The British government on Thursday released a scathing assessment of the security risks posed by Chinese telecom company Huawei to Britain's telecom networks, as London weighs whether to heed U.S. calls to bar the firm from its next-generation 5G networks over fears it could enable cyberattacks and espionage by the Chinese government.
This is the second consecutive year the Government Communications Headquarters, or GCHQ – the British spy agency equivalent to the U.S. National Security Agency – has identified serious problems. This year, officials said they have found "further significant technical issues" in the firm's engineering processes, as well as "concerning issues" in Huawei software, "leading to new risks" in Britain's 4G telecom networks.
Most ominously, the spy agency, which oversees a center that vets Huawei hardware and software for bugs and security vulnerabilities, said it can provide "only limited assurance" that the long-term national security risks can be managed in Huawei equipment deployed in Britain, and that "it will be difficult" to manage the risk of future products until current defects are fixed.
Huawei said in a statement Thursday, "We understand [the oversight board's] concerns and take them very seriously." It said it has developed "a high-level plan" to enhance its software engineering and "meet the requirements" set by GCHQ and British telecoms.
The United States has mounted a full-court press to urge partners worldwide to refrain from including Huawei in the rollouts of their 5G networks in coming years. National security officials say Huawei's ties to the Chinese government and allegations that it has engaged in intellectual property theft make it an untrustworthy vendor – one whose access to telecommunications networks could serve as a back door to cyberespionage.
Recent laws in China require Chinese firms, if directed, to assist the government in intelligence collection.
The GCHQ report focused not on the Chinese state but on the engineering and software failings of the gear made by Huawei, the world's largest telecommunications equipment maker. The firm has been present in Britain's telecom network since 2003.
GCHQ officials seemed to offer Huawei some wiggle room, concluding that "Huawei's transformation plan" to fix its problems "could in principle be successful" and citing Huawei's estimate of three to five years.
The government would require evidence of "sustained change," they said.
The intelligence agency oversees the Huawei Cybersecurity Evaluation Center, or "the cell," a facility in Oxfordshire, England, that belongs to Huawei. The center employs Huawei personnel but is run by GCHQ. Its findings are advisory, and the oversight board's job is not to decide whether Huawei should be barred from the networks.
Its findings are likely to influence the 5G strategy the British government is slated to announce this spring. The 5G system is designed to be up to 100 times faster than the current 4G system, fueling autonomous cars, smart cities and more effective, potentially lethal military operations. But it also opens up new concerns about network cybersecurity and espionage.
"This report's stark conclusion should give pause to any country considering using Huawei for 5G," said James Lewis, a cyberpolicy expert at the Center for Strategic and International Studies. "It's pretty damning for the U.K., a country that has done more than any other to reduce the risks of using Huawei, to say it can't manage the risk of using future Huawei products."
Congress last year banned Huawei and another Chinese firm, ZTE, from government and contractor networks, and the four major U.S. telecom providers – AT&T, Verizon, Sprint and T-Mobile – have pledged not to involve those firms in their 5G networks.
Australia last year effectively blocked Huawei and ZTE from its future 5G networks by requiring that telecom firms not use vendors "likely to be subject to extrajudicial directions from foreign governments that conflict with Australian law" – a strong allusion to the Chinese firms, which are required to assist the government in intelligence activities when requested.
Britain is still deciding what its 5G strategy will be. The GCHQ report will inform deliberations. The agency has presented options ranging from a full ban on companies such as Huawei to various mitigation techniques. A decision by other ministries and the prime minister is expected later this spring.
Huawei, in particular, is said to have close links to Chinese security services. The company was founded in 1987 by Ren Zhengfei, who spent about 20 years in the People's Liberation Army serving in a military-technology division and built the company from a staff of three to a multibillion-dollar behemoth. Ren is alleged to have close ties to the PLA, and Huawei's former vice chairwoman was an officer in the Ministry of State Security, China's premier intelligence agency.
Huawei accounts for roughly one-third of the British telecom system's radio-access components, with Nordic firms Nokia and Ericsson making up the rest. There are no indications that similar software-engineering issues have arisen with the other two firms.
The Huawei security center opened in 2010, and the oversight board was created in 2014 to address concerns that the center, with Huawei personnel, was vulnerable to Chinese influence. The center is run by the head of the GCHQ's National Cybersecurity Center, who also chairs the oversight board.
The report concluded that the center had "significant concerns about vulnerability management in the long term" and that Huawei's software-component management is defective, "leading to higher vulnerability rates and significant risk of unsupportable software."
Matthew Green, a computer scientist at Johns Hopkins Information Security Institute, said GCHQ is essentially saying that "Huawei can't write software to save their lives." According to the report, he said, the GCHQ cannot even verify that the software running on its 4G LTE cell towers is the same software provided by Huawei for source-code review.
A source-code review, he said, "is only worthwhile if the source code scrutinized is actually the same code installed on devices. This is a serious issue."
The report points to duplicate code – in one case, 70 copies of four different versions of OpenSSL software, one of the most commonly used types of software. "This is problematic because some older versions of OpenSSL have vulnerabilities, meaning that the cryptography may not be reliable," Green said.
Huawei officials have continued to defend their record, saying they have not and never will plant "back doors" in their products. However, the presence of serious software flaws could compromise systems even without a deliberately planted back door.
Huawei equipment is not currently used in Britain's 4G network core, in government networks or in any sensitive systems that run electricity, transportation and other critical functions.