Silver lining in damning Huawei security report, says former GCHQ officer

Article by Robert Scammell – Verdict
29 March 2019

Huawei is facing renewed criticism after a UK government-led report found “serious vulnerabilities” in its 5G technology – but it’s not all doom and gloom for the Chinese telecommunications giant, a former British intelligence officer has said.

Yesterday a report carried out by the UK’s National Cyber Security Centre (NCSC), which is part of GCHQ, warned of the challenges of managing long-term security risks in its 5G tech deployed in the UK.

The Chinese firm provides telecoms technology for UK telecoms companies and is seen as a key player in the race to set up next-gen 5G networks in the UK, but it has faced repeated allegations of espionage because of its ties with the Chinese Communist Party.

No evidence has been provided of spying – and Huawei has strongly refuted the allegations – but that has not stopped the US from pressuring allies into rejecting Huawei.

Huawei report: Cybersecurity concerns, not espionage

Yesterday’s report will come as a big blow to Huawei’s attempts to shake off these allegations. But crucially, the NCSC criticisms were all technical – it found no evidence of espionage in its review.

And despite the negative publicity, there are aspects of the report that Huawei can take some solace from, said former GCHQ officer Malcolm Taylor.

“I can’t see the Huawei leadership being best pleased, to say the least,” the now director cyber advisory at cybersecurity company ITC Secure told Verdict.

“But one interesting point here seems to be that the discussion has shifted somewhat, from one of alleged espionage to one of competence or, at best, willingness to address the issues raised in the original report by the UK.”

The 46-page report said that Huawei had made “no material progress” in remedying issues raised in its previous review, issued last year.

“That latter part is particularly tricky for a company with Huawei’s obvious technological capabilities; it is less and less acceptable to be not dealing with cybersecurity for anyone, never mind a company in this sector,” Taylor continued.

The Huawei report found a number of poor cybersecurity procedures, including source code flaws, “end-to-end integrity” and use of an old version of a third-party operating system, among others.

Echoing these concerns, Joseph Carson, chief security scientist at cybersecurity firm Thycotic, said the biggest problem for Huawei is the “continued poor software development practices and cybersecurity competence”.

More specifically, there is “a major concern with the software development practices is the failure with the build process and integrity validation which exposes Huawei to potentially malicious code being introduced and updated into Huawei’s products,” said Carson.

He added that such security risks could be similar to that of the recent ASUS software update that inadvertently distributed malware across devices.

“This poor software development practice could expose major security risks, especially as it is being used for critical infrastructure,” Carson said.

“As we increasingly see elsewhere, good cybersecurity is a differentiator; companies win by being secure as well as proficient,” added Taylor.

UK decision to ban Huawei could go “either way”

The British government is expected to make a decision on whether or not to ban Huawei’s telecoms equipment by early April. Last month, the NCSC recommended that the Chinese tech giant should not be banned.

It reflects the UK’s risk management approach to what Taylor describes as a “complex issue”, who sees yesterday’s report as “further vindication of that approach”.

At its core, the NCSC-led report has determined that Huawei needs to do more to satisfy the UK that it is addressing previously raised security vulnerabilities.

“Huawei will not have helped its case through failure to respond in the way a client requires,” says Taylor.

“But I do think Huawei will take a little satisfaction from the debate having shifted slightly away, for now at least, from espionage – this is in one sense a much more normal commercial situation and one Huawei can still choose to fix.

“It’s in their gift, and the decision about using Huawei can still go either way.”

Huawei: We take the concerns “very seriously”

In a statement, A Huawei spokesperson said that it takes the concerns raised in the report “very seriously” and pointed to a $2bn investment in enhancing its software engineering that was announced last November.

It stressed that the report does not “suggest that the UK networks are more vulnerable than last year”.

Taylor said that Huawei needs to “get to grips” with the issues raised in the previous report.

“If nothing else this is a commercial requirement; the UK is a Huawei client, and has required them to make these changes in order to maintain this relationship,” he said.

“Such commercial disputes arise frequently – just not always with this backdrop or publicity. I wouldn’t see it any differently, were it not for the publicity.”