The report, from the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board, is the sixth of its kind and covers 2019. Last year's report had found "concerning issues" in the company's approach to software development, which it said significantly increased risk to operators and required ongoing management and mitigation.
It said the number of vulnerabilities and issues reported to UK operators had risen significantly above the number found in 2018. This growth was put down to HCSEC's increasing effectiveness and to the analysis of some specific, poorly written components.
"[The] National Cyber Security Centre does not view the increase in vulnerabilities as an indicator of a further decline in Huawei’s product quality, but it certainly does not indicate any marked improvement or transformation."
It said that major quality deficiencies were still found to exist in the products analysed by HCSEC. "Sustained evidence of poor coding practices was found, including evidence that Huawei continues to fail to follow its own internal secure coding guidelines. This is despite some minor improvements over previous years. Huawei has made improvements against certain metrics, and most point-issues identified in previous quality reports have been remediated," the report said.
"During 2019, HCSEC identified critical, user-facing vulnerabilities in fixed access products. The vulnerabilities were caused by particularly poor code quality in user-facing protocol handlers and the use of an old operating system. The vulnerabilities were a serious example of the issues that are more likely to occur given the deficiencies in Huawei’s engineering practices, and during 2019 UK operators needed to take extraordinary action to mitigate the risk. Huawei have since fixed the specific vulnerabilities in the UK, but in doing so, introduced an additional major issue into the product, adding further evidence that deficiencies in Huawei’s engineering processes remain today.
"In this example, the code quality in these user-facing protocol handlers was sufficiently poor that NCSC has required Huawei to fully rewrite the code, and re-architect the product’s security. Huawei have committed to doing so by June 2020."
The report said the HCSEC had fulfilled its obligations to provide software engineering and cyber security assurance artefacts to the UK National Cyber Security Centre and British operators, as "part of the strategy to manage risks to UK national security from Huawei’s involvement in the UK’s critical networks".
"However, as highlighted in previous reports, HCSEC’s work has continued to identify concerning issues in Huawei’s approach to software development, bringing significantly increased risk to UK operators, which requires ongoing management and mitigation. This is unchanged from last year," the report said.
"Limited progress has been made on the issues raised in the previous report. The Oversight Board continues to be able to provide only limited assurance that the long-term security risks can be managed in the Huawei equipment currently deployed in the UK. However, this does not suggest that UK networks are more vulnerable than last year.
"The Oversight Board advises that it will be difficult to appropriately risk-manage future products in the context of UK deployments, until the underlying defects in Huawei’s software engineering and cyber security processes are remediated.
"At present, the Oversight Board has not yet seen anything to give it confidence in Huawei’s capacity to successfully complete the elements of its transformation program that it has proposed as a means of addressing these underlying defects. The Board will require sustained evidence of better software engineering and cyber security quality verified by HCSEC and NCSC
And, it concluded, "overall, the Oversight Board can only provide limited assurance that all risks to UK national security from Huawei’s involvement in the UK’s critical networks can be sufficiently mitigated long-term."
The HCSEC opened in November 2010 and aims to mitigate any perceived risks arising from the use of Huawei equipment in parts of the UK critical national infrastructure. The centre provides security evaluation for a range of products used in the UK telecommunications market.
Huawei will not have a role in the UK's 5G networks after 2027, with London having decided in July, following pressure from the US, to remove all of the company's gear by then. All four operators that have built 5G networks used Huawei equipment in non-core areas, as permitted by the policy put in place in January, which allowed the company to supply up to 35% of non-core gear.
Contacted for comment, a Huawei representative told iTWire: "This latest report highlights our commitment to a process that guarantees openness and transparency, and demonstrates HCSEC has been an effective way to mitigate cyber security risks in the UK. The report again concludes that the 'NCSC does not believe that the defects identified are a result of Chinese state interference' and 'this does not suggest that UK networks are more vulnerable than last year'.
"As innovators, we continue significant investment to improve our products. The report acknowledges that while our software transformation process is in its infancy, we have made some progress in improving our software engineering capabilities.
"Huawei has faced the highest level of scrutiny for almost 10 years. This rigorous review sets a precedent for cyber security collaboration between the public and private sectors, and has provided valuable insights for the telecoms sector. We believe this mechanism can benefit the entire industry and Huawei calls for all vendors to be evaluated against an equally robust benchmark, to improve security standards for everyone."