Thursday, 07 February 2019 08:56

Huawei says 3-5 years needed to fix issues raised by UK


Huawei will take between three and five years to fix security concerns identified in a report by an oversight board, the president of the Chinese telecommunication equipment provider's Carrier Business Group, Ryan Ding, says in a letter to Norman Lamb, the chair of the House of Commons Science and Technology Committee.

The letter was written in response to one from Lamb that asked several questions of the company. One was about the shortcomings identified in the latest report from the Huawei Cyber Security Evaluation Centre's Oversight Board.

The HCSEC, a testing centre set up by the company and jointly run with the UK's National Cyber Security Centre, tests the company's technology to ensure that any security issues are mitigated and issues a report every year.

Ding said the latest report had identified "some areas for improvement in our engineering processes and we are working to address them".

"Enhancing our software engineering capabilities is like replacing components on a high-speed train in motion," he said. "It is a complicated and involved process and will take at least three to five years to see tangible results. We hope the UK Government can understand this."

Ding ruled out any possibility that the company would be asked to assist China in intelligence gathering, saying this had never happened and would never happen.

"Were Huawei to engage in malicious behaviour, it would not go unnoticed - and it would certainly destroy our business," he said. "For us, it is a matter of security or nothing; there is no third option."

With regard to China's National Intelligence Law, Ding said the Chinese Foreign Affairs Ministry had clarified that no Chinese law obliged any company to install backdoors.

"To confirm this interpretation, we have also sought the opinion of a leading Chinese law firm, Zhong Lun, which has been reviewed by Clifford Chance LLC, a well-respected international law firm based in London," he said.

"The legal opinion confirms that relevant provisions of the Counter-Espionage Law, the Anti-Terrorism Law, the Cyber Security Law, the National Intelligence Law, and the State Security Law do not appear to empower PRC government authorities to plant backdoors, eavesdropping devices or spyware in telecommunications equipment.

"In addition, the relevant provisions of China's National Intelligence Law do not appear to have extra-territorial effect over Chinese companies' overseas subsidiaries and employees, such as Huawei UK."

Lamb also asked what reassurances Huawei could provide to show that its products and services were not a threat to British national security.

Ding said in response that the company's "solid track record" was the strongest evidence it could provide. "Over the past 30 years, Huawei has provided network products and solutions to nearly 1500 telecom operators in more than 170 countries and regions," he said, adding that the company was delivering stable telecommunications service to more than three billion people.

He said some governments had labelled Huawei a security threat, but had never substantiated these allegations with solid evidence.

Ding's letter was sent on 29 January, about a week before a report in a London newspaper hinted that the forthcoming report from HCSEC would claim that Huawei had not addressed security concerns raised last year – even though the NCSC said at the time that fixing the issues identified would take until mid-2020.

London's Telegraph newspaper claimed that the latest draft report had found that "issues raised from its previous findings into the Chinese telecoms giant have not been fully addressed and will criticise Huawei over the security of its technology".

The issues in question were raised in July last year when the last report from the HCSEC was issued. At the time, as iTWire reported, the report claimed that equipment made by Huawei had technical and supply-chain issues that exposed the UK's telco networks to new security issues.

Ding made no reference to this, but mentioned the HCSEC while asserting that the company took cyber security very seriously. He pointed out that since 2011, John Suffolk, a former British government CIO, had been functioning as Huawei's Global Cyber Security and Privacy Officer.

A Cyber Security Verification Lab set up by Huawei reported directly to Suffolk, providing reports that detailed the quality and security capabilities of the company's products, Ding said.

He also said the HCSEC Oversight Board included members of the company, the UK Government and British telcos, and that the most recent report from this board said this assurance model was the best way to manage any risk stemming from Huawei's involvement in the British telecommunications sector.

Asked about action against Huawei taken by other countries, including the so-called Five Eyes nations, Ding said while some countries had acted to restrict the company's business activities, in many cases the media had exaggerated the extent of the restrictions.

He claimed that to date:

  • Canada had not imposed any restrictions on Huawei;
  • New Zealand had turned down a single 5G proposal but the regulatory process was still ongoing;
  • Australia had raised extra requirements for the supply of 5G products but Huawei was still a major provider of network equipment; and
  • Even in the US, existing laws only restricted use of federal funds to purchase Huawei networking hardware and services and there were no restrictions on the company's business activities.

Thanks to The Register for the link to the letter.



Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.


