UK security experts found a flaw of “national significance” while analysing technology from Chinese networking company Huawei, according to a government report.
Huawei’s software engineering and cybersecurity practices have been criticised in the annual report (PDF) from the Huawei Cyber Security Evaluation Centre (HCSEC), which was set up by the UK government and the networking giant to evaluate equipment which is to be used in UK networks.
The centre was opened in 2010, with the aim of reducing any potential risk from using Huawei’s technologies as part of the UK’s critical national infrastructure. As such, the HCSEC annual report provides detailed analysis of the company’s software, engineering and cybersecurity processes.
“HCSEC’s work has continued to identify concerning issues in Huawei’s approach to software development bringing significantly increased risk to UK operators, which requires ongoing management and mitigation,” the report said, adding that limited progress has been made on the issues raised in the previous report.
Overall, the board that oversees the centre said it could only provide “limited” assurance that all risks to UK national security from Huawei’s involvement in the UK’s critical networks can be sufficiently mitigated long-term.
“The increasing number and severity of vulnerabilities discovered, along with architectural and build issues, by the relatively small team in HCSEC is a particular concern. If an attacker has knowledge of these vulnerabilities and sufficient access to exploit them, they may be able to affect the operation of a UK network, in some cases causing it to cease operating correctly,” it warned.
The report said a flaw of “national significance” had been discovered during HCSEC’s work this year.
When a flaw is identified, HCSEC usually reports it to the NCSC, the telecoms company, and to Huawei to fix it.
But the report noted: “In rare circumstances, where the impact of the vulnerability is of national significance, the release of full details of the vulnerability to Huawei may be delayed to allow the UK community to assess and mitigate the impact. This occurred during 2019.” According to the BBC, this flaw was related to broadband, but officials do not believe anyone exploited it.
The report said that its finding referred to basic engineering competence and cybersecurity hygiene – not flaws deliberately introduced. “NCSC does not believe that the defects identified are a result of Chinese state interference,” the report said.
But it also said that major quality problems were still being found in the products analysed by HCSEC.
“Sustained evidence of poor coding practices was found, including evidence that Huawei continues to fail to follow its own internal secure coding guidelines. This is despite some minor improvements over previous years,” the report said.
HCSEC said that in 2019, it identified “critical, user-facing vulnerabilities” in fixed access products. It said these were caused by “particularly poor code quality” and the use of an old operating system.
“The vulnerabilities were a serious example of the issues that are more likely to occur given the deficiencies in Huawei’s engineering practices, and during 2019 UK operators needed to take extraordinary action to mitigate the risk,” the report said.
While Huawei has since fixed the specific vulnerabilities in the UK, this has introduced an additional major issue into the product, adding further evidence that deficiencies in Huawei’s engineering processes remain, the report added.
Huawei said that it continues “significant” investment to improve its products. “The report acknowledges that while our software transformation process is in its infancy, we have made some progress in improving our software engineering capabilities,” the company said, adding that all vendors should be evaluated against an equally robust benchmark, “to improve security standards for everyone”.
The report only covers 2019. However, this year Huawei’s position as a key provider of network technology in the UK has started to change significantly. In July, the government told telecoms operators to halt the purchase of 5G equipment from the Chinese company from 2021, a move largely driven by national security concerns. Telecoms companies are also required to remove all of Huawei’s technology from their 5G networks over the next seven years.