The issue with Huawei’s equipment was initially withheld from the Chinese company and not reported due to security concerns, says GCHQ.
Cyber security analysts within GCHQ, who were tasked with investigating Huawei’s equipment in use in the UK’s telecommunications networks, discovered a “nationally significant” vulnerability last year.
Investigators within the UK’s Huawei Cyber Security Evaluation Centre (HCSEC) found an issue so severe that it was withheld from the company, according to an oversight report published on Thursday.
Vulnerabilities within networks are usually due to software design failures, which could allow hostile actors (in particular those from the Chinese state when it comes to Huawei) to infiltrate the systems and carry out a cyber attack.
The report explicitly states that the UK’s National Cyber Security Centre (NCSC) – a part of GCHQ – “does not believe that the defects identified are as a result of Chinese state interference”, and adds that there had been no evidence that the vulnerabilities were exploited.
Instead, the agency reported that “poor software engineering and cyber security processes lead to security and quality issues, including vulnerabilities” – and that “the increasing number and severity of vulnerabilities discovered” is of particular concern.
“If an attacker has knowledge of these vulnerabilities and sufficient access to exploit them, they may be able to affect the operation of a UK network, in some cases causing it to cease operating correctly,” the report warns.
“Other impacts could include being able to access user traffic or reconfiguration of the network elements.”
After the major vulnerability had been assessed by the UK’s GCHQ security services, it was reported to Huawei, in line with HCSEC’s normal vulnerability disclosure process.
The report adds that HCSEC “continues to reveal serious and systematic defects in Huawei’s software engineering and cyber security competence” – and warns that despite fixing specific issues when directed to do so, the agency has “no confidence that Huawei will effectively maintain components within its products”.
A spokesperson for Huawei said the report highlighted the company’s “commitment to a process that guarantees openness and transparency, and demonstrates HCSEC has been an effective way to mitigate cyber security risks in the UK”.
Huawei pointed to the NCSC’s conclusion that the defects were not believed to be the result of malicious interference from the Communist Chinese state, and insisted that the UK’s networks are no more vulnerable than they were last year.
“As innovators, we continue significant investment to improve our products. The report acknowledges that while our software transformation process is in its infancy, we have made some progress in improving our software engineering capabilities,” said the spokesperson.
“Huawei has faced the highest level of scrutiny for almost 10 years. This rigorous review sets a precedent for cyber security collaboration between the public and private sectors, and has provided valuable insights for the telecoms sector.”