UK cyber security officials report Huawei's security practices are a mess

As Huawei makes its bid to roll out 5G, a UK government oversight board is not exactly thrilled with the company's security practices—or how it makes software. Image: Getty Images

In November of 2010, the Chinese networking and telecommunications giant Huawei entered into an agreement with the government of the United Kingdom to allow extensive security reviews of Huawei's hardware and software—a move intended to allay fears that the company posed a security risk to the UK's networks. Since then, the Huawei Cyber Security Evaluation Centre (HCSEC) has given UK officials a window into the company's information security practices. And UK officials haven't necessarily liked what they've seen.

In a report issued today, the HCSEC Oversight Board—a panel including officials from the National Cyber Security Centre, GCHQ and other agencies, as well as a senior executive from Huawei—warned that Huawei had failed to make long-promised changes to its software development and engineering practices needed to improve security.

“HCSEC's work has continued to identify concerning issues in Huawei's approach to software development bringing significantly increased risk to UK operators,” the oversight board members noted. “No material progress” had been made in correcting those problems since they were noted last year.

In addition, audits and reviews by the HCSEC had found “further significant technical issues in Huawei's engineering practices,” the board noted. And while Huawei had promised to make major investments in correcting its problems—promising to invest $2 billion in security engineering improvements over five years—the board remained unconvinced based on its review:

At present, the Oversight Board has not yet seen anything to give it confidence in Huawei's capacity to successfully complete the elements of its transformation programme that it has proposed as a means of addressing these underlying defects. The Board will require sustained evidence of better software engineering and cyber security quality verified by HCSEC and NCSC. Overall, the Oversight Board can only provide limited assurance that all risks to UK national security from Huawei's involvement in the UK's critical networks can be sufficiently mitigated long-term.

This report comes as Huawei is poised to play a major role in the deployment of 5G wireless communications in the UK, despite the US government's insistence that Huawei gear poses a security threat. The Trump administration contends that because of Huawei's connections to the Chinese government and military, the company's software and hardware could be used by China's Ministry of State Security or the People's Liberation Army for espionage or sabotage.

The problems unearthed by HCSEC, however, suggest that the bigger threat is that Huawei gear could be hacked by just about anyone who cared to make an effort. And because of how Huawei runs its software development, it's impossible to give blanket certification for any one product's security.

One major problem cited by the report is that a large portion of Huawei's network gear still relies on version 5.5 of Wind River's VxWorks real-time operating system (RTOS), which has reached its “end of life” and will soon no longer be supported. Huawei has bought a premium long-term support license from VxWorks, but that support runs out in 2020. That could leave hardware installed by telecommunications carriers at risk.

And while Huawei is developing its own RTOS to eventually replace VxWorks, there's reason for concern about how secure that OS will be—because Huawei's software development process is not exactly reliable. HCSEC reported that the software build process used by Huawei results in inconsistencies between software images. In other words, products ship with software with widely varying fingerprints, so it's impossible to determine whether the code is the same based on checksums.
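To make the build-inconsistency finding concrete, here is an added example (not code from the report or from Huawei): a constructed Python "build" that stamps the wall-clock time into each image, so two builds of identical source hash differently, next to a payload-only digest that still tells whether the shipped code matches, and the pinned-timestamp fix (the SOURCE_DATE_EPOCH convention) that makes whole-image fingerprints comparable. The source tree, paths and timestamps are all constructed.

```python
import hashlib
import io
import time
import zipfile

# Constructed stand-in for a device firmware tree (path -> bytes); not real vendor code.
SOURCE_TREE = {
    "bin/netd": b"\x7fELF constructed binary payload",
    "etc/version": b"5.5.0\n",
}

def build_image(tree, build_time):
    """Package tree into a zip 'image' the way a naive build does: every entry
    gets the build's wall-clock timestamp and a build-info file records it.
    Both are sources of non-determinism: same code, different bytes per build."""
    files = dict(tree)
    files["etc/buildinfo"] = f"built-at={build_time}\n".encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in sorted(files):
            info = zipfile.ZipInfo(path, date_time=time.gmtime(build_time)[:6])
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, files[path])
    return buf.getvalue()

def image_fingerprint(image):
    """The whole-image checksum an operator would publish or compare."""
    return hashlib.sha256(image).hexdigest()

def content_digest(image):
    """Digest of the shipped code only: entry paths and payloads, with the
    build metadata (entry timestamps, buildinfo) left out. Tells whether two
    images carry the same code even when their fingerprints disagree."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(image)) as zf:
        for name in sorted(zf.namelist()):
            if name == "etc/buildinfo":
                continue
            h.update(name.encode() + b"\0" + zf.read(name) + b"\0")
    return h.hexdigest()

def reproducible(tree, build_times, pinned_time=None):
    """Build once per timestamp and report whether every fingerprint agrees.
    pinned_time replaces the clock for all builds (the SOURCE_DATE_EPOCH
    convention from reproducible-builds.org), which is the usual fix."""
    fps = {image_fingerprint(build_image(tree, pinned_time if pinned_time is not None else t))
           for t in build_times}
    return len(fps) == 1
```

Run with two clock values and `reproducible()` returns False; pin the time and it returns True, while `content_digest()` matches in both cases because the code never changed.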

Despite efforts by the UK to get