Huawei poses ‘significantly increased risk’ to UK network operators
The NCSC says concerns with devices and software are not linked to Chinese state interference


The National Cyber Security Centre (NCSC) has identified a "significantly increased risk" to UK network operators based on fresh concerns with Huawei's approach to devices and software development.
The Huawei Cyber Security Evaluation Centre (HCSEC) oversight board has outlined further significant technical issues in Huawei's engineering process in its fifth annual audit of the Chinese company. The report identified new risks to the UK telecommunications network, adding that no meaningful progress has been made on the issues identified in the oversight board's previous report.
"HCSEC's work continues to identify significant, concerning issues in Huawei's approach to software development bringing significantly increased risk to UK operators, which requires ongoing management and mitigation," the report said.
"Operators will need to take into account the mitigations required as a result of the extensive vulnerability and software engineering and cyber security quality information provided by the work of HCSEC."
Moreover, the oversight board "currently has not seen anything to give it confidence in Huawei's ability to bring about change", despite Huawei committing to a long-term plan to address ongoing concerns.
This five-year transformational programme, the NCSC says, could be successful in principle, but would need evidence of sustained change across multiple versions of multiple products.
The criticisms come at a critical moment for both Huawei and UK mobile network operators as they gear up to roll out 5G across the nation.
Operators have taken a mixed approach to the swirling issues, with BT towards the end of last year extracting Huawei technology from its 4G infrastructure over security concerns. But in contrast, Vodafone has warned against a blanket ban of the Chinese firm's technology, suggesting it would lead to delays in 5G rollout.
HCSEC was established in 2010 under arrangements between the networking giant and the government as a means to mitigate any risks from the company's involvement in critical UK infrastructure. This organisation is owned by Huawei, but is independent of the company.
The oversight board, chaired by the NCSC's CEO Ciaran Martin, was created five years ago to audit HCSEC's work, and identify any risks posed to the UK's networking infrastructure.
Crucially, while lambasting weaknesses in Huawei's engineering and software development, the NCSC also maintained it "does not believe that the defects identified are a result of Chinese state interference".
Instead, the report says the concerns raised are about basic engineering competence and cyber security hygiene that give rise to vulnerabilities that can then be exploited by a whole swathe of attackers.
Huawei said, despite the concerns raised, that the report does not suggest UK networks are more vulnerable than last year.
"We understand these concerns and take them very seriously. The issues identified in the OB report provide vital input for the ongoing transformation of our software engineering capabilities," a spokesperson said.
"A high-level plan for the programme has been developed and we will continue to work with UK operators and the NCSC during its implementation to meet the requirements created as cloud, digitization, and software-defined everything become more prevalent."
The HCSEC assessment covered evaluations of the products and architectures of five UK network operators. Work to validate a sample of products had already exposed wider flaws in the underlying build process which need to be rectified.
Experts were testing for equivalence between the binaries installed on UK networks and the binaries that can be built from HCSEC source code. Due to various build-related issues, the oversight board said it is hard to be confident that different deployments of similar Huawei equipment are equivalently secure.
Another issue centred on the use of an old operating system, supplied by a third party, that will soon be out of support. Although Huawei has purchased a premium long-term support agreement from the vendor, there are underlying security risks the NCSC believes must be addressed with a credible plan.
Analysis of Huawei's wider software component lifecycle management, meanwhile, revealed flaws that could cause significant cyber security risks. This was a major finding, according to the oversight board, and will need significant rectification to mitigate.
The NCSC, moreover, is not confident that Huawei is able to remediate the "significant problems" it faces with regards to cyber security issues and software engineering flaws in software for its LTE eNodeB networking hardware.
The Chinese company has found itself embroiled in several battles with nation states and security services, both over allegations of fallibilities in its core technology, and in the case of the US, charges of fraud.
The US has even deemed Huawei high-risk enough to ban its equipment from use in all government departments. This has led to the Chinese company filing a lawsuit against the administration, claiming there is no evidence to support these restrictions.
But the EU has instead recommended that all member states conduct their own cyber security assessments independently, particularly with respect to risks presented by 5G technology as a whole. The EU, meanwhile, aims to conduct its own bloc-wide assessment, with results due by 1 October.

Keumars Afifi-Sabet is a writer and editor who specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.