UK watchdog says Huawei poses a national security risk

In its fifth annual report, the UK's Huawei oversight board says that the Chinese firm poses a threat to national security. It reached the conclusion after discovering that the company has made "no material progress" in addressing the security flaws highlighted in last year's report.

But while the report was damning of Huawei, saying it found additional "significant technical issues in Huawei’s engineering processes leading to new risks in the UK telecommunications networks", the board stopped short of calling for a ban on Huawei's involvement in 5G in the UK.

See also:

• Sources: Huawei is on the verge of suing the US government
• Senators want Huawei equipment removed from US power grid because of security concerns
• Huawei's Mate X is a seriously impressive folding 5G smartphone... but you'd hope so for $2,600!

In the US and other countries, Huawei has found itself scrutinized and cut out of key markets because of security concerns. While Huawei's critics say the company could be used by the Chinese government to spy on other countries, this is something the smartphone-maker strenuously denies.

The report says:

At present, the Oversight Board has not yet seen anything to give it confidence in Huawei's capacity to successfully complete the elements of its transformation programme that it has proposed as a means of addressing these underlying defects. The Board will require sustained evidence of better software engineering and cyber security quality.

It goes on to say:

Overall, the Oversight Board can only provide limited assurance that all risks to UK national security from Huawei's involvement in the UK's critical networks can be sufficiently mitigated long-term.

The Oversight Board received advice from GCHQ's National Cyber Security Centre (NCSC) which made a number of observations:

1. That there remains no end-to-end integrity of the products as delivered by Huawei and limited confidence on Huawei's ability to understand the content of any given build and its ability to perform true root cause analysis of identified issues. This raises significant concerns about vulnerability management in the long-term.
2. That Huawei's software component management is defective, leading to higher vulnerability rates and significant risk of unsupportable software.
3. That although the review of subsequent major versions of the eNodeB showed improvements in code duplication and a significant reduction in the number of copies of the OpenSSL component, the general software engineering and cyber security quality of the product continues to demonstrate a significant number of major defects.

Despite the concerns voiced in the report, the NCSC says it "does not believe that the defects identified are a result of Chinese state interference".

Image credit: astudio / Shutterstock