UK officials tasked with evaluating Huawei’s network security and overall suitability to be a leading 5G partner in the UK’s upcoming deployments have released a report on their findings. The UK and Huawei have an agreement in which Huawei’s compliance with security standards is monitored by the Huawei Cyber Security Evaluation Centre (HCSEC). This organization is overseen by the HCSEC Oversight Board, which authored this most recent report. Its conclusions are quite negative — but they may also finally shed some light on why Huawei has been such a divisive topic over the past few years.
Warnings about Huawei’s security practices began during the Obama administration but ramped up after President Trump took office. What’s been missing from those reports, however, is any firm technical sense of why Huawei’s equipment and software were to be avoided. Did the equipment contain backdoors or other forms of spyware? One of the regular topics around the ExtremeTech water cooler has been the degree to which the government’s consistent-but-vague warnings reflected actual security concerns. In the interests of disclosure: I’ve tended to think the government probably did have reasons it wasn’t willing to publicly disclose. If the UK report reflects the US experience, there are definitely issues to be solved.
In its report, the HCSEC OB states that “Further significant technical issues have been identified in Huawei’s engineering processes, leading to new risks in the UK telecommunications networks” (emphasis original). It also states that Huawei has made no progress towards resolving any of the critical security issues identified in the previous year. As a result, the Oversight Board writes that it would be “inappropriate to change the level of assurance from last year or to make any comment on potential future levels of assurance.”