While Chinese tech giant Huawei remains hopeful about eventually becoming a trusted 5G wireless partner in the UK, the short-term prospects look dismal at best. That’s because the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board has just published a highly critical study on Huawei’s software engineering and cybersecurity practices, and the results were even worse than originally anticipated. Huawei has made “no material progress” on addressing cybersecurity flaws discovered a year ago, and in general, Huawei cybersecurity practices are untrustworthy and present high risk to the UK for large 5G network build-outs.
Key findings about Huawei cybersecurity practices
In fact, the problems described in the report are so extensive that even Huawei admits that it could take anywhere from three to five years to fix all the problems and properly address all the security risk issues uncovered by UK security experts. That’s quite remarkable, given how long Huawei’s cybersecurity practices have already been under scrutiny by those same experts.
Back in 2010, the HCSEC was set up as a quasi-government watchdog to ensure that Huawei followed best-in-class cybersecurity processes as it ramped up its presence in the UK. The original concern of the UK government was that Huawei was secretly building “backdoors” into its networking equipment that might be used for cyber-espionage efforts at the request of the Chinese government. Those concerns first arose during the Barack Obama presidency in the United States, and have grown in scope under the current Trump administration.
Judging from the findings of the HCSEC Oversight Board report, though, the much more pressing problem is risk management and not cyber-espionage. After taking a closer look at the Huawei engineering process, the HCSEC Oversight Board (which includes representatives from the UK’s National Cyber Security Centre) concluded that there were simply too many glaring problems. For example, Huawei was still relying on a very old and outdated real-time operating system (RTOS), which is scheduled to reach its “end of life” in 2020. Thus far, Huawei has been unable to demonstrate that it has a suitable replacement, or that its future software can ever be fully trusted.
In large part, that’s due to the fact that the entire software development process at Huawei appears to be sloppy and poorly executed. The HCSEC Oversight Board specifically pointed out several hundred vulnerabilities in 2018 for remediation, and Huawei has done almost nothing to address them. Moreover, the report specifically pointed out that it would be “hard to be confident” that different deployments of similar Huawei equipment are broadly equivalent in their security. That’s because vulnerabilities are fixed in some versions of the software but not in others, and it is never really clear which source code is in use at any point in time. Thus, even if Huawei claims to have fixed one vulnerability, there is no guarantee that it won’t pop up somewhere else.
What was particularly damning about the HCSEC report was that it clearly questioned the basic competence of Huawei cybersecurity professionals. How is it possible, for example, that Huawei has pledged $2 billion to overhaul and fix its equipment, but nothing seems to have been done? How is it possible that Huawei and the UK government have been working on the development of trusted technology since 2010 – back when the first hints were being made that Chinese tech giants were engaged in state-backed cyber-espionage – and still Huawei has done nothing to give the UK watchdog any confidence?
The timing of the HCSEC report on Huawei
In recent months, Huawei has been taking extraordinary steps to convince UK government officials that Huawei cybersecurity practices were nothing to worry about. The company pledged to commit $2 billion to beef up its cybersecurity practices at the end of 2018, and has been running a soft PR campaign in 2019 to counteract pressure from the U.S. not to do business with Chinese companies. At stake is the right to participate in the build-out of 5G networks across the UK using Huawei’s equipment. In fact, Huawei had hoped that the findings of this report would provide a final positive factor in its favor.
But that doesn’t look like it’s going to happen. Even prior to what the HCSEC reported on “serious and systematic defects,” mobile giant Vodafone had paused any plan to integrate Huawei 5G networking equipment. Other mobile operators had been waiting on this report, since the UK is scheduled to announce the list of companies participating as vendors in its 5G networks very soon.
Implications of the report on Huawei
Going forward, Huawei may have to dial back its aspirations for the UK marketplace. The U.S. has been applying pressure on its allies not to buy equipment from the Chinese, and it is not out of the realm of possibility that the final findings of the report may have been influenced by this pressure. Other U.S. allies – including New Zealand and Australia – have already walked back initial commitments to buy Huawei equipment, and it looks like Canada is close to doing the same. Thus, across North America and Oceania, it’s going to be harder and harder to find anyone who will buy from the Chinese, and especially from Huawei. Once a company acquires a negative reputation, it becomes a very difficult task to reverse marketplace perceptions.
So, in a sense, this Huawei cybersecurity evaluation marks a serious setback for the company. Long-term fixes to security processes will take years to address, and by that time, UK operators will have already selected their future 5G partners. In 2020, even if the HCSEC reported a sudden turnaround in Huawei cybersecurity standards, it would already be too late.
For other tech companies, the findings on Huawei cybersecurity issues and shortfalls should be a wake-up call. Governments and corporations take a number of factors into account when they decide to choose partners, and technical specifications are just part of the mix. Software engineering and cybersecurity practices also matter. In a world where data breaches and network intrusions are the norm rather than the exception, no company wants to deal with the potential headache of third-party hackers affecting the operation of their networks or accessing user traffic.