Huawei gets an ‘F’ for UK telecoms security practices from HCSEC


The fifth annual HCSEC Oversight Board report has again marked Huawei down, this time for the software engineering and cybersecurity practices behind its UK networking and telecommunications infrastructure equipment.

The twist is that the report comes from the HCSEC (Huawei Cyber Security Evaluation Centre) Oversight Board. HCSEC itself is a Huawei-funded facility in Banbury, Oxfordshire, belonging to Huawei Technologies (UK) Co Ltd (Huawei UK); the Oversight Board that grades its work is chaired by the UK's National Cyber Security Centre (NCSC). Huawei UK's parent is the Chinese Huawei Technologies Co Ltd, one of the world's largest network and telecommunications infrastructure providers.

Note, this article does not refer to Huawei consumer products like smartphones.

Ernst & Young independently audit HCSEC

E&Y found no major concerns and is satisfied that HCSEC is operating in line with the 2010 arrangements between the UK Government and the company. That finding fundamentally underpins Huawei's ability to do business in the UK, with its government and with its telcos.

But the HCSEC oversight report also found that

  • Further significant technical issues were identified in Huawei’s engineering processes, leading to new risks in the UK telecommunications networks
  • Huawei has made no material progress in the remediation of the issues reported last year, making it inappropriate to change the level of assurance from last year or to make any comment on potential future levels of assurance.
  • It will be difficult to appropriately risk-manage future products in the context of UK deployments until Huawei remediates the underlying defects in software engineering and cybersecurity processes.
  • It has not yet seen anything to give it confidence in Huawei’s capacity to complete the elements of its transformation programme that it has proposed as a means of addressing these underlying defects.

Huawei has responded here.

Donald Trump says I told you so, so many times, I told you so ten times

Now before Donald Trump gets too excited, the report (full uncensored version here) is not as damning as the click-bait headlines would have you believe.


Huawei has committed to a transformation programme. Either it delivers, or it is out of the UK, and we suspect out of every other Western country too.

Highlights of the HCSEC report

  • HCSEC has spent most of its time evaluating equipment already supplied to telcos and recommending remediation. Older equipment will naturally not be as cyber-secure as current designs, and it is not fair to assume newer equipment carries exactly the same defects. The caveat, in the Board's own words, is that future products will be difficult to risk-manage until the underlying defects in Huawei's software engineering and cybersecurity processes are fixed.
  • To a large extent, the underlying issues stem from a third-party operating system that Huawei bought in for a technology boost. Continuing to patch an old system and writing a new one are two entirely different exercises. Huawei says its own operating system will replace it, and with it the identified issues; the Board, for its part, says it has not yet seen anything to give it confidence that the programme will be completed. Microsoft used much the same argument for Windows 10, saying older Windows code could never stand up to the wild west of the internet, and it was right.
  • Then there are lifecycle management issues as telcos upgrade equipment to 5G. In other words, Huawei's reputation going forward is hostage to legacy, lower-cost equipment and operating systems built for the security expectations of yesterday. As HCSEC states, these vulnerabilities remain present (but, to the best of its knowledge, not exploited) in 3G and 4G installations.
  • The character of the vulnerabilities has not changed significantly between years. Many are high impact (a high base CVSS score in a relevant operational context), including unprotected stack overflows in publicly accessible protocols, protocol robustness errors leading to denial of service, and logic errors. Again, older, lower-cost technology is the problem.
  • Despite Huawei mandating its secure coding standards across R&D, extensive use of commercial static analysis tools, and Huawei's insistence that risky code has been fixed, there has been little improvement in the objective software engineering and cybersecurity quality of the code in the legacy systems examined.
  • Finally, it makes clear that each telco has its own appetite for risk and its own corporate risk management practices. Reading between the lines, it may be a case of buying cheap to get a service or not being able to provide that service at all. Certainly that has been the argument of US rural and regional telcos, which bluntly state it is Huawei or nothing. HCSEC acknowledges that something important to an independent body may not be material to a telco.
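The "unprotected stack overflow in a publicly accessible protocol" class the Board names is worth seeing in code. The following is an added example in C, written for this page and not taken from the report or from any Huawei code; the two-byte header wire format, the HELLO message type and the function names are assumptions for illustration. It shows a length-prefixed message parser in the vulnerable shape beside a bounds-checked version, so the difference between "the static analysis tool was run" and "the copy is actually bounded" is concrete.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed toy wire format, constructed for this example (not any real Huawei
 * protocol):
 *   byte 0      message type, 0x01 = HELLO
 *   byte 1      length of the node-name field that follows (attacker-controlled)
 *   bytes 2..   node name, not NUL-terminated on the wire                        */
#define MSG_HELLO 0x01
#define NAME_CAP  32     /* size of the fixed stack buffer the parser fills */

/* VULNERABLE form. The length byte comes off the wire, yet it is used directly
 * as the memcpy count into a NAME_CAP-byte stack buffer, and msg_len (the number
 * of bytes actually received) is never consulted. A HELLO whose length byte is
 * 32 or more smashes the stack; one whose length byte exceeds the bytes received
 * over-reads the input. Never call this with untrusted data; it exists only to
 * show the pattern. */
int hello_name_unchecked(const uint8_t *msg, size_t msg_len, char *out, size_t out_cap)
{
    char name[NAME_CAP];
    (void)msg_len;                 /* the defect: received length is ignored */
    if (msg[0] != MSG_HELLO) return -1;
    size_t n = msg[1];
    memcpy(name, msg + 2, n);      /* unbounded copy into a fixed buffer */
    name[n] = '\0';                /* second out-of-bounds write when n >= NAME_CAP */
    snprintf(out, out_cap, "%s", name);
    return 0;
}

/* HARDENED form. Every length is checked against both the bytes actually
 * received and the destination capacity before a single byte is copied, and each
 * failure is a distinct, loggable reason rather than undefined behaviour. */
int hello_name_checked(const uint8_t *msg, size_t msg_len, char *out, size_t out_cap)
{
    char name[NAME_CAP];
    if (msg == NULL || out == NULL || out_cap == 0) return -1;
    if (msg_len < 2)          return -2;   /* header truncated */
    if (msg[0] != MSG_HELLO)  return -3;   /* not a HELLO */
    size_t n = msg[1];
    if (n > msg_len - 2)      return -4;   /* claims more payload than was received */
    if (n >= NAME_CAP)        return -5;   /* would not fit with its terminator */
    memcpy(name, msg + 2, n);
    name[n] = '\0';
    snprintf(out, out_cap, "%s", name);
    return 0;
}

/* Constructed sample frames. */
static const uint8_t GOOD_HELLO[]  = { MSG_HELLO, 5, 'n', 'o', 'd', 'e', '1' };
/* Claims 200 bytes of name but only 3 follow: the unchecked parser would read
 * 197 bytes past the end of the frame and write 201 bytes into a 32-byte buffer. */
static const uint8_t LYING_HELLO[] = { MSG_HELLO, 200, 'a', 'b', 'c' };

int main(void)
{
    char out[64];
    int rc = hello_name_checked(GOOD_HELLO, sizeof GOOD_HELLO, out, sizeof out);
    printf("good frame:  rc=%d name=%s\n", rc, out);
    rc = hello_name_checked(LYING_HELLO, sizeof LYING_HELLO, out, sizeof out);
    printf("lying frame: rc=%d (rejected before any copy)\n", rc);
    /* hello_name_unchecked(LYING_HELLO, ...) is deliberately not called here:
       it would over-read the frame and overflow the stack. */
    return 0;
}
```

The checked parser rejects the lying frame before copying anything and returns a distinct code for each failure. That is the input-validation discipline a secure coding standard asks for and a static analyser can only partly enforce: a tool will flag the bare memcpy with a tainted count, but the comparison against msg_len, the number of bytes that actually arrived, has to be designed into the protocol handler.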

GadgetGuy will leave it to you to read the rest of the 49-page HCSEC report.

Please accept these comments as passing the pub test, not political posturing. The Australian Government will do what it thinks is best for us all, whether it is or not!

There is a biblical passage about "visiting the iniquity of the fathers upon the sons to the third and fourth generation". The point here is the opposite: because one generation did something bad or wrong, it does not follow that the next, or the one after, will do so too. Look at post-war Japan and its progress to a civilised, cultured 'western-style nation' over three generations.


Let me draw on personal experience

I first started doing business in China in 1982 importing IT components. At that stage, and probably for the next 25 years, you had to count your fingers after you shook hands with a Chinese mogul. No matter how careful you were the mogul would always win – it was their tradition. So, you factored that into your business model or did more ethical business with the Taiwanese – Acer, AOpen, Benq, ASUS etc at a higher price! I chose the latter.

In 2010, I sold my event management company to a Swiss company with offices all over the world. Part of the attraction of a global company is that information sharing and service should meet the same standards regardless of the office used – except in troublesome China.

Even then the Chinese willingness to commit to agreed standards, plans, contracts and service level agreements was at best, lip service. More likely because we ‘white-eyes’ wanted them to do global business our way and their ways worked so well in China!

Huawei is really no different. In China it must operate under China's rules. In other countries, it must operate under the rules of that country.

Then there is the truism about ‘doing business in the west.’ We expect that a shake of the hand is a binding contract. Huawei has learned about trust the hard way because it wants to play in global telecommunications.

Its acceptance of the HCSEC as a condition of doing business in the UK is a huge step forward for a company. In many respects it is the same action Kaspersky has recently taken in setting up an independent test organisation in Switzerland, or risk public opinion destroying its company.

Don't judge the children by the sins of the father: this Huawei, set up in 1987, 32 years and nearly two generations ago, may still have some catching up to do to western standards, but from what I have seen it's a quick learner.