Only limited assurance can be provided that national security risks from Huawei’s involvement in UK networks can be mitigated long term, according to a watchdog.
In a report, the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board – set up to oversee Huawei’s work to mitigate risks – said it would be “difficult to appropriately risk-manage future products in the context of UK deployments until the underlying defects in Huawei’s software engineering and cyber security processes are remediated”.
The report said in 2018 Huawei announced the investment of $2bn over five years to “transform its software engineering process” and improvements had been seen in some areas.
“However, the set of significant vulnerabilities in a product that had gone through the transformation programme means that we still cannot have any confidence that these represent a systematic change in Huawei’s approach,” said the report.
On Tuesday Nokia announced it had struck a deal to become BT’s largest equipment provider by supplying gear for 5G. In January BT said restricting Huawei's role in its 5G rollout would cost £500m.
The Nokia deal followed the UK government banning telcos from buying new 5G equipment from Huawei from the end of 2020. The government has committed to removing all Huawei 5G equipment by 2027, at a cost of up to £2bn, following sanctions imposed by the US.
HCSEC was set up by Huawei under arrangements with the UK government in 2010 to “mitigate any perceived risks arising from the involvement of Huawei in parts of the UK’s critical national infrastructure”.
In 2014 the Oversight Board, chaired by the CEO of the National Cyber Security Centre (NCSC), was set up to oversee HCSEC’s work.
“The Oversight Board can only provide limited assurance that all risks to UK national security from Huawei’s involvement in the UK’s critical networks can be sufficiently mitigated long term,” said the report.
“These findings are about basic engineering competence and cyber security hygiene that give rise to vulnerabilities that are capable of being exploited by a range of actors.”
But it added: “NCSC does not believe that the defects identified are a result of Chinese state interference.”
In September the US Federal Communications Commission said research showed it would cost an estimated $1.84bn to remove and replace telecoms equipment provided by Huawei and ZTE, another Chinese telco.