“Lack of the required end-to-end traceability from source code”
Senior British security officers warned in a bombshell report published today that “critical” shortfalls by Chinese telecommunications giant Huawei pose a potential cybersecurity risk to the UK’s critical national infrastructure.
The Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board, chaired by NCSC CEO Ciaran Martin, can “provide only limited assurance” that risks from the company’s involvement in UK critical networks have been sufficiently mitigated, it said.
HCSEC said the chairman of its oversight board had written to Mark Sedwill, the UK’s National Security Adviser – who advises the Prime Minister and Cabinet on national security strategy – in February, to explain the issue.
Issues Already in the Wild
The company is working to remediate the engineering process issues in products already deployed in the UK, prioritising them based on risk profiles and deployment volumes.
HCSEC initially raised the problem in an annual report last year, after identifying a failure by the company’s R&D team to repeatedly build a product to a consistent binary.
Subsequent analysis of four specific products from different product groups showed that the underlying engineering issues, including the failure to reproduce builds, are consistent across Huawei’s various product lines.
As a result, it can offer “only limited assurance due to the lack of the required end-to-end traceability from source code examined by HCSEC through to executables used by the UK operators”, the report said.
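The traceability gap described above comes down to two checks: does the same source build to the same binary twice, and does the binary an operator runs hash-match a rebuild from the source that was examined. The following is an added illustration, not code from the report or from Huawei; the toy "compiler", the constructed source snippet and the timestamp counter are all assumptions made for the example.

```python
import hashlib
import hmac
import itertools

# Constructed toy source; stands in for the source tree an evaluator examined.
SOURCE = b"int main(void) { return 0; }\n"

# Constructed stand-in for the wall clock, so each build sees a new timestamp.
_clock = itertools.count(1_530_000_000)


def build(source: bytes, embed_timestamp: bool) -> bytes:
    """Toy 'compiler'. Stamping the build time into the output is the classic
    reason two builds of identical source differ bit for bit."""
    header = b"TOYBIN\x00"
    stamp = next(_clock).to_bytes(8, "big") if embed_timestamp else b""
    return header + stamp + hashlib.sha256(source).digest() + source


def is_reproducible(source: bytes, embed_timestamp: bool) -> bool:
    """Build the same source twice and compare the artefacts bit for bit.
    Only when this holds can an examined source tree be tied to a binary."""
    first = build(source, embed_timestamp)
    second = build(source, embed_timestamp)
    return hmac.compare_digest(first, second)


def traceable_to_audited_source(source: bytes, deployed_binary: bytes,
                                embed_timestamp: bool) -> bool:
    """Rebuild from the audited source and compare its SHA-256 with the binary
    an operator actually runs. A nondeterministic build fails this check even
    for an honest binary, which is why reproducibility comes first."""
    rebuilt = hashlib.sha256(build(source, embed_timestamp)).hexdigest()
    fielded = hashlib.sha256(deployed_binary).hexdigest()
    return hmac.compare_digest(rebuilt, fielded)


if __name__ == "__main__":
    print("deterministic build reproducible:", is_reproducible(SOURCE, False))
    print("timestamped build reproducible:", is_reproducible(SOURCE, True))
    deployed = build(SOURCE, False)
    print("deployed binary traceable:",
          traceable_to_audited_source(SOURCE, deployed, False))
```

With the timestamp stamped in, even a binary built from the exact examined source cannot be matched back to it; that is the "limited assurance" position in practice.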
Huawei makes everything from the routers and switches that direct traffic across the internet, to BT’s green street cabinets, to mobile transmission equipment used in masts.
“Repeated Discovery of Critical Shortfalls”
In its fourth report, published today, the security watchdog blasted the company, saying: “Through 2017, HCSEC has continued to find issues in Huawei products, demonstrating their continued ability to discover weaknesses in the Huawei product set.”
“The NCSC has advised the Oversight Board that it is less confident that NCSC and HCSEC can provide long term technical assurance of sufficient scope and quality around Huawei in the UK.”
“This is due to the repeated discovery of critical shortfalls, including but not limited to BEP and the third party component support issue, in the Huawei engineering practices and processes that will cause long term increased risk in the UK.”
Security critical third party software used in a variety of Huawei products was also not subject to sufficient control, NCSC, HCSEC and UK Operators found, after a technical visit to Shenzhen.
Huawei admitted to the BBC that there were “some areas for improvement”. A spokesman for the firm added: “We are grateful for this feedback and are committed to addressing these issues. Cyber-security remains Huawei’s top priority, and we will continue to actively improve our engineering processes and risk management systems.”
The HCSEC board concluded: “It is evident that HCSEC continues to provide world-class cyber security expertise and technical assurance… However, Huawei’s processes continue to fall short of industry good practice and make it difficult to provide long term assurance. The lack of progress in remediating these is disappointing.”
Elsa Kania, an adjunct fellow in the Technology and National Security Program at the Center for a New American Security, earlier noted in a blog post that “there’s also a new legal basis that the Chinese government could use to mandate Huawei’s compliance with state security interests that may be contrary to corporate imperatives.”
She added: “Notably, in China’s National Intelligence Law (国家情报法), released in June 2017, Article 7 declares: ‘All organizations and citizens shall, in accordance with the law, support, cooperate with, and collaborate in national intelligence work, and guard the secrecy of national intelligence work they are aware of. The state will protect individuals and organizations that support, cooperate with, and collaborate in national intelligence work.’”
US Already Blocks Huawei
In April 2018, the US Federal Communications Commission voted unanimously to prevent federally subsidised telecommunications carriers from using suppliers deemed to pose a risk to American national security.
The decision takes direct aim at the company, which makes telecommunications network equipment and smartphones, and its main Chinese rival, ZTE. AT&T walked away from a deal with Huawei this spring, reportedly under political pressure.
The company is growing strongly regardless: on July 18, CEO Richard Yu said in a post on China’s Weibo social media platform that the company had now shipped 100 million phones and aimed to ship 200 million by the end of 2018.
Unreviewed Third Party Security Libraries
Etienne Greef, CTO and co-founder at SecureData, told Computer Business Review: “My suspicion is that an oversight board has very little chance of determining whether there are state sponsored vulnerabilities within extremely complex products. As we saw from this report there are numerous third party security libraries that are not reviewed.”
He added: “In addition, with the release cycles of code it is virtually impossible to have the same version of software that is used by operators. Against the backdrop of Chinese Intelligence Law mandating that businesses collaborate with the PLA and restricting them by law to disclose this, how will we ever have oversight? The oversight board is doing a great job but they are effectively just acting as quality control from a security point of view and may not be able to detect the major state sponsored backdoors which is what they are designed to detect.”
He concluded: “The only natural conclusion to this is that telecom operators will have to stop using H equipment. This isn’t because H is a bad vendor, it is simply because they are Chinese and have to do the Chinese government’s bidding by law.”