Some of Huawei’s telecom equipment has again failed to meet the cybersecurity quality standards of a United Kingdom agency that examines potential risks of the company’s products in telecom networks.
There was “no overall improvement over the course of 2020 to meet the product software engineering and cybersecurity quality” expected by the U.K.’s National Cyber Security Centre (NCSC), according to the annual report released Tuesday by the Huawei Cyber Security Evaluation Centre’s Oversight Board.
The report doesn’t say whether backdoors have been found in the software code, but previous reports have said the problems are in code quality not malicious activity.
However, it also says the engineering and cybersecurity quality issues are part of long-term, systemic defects in Huawei’s software engineering and cybersecurity competence.
The proposed U.K. Telecommunications (Security) Bill, now close to Parliamentary approval, should provide a framework for addressing the strategic risks in Huawei and other manufacturers’ products differently, the report says. Briefly, the bill would give the government new powers to boost the security standards of the U.K.’s telecommunication networks, including banning risky equipment suppliers and setting technical standards to be met.
The NCSC anticipates that the new security obligations in the bill will result in improvements in the security of all vendor equipment, the report adds.
Last year the U.K. banned telecom companies there from installing Huawei equipment on their 5G wireless networks.
Meanwhile Canada still has made no decision on whether it will allow carriers here to use Huawei equipment in their 5G wireless networks. It is assumed Ottawa’s decision is complicated by the detention of two Canadians in China while a Vancouver hearing on an extradition request from the U.S. for Huawei chief financial officer Meng Wanzhou continues.
In the meantime, Canadian carriers have decided to buy wireless network gear from other vendors.
The U.K. report admits there was “sustained progress” last year on remediating problems found in previous reports. That includes considerable progress on rectification of motherboards with an old and out-of-mainstream-support component, and progress on binary equivalence, fixed access issues, and vulnerability management.
One problem is Huawei uses an old version of a third-party realtime operating system in some products, the report says. This component went out-of-mainstream support last year, although some products using those motherboards are still in U.K. telecom networks. They are steadily being remediated, but about 25 per cent of the Huawei gear in U.K. telecom networks still to be fixed.
All vulnerabilities in “particularly poor code” identified in fixed network wireless products in 2019 have been fixed. During 2020, Huawei effectively remediated all vulnerabilities discovered and reported by the centre in line with expectations, the report adds.
The Huawei Cyber Security Evaluation Centre was set up 10 years ago in the U.K., allowing government scrutiny of fixed and wireless networks products amid concerns about security. It is owned indirectly by Huawei Technologies. The oversight board’s job is to ensure it is independent from the company, and that the centre’s testing methodologies are sound. The NCSC chooses the equipment to be tested.
The oversight board is chaired by the NCSC’s chief executive. A senior Huawei executive is the deputy chair. Other members of the board include representatives from the U.K. government and the telecommunications sector.
According to the Globe and Mail, Canada has a similar centre here. However, the government doesn’t issue reports on its work.
The news site Light Reading notes that the U.K. doesn’t test network equipment from Ericsson or Nokia.
In its report for 2019, delivered last year, the oversight board said it “has not yet seen anything to give it confidence in Huawei’s capacity to successfully complete the elements of the [software development] transformation program that it has proposed as a means of addressing these underlying defects.”
The U.S. and the U.K. have worried for years that Huawei is too close to the Chinese government to trust its equipment. In 2019 the U.S. consul in Toronto warned Canada against allowing wireless network carriers here to buy 5G equipment from Chinese manufacturers.