The latest annual report from the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board has warned the UK’s national security advisor that it can offer “only limited assurance” that the widespread use of Huawei broadband and mobile infrastructure hardware poses no national security risks.
China’s Huawei is the world’s largest producer of telecoms equipment – hardware that makes up a large part of the UK’s communications infrastructure, mostly installed and maintained by BT Openreach, including routers, switches, and the green boxes that stand on many streets.
The HCSEC Oversight Board is comprised of UK security officials, including representatives from the government communications monitoring agency GCHQ, the Cabinet Office, and the Home Office.
GCHQ has monitored Huawei’s activities in the UK – including staff appointments – ever since the company began growing its presence on British soil.
This year’s report, the fourth of its kind, highlights a “lack of progress” in remedying issues identified in past versions, and shortcomings in Huawei’s internal practices:
Identification of shortcomings in Huawei’s engineering processes have exposed new risks in the UK telecommunication networks and long-term challenges in mitigation and management.
A visit to Huawei’s headquarters in Shenzhen in 2017 also revealed that the company was failing to monitor the security of the third-party components used in its products.
The 2018 report concludes:
“Due to areas of concern exposed through the proper functioning of the mitigation strategy and associated oversight mechanisms, the Oversight Board can provide only limited assurance that all risks to UK national security from Huawei’s involvement in the UK’s critical networks have been sufficiently mitigated.”
The BBC spoke to security expert and former consultant to GCHQ Alan Woodward, who said:
It’s difficult not to conclude that Huawei appears to be falling short in doing what is required to enable the UK government to confidently give the green light to use its equipment in critical areas.
He also recalled an earlier GCHQ warning that Beijing had passed new laws giving it the right to interfere with products from fellow Chinese communications company, ZTE.
Internet of Business says
In April this year, US regulators announced that they would ban resident companies from buying from any supplier deemed to be a national security threat. This included the likes of China Mobile, Huawei, and ZTE.
However, in recent weeks US president Donald Trump has muddied the waters by using the term ‘national security’ in the broadest sense, even applying it to European carmakers’ competitive moves into the US market. Earlier this year, he used it to block Broadcom’s planned purchase of Qualcomm – a move that can now be seen as a prelude to the current US-China trade war.
ZTE has since received a temporary reprieve from the US government until 1 August to allow it to maintain its existing networks and work towards lifting the supplier ban. It must also pay a $1 billion penalty and put $400 million in escrow to resume business in the US.
Huawei faces similar scrutiny from Western governments. It was founded by a former officer in the People’s Liberation Army, though it maintains that it is privately owned and completely separate from the state. The company established a foothold in the UK when it signed a deal to supply transmission equipment to BT in 2005.
However, the UK’s concerns over the extensive use of Chinese technology and possible links to the Beijing government are nothing new.
The Cell, the Banbury-based, Huawei-owned security agency that monitors the company’s processes, hardware, and software for exploitable flaws, was set up in 2010 for precisely this reason. It operates under the supervision of the British government and GCHQ.
At its establishment, the Cell represented a compromise between government security fears and the private sector’s desire for low-cost infrastructure – especially at the tail end of a global recession.
The Guardian has previously reported that past investigations into the Cell’s independence from Huawei found that processes were operating “robustly and effectively”, and that any potential threats to national security had been “sufficiently mitigated”.
This was despite the fact that Huawei sets the bonus of the Cell’s managing director.
But if any Chinese companies are monitoring their customers’ communications in the UK, then they are being monitored too. Papers leaked from the US National Security Agency (NSA) by Edward Snowden revealed that investigators had hacked into Huawei’s headquarters, monitored its executives, and obtained technical documents, as disclosed by the New York Times:
“Many of our targets communicate over Huawei-produced products,” the NSA document reads. “We want to make sure that we know how to exploit these products,” to “gain access to networks of interest” around the world.
With then prime minister David Cameron’s leave, former chancellor of the Exchequer George Osborne eagerly pursued Chinese investment in the UK while he was in office. For her part, current Prime Minster Teresa May has been more wary of Chinese influence, and has previously expressed reservations about Huawei.
Games of political influence and intelligence have always largely played out in the shadows, yet increasingly the intelligence agencies of the world’s major powers are dealing with individual components on circuit boards and single lines of code to gain new lines of intelligence.