Cyber security analysts tasked with investigating Huawei equipment used in the UK’s telecommunications networks discovered a “nationally significant” vulnerability last year.
Investigators at the UK’s Huawei Cyber Security Evaluation Centre (HCSEC) found an issue so severe that it was withheld from the company, according to an oversight report published on Thursday.
Vulnerabilities are usually software design failures which could allow hostile actors (in particular the Chinese state when it comes to Huawei) to conduct a cyber attack. They are not necessarily intentional and can’t be seen as an indication of any hostile intent on the part of the developers themselves.
There is a hypothetical concern that Beijing could purposefully design some kind of deniable flaw in Huawei’s equipment which it would know how to exploit – or that it could have been alerted to a potential attack vector once the issue was reported to Huawei.
The report explicitly states that the UK’s National Cyber Security Centre (NCSC) – a part of GCHQ – “does not believe that the defects identified are as a result of Chinese state interference”, and adds that there is no evidence the vulnerabilities were exploited.
Instead, the agency reported that “poor software engineering and cyber security processes lead to security and quality issues, including vulnerabilities” – and that “the increasing number and severity of vulnerabilities discovered” is of particular concern.
“If an attacker has knowledge of these vulnerabilities and sufficient access to exploit them, they may be able to affect the operation of a UK network, in some cases causing it to cease operating correctly,” the report warns.
“Other impacts could include being able to access user traffic or reconfiguration of the network elements.”
After the major vulnerability was assessed by the UK’s security services then it was reported to Huawei, in line with the HCSEC’s normal vulnerability disclosure process.
The report adds that HCSEC “continues to reveal serious and systematic defects in Huawei’s software engineering and cyber security competence” – and warns that despite fixing specific issues when directed to do so, the agency has “no confidence that Huawei will effectively maintain components within its products”.
A spokesperson for Huawei said the report highlighted the company’s “commitment to a process that guarantees openness and transparency, and demonstrates HCSEC has been an effective way to mitigate cyber security risks in the UK”.
They stressed the NCSC’s conclusion that the defects were not believed to be a result of malicious interference from the Chinese state, and that the UK’s networks are not more vulnerable than last year.
“As innovators, we continue significant investment to improve our products. The report acknowledges that while our software transformation process is in its infancy, we have made some progress in improving our software engineering capabilities,” said the spokesperson.
“Huawei has faced the highest level of scrutiny for almost 10 years. This rigorous review sets a precedent for cyber security collaboration between the public and private sectors, and has provided valuable insights for the telecoms sector.”
Although similar vulnerabilities for rival companies which provide networking equipment – whether radio antennas or core switches and gateways – are often discovered, the company argues they do not get the same attention.
“We believe this mechanism can benefit the entire industry and Huawei calls for all vendors to be evaluated against an equally robust benchmark, to improve security standards for everyone,” the spokesperson added.
American restrictions on Huawei (stated to be based on security grounds, although the company argued that it has been unfairly hit by the Trump administration’s trade war) will prohibit US technology companies from providing components – such as computer chips – to the company.
As a result of these restrictions, the British government has ordered that all Huawei equipment must be stripped out of the UK’s telecommunication networks by 2027, following NCSC’s recommendation that it could no longer guarantee the security of Huawei’s equipment if it was to adopt chips from less trusted manufacturers.
The US sanctions were criticised as “arbitrary and pernicious” by Huawei, which has confirmed that 40% of the roles within its enterprise business group in the UK are being made redundant as a result.
Speaking to Sky News last week, Matt Warman MP – who has the infrastructure portfolio under the digital secretary – said he did not expect the US to change its approach towards the company even if a new administration was elected come November.
“If I look across the Atlantic, actually this is an issue where – while the language might be different – there is considerable bipartisan support that is in line with the decision we’re taking,” he said.