UK’s GCHQ warns of ‘long-term security risks’ from Huawei equipment

28 Mar 2019

Image: © Zakhar Marunov/Stock.adobe.com

New report from UK’s spymasters does little to calm fears about use of Huawei tech in future 5G networks.

A new report by the National Cyber Security Centre (NCSC) in the UK, part of the Government Communications Headquarters (GCHQ), has claimed that Huawei has failed to adequately address security defects in its systems.

The report comes just as Huawei appears to be winning over European telecoms firms, including Eir, Deutsche Telekom and Vodafone, after enduring a litany of spying claims from the US and its Five Eyes allies.

‘The Oversight Board continues to be able to provide only limited assurance that the long-term security risks can be managed in the Huawei equipment currently deployed in the UK’
– NCSC

Vodafone warned recently that halting the use of the Chinese company’s equipment over unproven spy fears would set back 5G deployment by years. “We would have to slow down the deployment of 5G very significantly,” Vodafone CTO Scott Petty warned.

While the report contains no allegations or evidence that Huawei has been engaging in any form of espionage on behalf of China, it notes that the telecoms giant has failed to address “underlying defects” that had been pointed out.

The timing of the report is interesting as it occurs just as many telecom giants are preparing their 5G investment strategies.

Go your Huawei … at your own risk

The report describes “significant technical issues” in Huawei’s engineering processes and claims that the company’s approach to software development brings “significantly increased risk to UK operators”.

It said that through a rigorous system of oversight, those risks could be managed.

“The Oversight Board continues to be able to provide only limited assurance that the long-term security risks can be managed in the Huawei equipment currently deployed in the UK,” the report said.

“The Oversight Board advises that it will be difficult to appropriately risk-manage future products in the context of UK deployments, until the underlying defects in Huawei’s software engineering and cybersecurity processes are remediated.

“At present, the Oversight Board has not yet seen anything to give it confidence in Huawei’s capacity to successfully complete the elements of its transformation programme that it has proposed as a means of addressing these underlying defects. The board will require sustained evidence of better software engineering and cybersecurity quality verified by HCSEC [Huawei Cyber Security Evaluation Centre] and NCSC.”

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com