC is a facility in Oxfordshire, southeast England, belonging to Huawei Technologies (UK), whose parent company is a Chinese-headquartered company and one of the world’s largest telecommunications providers. HCSEC was set up by the British government to try to mitigate risks posed by Huawei’s telecoms gear to the country’s critical infrastructure.
The HCSEC Oversight Board is chaired by Ciaran Martin, the CEO of the NCSC, and an executive board member of GCHQ, the government’s intelligence advisor. The Oversight Board also includes a senior executive from Huawei as Deputy Chair.
The publication of this year’s HCSEC Oversight Board report has been delayed relative to previous years due to the CCP (Chinese Communist Party) virus, commonly known as novel coronavirus, pandemic.
Reuters contributed to this report.