This is the second consecutive year the Government Communications Headquarters, or GCHQ — the British spy agency equivalent to the U.S. National Security Agency — has identified serious problems. This year, officials said they have found “further significant technical issues” in the firm’s engineering processes, as well as “concerning issues” in Huawei software, “leading to new risks” in Britain’s 4G telecom networks.
Most ominously, the spy agency, which oversees a center that vets Huawei hardware and software for bugs and security vulnerabilities, said it can provide “only limited assurance” that the long-term national security risks can be managed in Huawei equipment deployed in Britain, and that “it will be difficult” to manage the risk of future products until current defects are fixed.
Huawei said in a statement Thursday, “We understand [the oversight board’s] concerns and take them very seriously.” It said it has developed “a high-level plan” to enhance its software engineering and “meet the requirements” set by GCHQ and British telecoms.
The United States has mounted a full-court press to urge partners worldwide to refrain from including Huawei in the rollouts of their 5G networks in coming years. National security officials say Huawei’s ties to the Chinese government and allegations that it has engaged in intellectual property theft make it an untrustworthy vendor — one whose access to telecommunications networks could serve as a back door to cyberespionage.
Recent laws in China require Chinese firms, if directed, to assist the government in intelligence collection.
The GCHQ report focused not on the Chinese state but on the engineering and software failings of the gear made by Huawei, the world’s largest telecommunications equipment maker. The firm has been present in Britain’s telecom network since 2003.
GCHQ officials seemed to offer Huawei some wiggle room, concluding that “Huawei’s transformation plan” to fix its problems “could in principle be successful” and cited Huawei’s estimate of three to five years.
The government would require evidence of “sustained change,” they said.
The intelligence agency oversees the Huawei Cybersecurity Evaluation Center, or “the cell,” a facility in Oxfordshire, England, that belongs to Huawei. The center employs Huawei personnel but is run by GCHQ. Its findings are advisory, and the oversight board’s job is not to decide whether Huawei should be barred from the networks.
Its findings are likely to influence the 5G strategy the British government is slated to announce this spring. The 5G system is designed to be up to 100 times faster than the current 4G system, fueling autonomous cars, smart cities and more effective, potentially lethal military operations. But it also opens up new concerns about network cybersecurity and espionage.
“This report’s stark conclusion should give pause to any country considering using Huawei for 5G,” said James Lewis, a cyberpolicy expert at the Center for Strategic and International Studies. “It’s pretty damning for the U.K., a country that has done more than any other to reduce the risks of using Huawei, to say it can’t manage the risk of using future Huawei products.”
Congress last year banned Huawei and another Chinese firm, ZTE, from government and contractor networks, and the four major U.S. telecom providers — AT&T, Verizon, Sprint and T-Mobile — have pledged not to involve those firms in their 5G networks.
Australia last year effectively blocked Huawei and ZTE from its future 5G networks by requiring that telecom firms not use vendors “likely to be subject to extrajudicial directions from foreign governments that conflict with Australian law” — a strong allusion to the Chinese firms, which are required to assist the government in intelligence activities when requested.
Britain is still deciding what its 5G strategy will be. The GCHQ report will inform deliberations. The agency has presented options ranging from a full ban on companies such as Huawei to various mitigation techniques. A decision by other ministries and the prime minister is expected later this spring.
Huawei, in particular, is said to have close links to Chinese security services. The company was founded in 1987 by Ren Zhengfei, who spent about 20 years in the People’s Liberation Army serving in a military-technology division and built the company from a staff of three to a multibillion-dollar behemoth. Ren is alleged to have close ties to the PLA, and Huawei’s former vice chairwoman was an officer in the Ministry of State Security, China’s premier intelligence agency.
Huawei accounts for roughly one-third of the British telecom system’s radio-access components, with Nordic firms Nokia and Ericsson making up the rest. There are no indications that similar software-engineering issues have arisen with the other two firms.
The Huawei security center opened in 2010, and the oversight board was created in 2014 to address concerns that the center, with Huawei personnel, was vulnerable to Chinese influence. The center is run by the head of the GCHQ’s National Cybersecurity Center, who also chairs the oversight board.
The report concluded that the center had “significant concerns about vulnerability management in the long term” and that Huawei’s software-component management is defective, “leading to higher vulnerability rates and significant risk of unsupportable software.”
Matthew Green, a computer scientist at Johns Hopkins Information Security Institute, said GCHQ is essentially saying that “Huawei can’t write software to save their lives.” According to the report, he said, the GCHQ cannot even verify that the software running on its 4G LTE cell towers is the same software provided by Huawei for source-code review.
A source-code review, he said, “is only worthwhile if the source code scrutinized is actually the same code installed on devices. This is a serious issue.”
The report points to duplicate code — in one case, 70 copies of four different versions of OpenSSL software, one of the most commonly used types of software. “This is problematic because some older versions of OpenSSL have vulnerabilities, meaning that the cryptography may not be reliable,” Green said.
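The two checks the last three paragraphs describe, confirming that what runs on a device is the same build the reviewers examined and inventorying how many copies and versions of OpenSSL a firmware image carries, are illustrated below as an added Python example. It is not code from the article, from GCHQ or HCSEC, or from Huawei; the file paths, blob contents and version banners are constructed for illustration, and the minimum-version threshold is an assumed policy value.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample "firmware image": path -> file bytes. A real image would be
# unpacked from a device; these blobs are invented and contain only the kind of
# version banner libcrypto actually embeds (e.g. "OpenSSL 1.0.2k  26 Jan 2017").
CONSTRUCTED_DEPLOYED_FIRMWARE = {
    "lib/libssl.so.1.0.0":        b"\x7fELF....OpenSSL 1.0.2k  26 Jan 2017\x00....",
    "usr/lib/libcrypto.so.1.0.0": b"\x7fELF....OpenSSL 1.0.2k  26 Jan 2017\x00....",
    "opt/app/vendor/libcrypto.a": b"....OpenSSL 1.0.1e 11 Feb 2013\x00....",
    "opt/app2/libssl.so":         b"....OpenSSL 0.9.8y 5 Feb 2013\x00....",
    "bin/telnetd":                b"\x7fELF....no crypto here....",
}

# Constructed artifacts rebuilt from the source tree that was reviewed. Here one
# path differs: the deployed device carries an older library than the reviewed
# source would have produced.
CONSTRUCTED_REVIEWED_BUILD = {
    **CONSTRUCTED_DEPLOYED_FIRMWARE,
    "opt/app2/libssl.so": b"....OpenSSL 1.0.2k  26 Jan 2017\x00....",
}

# Matches the banner string libcrypto embeds: "OpenSSL <version> <day> <Mon> <year>".
OPENSSL_BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)\s+\d{1,2} \w{3} \d{4}")


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def verify_deployed_matches_reviewed(reviewed_build: dict, deployed: dict) -> list:
    """Return paths whose bytes differ between the build produced from the reviewed
    source and the artifacts pulled off the deployed device (or that exist on only
    one side). This only works when the build is reproducible, i.e. the toolchain
    and build environment produce byte-identical output from identical source."""
    mismatches = []
    for path in sorted(set(reviewed_build) | set(deployed)):
        reviewed = reviewed_build.get(path)
        live = deployed.get(path)
        if reviewed is None or live is None or sha256(reviewed) != sha256(live):
            mismatches.append(path)
    return mismatches


def find_openssl_copies(files: dict) -> dict:
    """Return {version: [paths]} for every OpenSSL banner found in the image."""
    copies = defaultdict(list)
    for path, blob in files.items():
        for match in OPENSSL_BANNER.finditer(blob):
            copies[match.group(1).decode()].append(path)
    return dict(copies)


def version_key(version: str) -> tuple:
    """Sort key for OpenSSL-style versions such as 1.0.2k (letter suffix optional)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if m is None:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def assess_openssl(files: dict, minimum: str = "1.0.2") -> list:
    """Inventory every OpenSSL copy, oldest version first, and flag those below the
    assumed minimum supported version (a policy value, not from the report)."""
    findings = []
    for version, paths in sorted(find_openssl_copies(files).items(),
                                 key=lambda kv: version_key(kv[0])):
        findings.append({
            "version": version,
            "copies": len(paths),
            "below_minimum": version_key(version) < version_key(minimum),
            "paths": paths,
        })
    return findings


if __name__ == "__main__":
    for path in verify_deployed_matches_reviewed(CONSTRUCTED_REVIEWED_BUILD,
                                                 CONSTRUCTED_DEPLOYED_FIRMWARE):
        print(f"MISMATCH: {path} on device does not match the reviewed build")
    for f in assess_openssl(CONSTRUCTED_DEPLOYED_FIRMWARE):
        flag = "BELOW MINIMUM" if f["below_minimum"] else "ok"
        print(f"OpenSSL {f['version']}: {f['copies']} copy/copies [{flag}] {f['paths']}")
```

The digest comparison is only meaningful if the reviewed source can be rebuilt deterministically; without a reproducible build, a differing hash says nothing about whether the source was changed. The inventory step is the defender's counterpart to the report's finding: each distinct version found is a separate patching obligation, and the same statically linked copy may need updating in several places.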
Huawei officials have continued to defend their record, saying they have not and never will plant “back doors” in their products. However, the presence of serious software flaws could compromise systems even without a deliberately planted back door.
Huawei equipment is not currently used in Britain’s 4G network core, in government networks or in any sensitive systems that run electricity, transportation and other critical functions.