Top British cybersecurity officials on Wednesday said the Chinese telecom equipment provider Huawei has yet to fix “serious” engineering problems that could leave civilian networks vulnerable to compromise, at a time when the United States is pressing its case that the company’s ties to China’s government make using its gear an unacceptable security and surveillance risk.
“Last year we said we found some worrying engineering issues,” said Ian Levy, technical director of Britain’s National Cyber Security Center (NCSC). “As of today, we have not seen a credible plan [to address the issue]. That’s the reality of the situation, unfortunately.”
Levy’s remarks, made during a media call, come as Britain is weighing how to manage cyber risks as it prepares for the rollout of super-fast 5G, or fifth-generation, telecommunications systems. A key question is whether British officials will decide to bar Huawei — the world’s largest purveyor of such equipment — from domestic networks. A decision is expected later this spring.
U.S. officials have raised concern with allies and foreign partners, including Britain, about allowing Huawei parts in their 5G networks. The four largest U.S. carriers — Verizon, AT&T, Sprint and T-Mobile — have pledged to the U.S. government that they won’t use Huawei technology in their 5G networks, according a U.S. official. Australia also has opted not to let Huawei provide 5G services.
U.S. officials are planning to make a more strenuous pitch to other governments at next week’s Mobile World Congress in Barcelona that permitting network access to foreign firms such as Huawei, which has close links to the Chinese government, is unwise.
To help make their case, some U.S. officials had wanted to have in hand an order signed by President Trump paving the way for the commerce secretary to bar foreign firms that do not meet security standards from U.S. telecom networks. But now it looks as though such an order is not likely before the conference. The reason for the delay is unclear.
British officials appear to be taking a more measured approach. On Wednesday, NCSC chief executive Ciaran Martin said in a speech in Brussels: “We . . . have strict controls for how Huawei is deployed. It is not in any sensitive networks — including those of the government. . . . Our regime is arguably the toughest and most rigorous oversight regime in the world for Huawei.”
He noted the “serious problems with their security and engineering processes” that were flagged in a report last year by a government oversight board but said they were problems with cybersecurity standards and “not indicators of hostile activity by China.”
On the media call, Martin, whose center is part of the British spy agency GCHQ, said that as the oversight board’s chairman, “I would be obliged to report if there was evidence of malevolence” by Huawei, “and we have yet to have to do that.”
Martin said secure 5G networks in Britain will be governed by three “preconditions”: higher cybersecurity standards, resilience — or being able minimize disruptions if a system is exploited — and diversity.
“Should the supplier market consolidate to such an extent that there are only a tiny number of viable options, that will not make for good cybersecurity, whether those options are Western, Chinese or from anywhere else,” Martin said. A company in a dominant market position “will not be incentivized to take cybersecurity seriously,” he said.
Such statements have led some experts to speculate that Britain will not ban Huawei outright when it makes a decision about the future of its 5G network, but rather impose more-stringent standards.
“We will not compromise in what we expect from Huawei,” Martin said. “We’re not compromising [on] improvements we’re demanding [from] Huawei.’’