LONDON—Chinese telecom company Huawei has been strongly criticized in the United Kingdom for its security failings.
The board overseeing Huawei equipment in the UK, which is linked to the Government Communications Headquarters (GCHQ) security service, said Huawei had failed to fix long-standing security issues.
In a report released March 28, the National Cyber Security Center said it could give “only limited assurance that the long-term security risks can be managed in the Huawei equipment currently deployed in the UK.”
It follows a similar report from July 2018 in which the board said there was “significant risk in the UK telecoms infrastructure” due to its use of Huawei equipment.
Since that time, Huawei has made “no material progress” to correct security flaws in its equipment, which underpins the UK’s communications networks, according to the report.
Like many countries, the UK is currently deciding whether to allow Huawei to build its 5G networks. BT, one of the largest telecom companies in the country, has rejected Huawei equipment from its 5G network.
The board also said it no longer had confidence in Huawei’s ability to address “underlying defects,” despite the company’s pledge to spend more than $2 billion fixing them.
Previously, the board claimed any risks from the Chinese company could be “sufficiently mitigated.”
The report said that Huawei had not followed through on promises to rectify security problems going back as far as 2012.
“The evidence of sustained change is especially important as similar strongly worded commitments from Huawei in the past have not brought about any discernible improvements,” it said.
‘Serious and Systematic Defects’
However, the report stopped short of saying the company had deliberately introduced backdoors in its equipment or was spying for the Chinese regime.
Instead, it said the company had been negligent in the way it operated, leaving security holes in its products, revealing “serious and systematic defects in Huawei’s software engineering and cyber security competence.”
The report pointed out “significant technical issues in Huawei’s engineering processes,” including concerns about a product that enables a connection between someone’s cell phone and the network.
Huawei had updated its software in order to improve its security, but “the general software engineering and cyber security quality of the product continues to demonstrate a significant number of major defects,” the report noted.
Experts have pointed out that there is little that separates Huawei from the Chinese Communist Party.
Anthony Glees, professor of security at the University of Buckingham, said that the political risk of working with Huawei was too great.
“There’s a technical software risk which is that the security of Huawei stuff is not as good as it should be,” Glees said.
“It might be because they’re sloppy but it might be because you can’t get a cigarette paper between Huawei, Chinese government, the People’s Liberation Army, and the Chinese Communist Party.”
Author Gordon Chang, meanwhile, wrote in a tweet: “Who would have ever thought that a company formed, promoted, and controlled by a regime determined to steal secrets and intellectual property would have ‘security flaws’ permitting the theft of secrets and intellectual property?”
Who would have ever thought that a company formed, promoted, and controlled by a regime determined to steal secrets and intellectual property would have “security flaws” permitting the theft of secrets and intellectual property? https://t.co/nqxkqv3l5z
— Gordon G. Chang (@GordonGChang) March 28, 2019
The Huawei Cyber Security Evaluation Center was founded in 2010 in response to British government concerns about possible security threats to national infrastructure by Huawei. British security officials from agencies including GCHQ sit on its oversight board and report annually on its work.
The center is funded and ran by Huawei, with one of its staff members, David Francis, serving as managing director. However, it is monitored by an oversight board, which reports on its activities once a year.
The oversight board is chaired by Ciaran Martin, chief executive of the National Cyber Security Center, which is part of GCHQ, but there are four members from Huawei also on that board, as well as British government representatives.
Huawei has said it is a private company not under the control of the Chinese regime and not subject to Chinese security laws overseas.
However, it is well documented that Chinese companies are tightly linked to the communist regime. Many are required by law to establish Communist Party branches that can take part in decision-making to ensure the company’s activities are in line with the Communist Party’s goals.
The report said, “The oversight board advises that it will be difficult to appropriately risk manage future products in the context of UK deployments, until the underlying defects in Huawei’s software engineering and cyber security processes are remediated.”