A report by the British Huawei Cyber Security Evaluation Centre (HCSEC) shows that serious vulnerabilities still exist a year after the date sum. However, direct cooperation with operators in the United Kingdom is unlikely to allow the vulnerabilities to be attacked.
The HCSEC was founded in 2010 by Huawei in consultation with Her Majestys Government to mitigate risks due to Huawei’s critical position within the national infrastructure. HCSEC provides security assessments of a range of telecom products within the UK. All telecom providers (EE, Vodafone, O2 and Three) use Huawei hardware today.
The HCSEC Oversight Board (OB) report first of all confirms that no direct evidence of state-sponsored espionage was found. However, it does criticise Huawei’s slow attitude towards vulnerabilities.
Mitigation strategy
The report highlights that HCSEC continues to find serious vulnerabilities in Huawei products. Several hundred vulnerabilities and comments were reported to the telecom operators. Some vulnerabilities identified in previous versions of products remain.
However, the report stresses that the mitigation strategy for Huaweis’ presence in the UK is possibly the toughest and most severe in the world. The report also emphasises that the networks are no more vulnerable than last year. In addition, the security management of telecom operators in the UK makes it extremely difficult to exploit vulnerabilities.
Huawei has responded by saying that it understands the concerns and is taking the outcome very seriously. The problems that have been identified are vital inputs for Huawei in a process of transformation of its software engineering capabilities.
At the end of last year, the Board of Directors of Huawei issued a resolution to launch a company-wide transformation programme. The goal is to significantly improve the software engineering capabilities. It has set aside a budget of 2 billion dollars for this transformation.
Competition?
The report is sensitive because today the four telecom providers in the UK are preparing their 5G networks. EE has already indicated that it will not use Huawei hardware in the core of its network because of a policy that owner BT has had since 2006. Vodafone has paused the use of Huawei equipment. O2 and Three both test hardware for future use.
Huawei has announced that a high-level plan for the programme has been developed and that it will continue to work closely with telecom operators and the National Cyber Security Centre (NCSC) in the UK. Huawei wants to meet the requirements as cloud, digitization and software-defined networking become increasingly important. To ensure the continued security of global telecom networks, according to the company, industries, regulators and governments need to work together to set higher standards for cyber security.
Huawei is getting the wind out of the report, but today it is the only telecom manufacturer that makes its source code available for testing. Competitors Cisco, Nokia and Ericsson keep that code secret and share it with no one. It is therefore impossible to compare with them to see whether Huawei needs to get back on its feet or whether the competition also has its faults. I’m sure you’ll be prosecuted.
Related: Visiting Huawei in Shenzhen: cybersecurity, source code and right of veto
This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.