Friday, 02 October 2020 07:20

UK Huawei report says little progress made on fixing old flaws


A British report into Huawei's operations in the country has found that the company has made limited progress in fixing up issues which were reported in 2019, "making it inappropriate to change the level of assurance from last year or to make any comment on potential future levels of assurance".

The report, from the Huawei Cyber Security Evaluation Centre Oversight Board, is the sixth of its kind and covers 2019. Last year, the report had found "concerning issues" in the company's approach to software development, significantly increasing risk to operators and needing ongoing management and mitigation.

It said the number of vulnerabilities and issues reported to UK operators had risen significantly beyond the number found in 2018. This growth was attributed to HCSEC's increasing effectiveness and to the analysis of some specific, poorly written components.

"[The] National Cyber Security Centre does not view the increase in vulnerabilities as an indicator of a further decline in Huawei’s product quality, but it certainly does not indicate any marked improvement or transformation."

The report found that "the character of vulnerabilities had not changed significantly between years, with many vulnerabilities being of high impact (equivalently, a high base CVSS score and a relevant operational context), including unprotected stack overflows in publicly accessible protocols, protocol robustness errors leading to denial of service, logic errors, cryptographic weaknesses, default credentials and many other basic vulnerability types".

It said that major quality deficiencies were still found to exist in the products analysed by HCSEC. "Sustained evidence of poor coding practices was found, including evidence that Huawei continues to fail to follow its own internal secure coding guidelines. This is despite some minor improvements over previous years. Huawei has made improvements against certain metrics, and most point-issues identified in previous quality reports have been remediated," the report said.

"During 2019, HCSEC identified critical, user-facing vulnerabilities in fixed access products. The vulnerabilities were caused by particularly poor code quality in user-facing protocol handlers and the use of an old operating system. The vulnerabilities were a serious example of the issues that are more likely to occur given the deficiencies in Huawei’s engineering practices, and during 2019 UK operators needed to take extraordinary action to mitigate the risk. Huawei have since fixed the specific vulnerabilities in the UK, but in doing so, introduced an additional major issue into the product, adding further evidence that deficiencies in Huawei’s engineering processes remain today.

"In this example, the code quality in these user-facing protocol handlers was sufficiently poor that NCSC has required Huawei to fully rewrite the code, and re-architect the product’s security. Huawei have committed to doing so by June 2020."

The report said the HCSEC had fulfilled its obligations to provide software engineering and cyber security assurance artefacts to the UK National Cyber Security Centre and British operators, as "part of the strategy to manage risks to UK national security from Huawei’s involvement in the UK’s critical networks".

"However, as highlighted in previous reports, HCSEC’s work has continued to identify concerning issues in Huawei’s approach to software development, bringing significantly increased risk to UK operators, which requires ongoing management and mitigation. This is unchanged from last year," the report said.

"Limited progress has been made on the issues raised in the previous report. The Oversight Board continues to be able to provide only limited assurance that the long-term security risks can be managed in the Huawei equipment currently deployed in the UK. However, this does not suggest that UK networks are more vulnerable than last year.

"The Oversight Board advises that it will be difficult to appropriately risk-manage future products in the context of UK deployments, until the underlying defects in Huawei’s software engineering and cyber security processes are remediated.

"At present, the Oversight Board has not yet seen anything to give it confidence in Huawei’s capacity to successfully complete the elements of its transformation program that it has proposed as a means of addressing these underlying defects. The Board will require sustained evidence of better software engineering and cyber security quality verified by HCSEC and NCSC

And, it concluded, "overall, the Oversight Board can only provide limited assurance that all risks to UK national security from Huawei’s involvement in the UK’s critical networks can be sufficiently mitigated long-term."

The HCSEC opened in November 2010 and aims to mitigate any perceived risks arising from the use of Huawei equipment in parts of the UK critical national infrastructure. The centre provides security evaluation for a range of products used in the UK telecommunications market.

Huawei will not have a role in the UK's 5G networks after 2027, with London having decided in July, following pressure from the US, to remove all its gear by then. All four operators who have built 5G networks used Huawei equipment in non-core areas, as per the existing policy put in place in January, which allowed the company to supply up to 35% of non-core gear.

Contacted for comment, a Huawei representative told iTWire: "This latest report highlights our commitment to a process that guarantees openness and transparency, and demonstrates HCSEC has been an effective way to mitigate cyber security risks in the UK. The report again concludes that the 'NCSC does not believe that the defects identified are a result of Chinese state interference' and 'this does not suggest that UK networks are more vulnerable than last year'.

"As innovators, we continue significant investment to improve our products. The report acknowledges that while our software transformation process is in its infancy, we have made some progress in improving our software engineering capabilities.

"Huawei has faced the highest level of scrutiny for almost 10 years. This rigorous review sets a precedent for cyber security collaboration between the public and private sectors, and has provided valuable insights for the telecoms sector. We believe this mechanism can benefit the entire industry and Huawei calls for all vendors to be evaluated against an equally robust benchmark, to improve security standards for everyone."


Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
