The annual report from the Huawei Cyber Security Evaluation Cell (HCSEC) Oversight Board said the company had made “considerable progress” in some areas, but key concerns remained.
The HCSEC Oversight Board has today released its annual report on the ability of the Chinese vendor’s equipment to meet industry standards for cyber security, concluding that “no overall improvement” has been made in the company’s software engineering and cybersecurity quality over the past three years.
The HCSEC was established in 2014 to assess the suitability of Huawei equipment for UK networks, but was subsumed by the National Cyber Security Centre (NCSC), part of the Government Communications Headquarters (GCHQ), in 2016.
Since that time, Huawei has been working with this oversight organisation to fix issues within its software and hardware to bring it up to scratch. In 2018 this was particularly notable, with Huawei pledging $2 billion to address concerns after a particularly scathing annual report. HCSEC was, at the time, sceptical that this proposed budget would have a meaningful impact in network transformation.
The latest report, however, suggests that the company’s software engineering and cybersecurity practices have not noticeably improved since last year’s report, in which HCSEC noted network vulnerabilities described as “nationally significant”. Far from evidence of espionage, however, these vulnerabilities were more likely the result of oversights and poor software development practices.
“The work of HCSEC continues to uncover issues that indicate there has been no overall improvement over the course of 2020 to meet the product software engineering and cyber security quality expected by the NCSC,” concluded the latest report.
It is worth noting, however, that the report is far from entirely negative. The report showed Huawei to have made “considerable progress on the rectification of boards containing an old and out-of-mainstream-support component, and progress on binary equivalence, fixed access issue, and vulnerability management in line with expectations”.
For Huawei, this report is far less inflammatory than the previous year’s, with the company noting the difficulty in improving during an international pandemic.
“The report concludes Huawei has made ‘sustained progress’ in addressing issues highlighted in previous reports and has made ‘considerable progress’ in third-party component support, which in the context of the global pandemic, the report describes as ‘remarkable’,” read a statement from Huawei. “Rapidly evolving technologies present all innovators with security challenges and Huawei, as the only vendor to operate under a transparency centre (HCSEC), always strives to achieve the highest standards to keep our customers safe.”
It is also notable here that the report does not specify exactly how or why Huawei had not met the requirements, only that the company had not met the “product software engineering and cyber security quality expected” by the oversight body. Given the geopolitical pressure that still surrounds Huawei and China in general, it may be that the report is deliberately vague to mollify the political situation.
Around a year has passed since the UK government announced that all Huawei equipment must be removed from the UK’s networks by 2027. BT began removing and replacing Huawei equipment in Hull back in May, using the city as something of a test run for its wider replacement plans.
“We were quite keen to pick one city area and do the whole of that, and make sure that we can really check that we’re not having an adverse impact on customer service,” said BT Chief Technology Officer Howard Watson. “The signs are really good for that so far.”