Huawei’s $2bn software programme ‘not enough’ to ensure security, says UK

Huawei’s $2bn software programme ‘not enough’ to ensure security, says UK

Huawei MWC 2019.jpg

Huawei’s software engineering is creating “serious vulnerabilities” for network operators, says a report today from a UK government security agency.

The oversight board for the Huawei Cyber Security Evaluation Centre (HCSEC) says that it discovered “several hundred vulnerabilities and issues” that it has reported to operators in the past year. “Some vulnerabilities identified in previous versions of products continue to exist,” it adds.

The report (PDF here) says HCSEC can give “only limited assurance that the long-term security risks can be managed in the Huawei equipment currently deployed in the UK”.

Huawei said this morning: “We understand these concerns and take them very seriously. The issues identified in the … report provide vital input for the ongoing transformation of our software engineering capabilities.”

The company points to a decision “to carry out a companywide transformation programme aimed at enhancing our software engineering capabilities, with an initial budget of $2 billion”.

The report is certain to hit not only Huawei’s business in the UK, but also that in other European countries, such as France and Germany, and in those countries – such as Australia, Canada and New Zealand – that work with the UK on intelligence issues.

The report – which has not found any backdoors in Huawei systems – will also be seized upon by those in the US that are vigorously campaigning for a ban on all Huawei equipment.

HCSEC – nicknamed “The Cell” – is funded by Huawei but staffed entirely by cyber security staff who are security-vetted by the UK government.

It is controlled by the UK’s National Cyber Security Centre (NCSC), allied to Government Communications Headquarters (GCHQ), one of the UK government’s intelligence agencies, and works from a secure location in Banbury, Oxfordshire. It works independently of Huawei but has access to Huawei source code. Indeed, its function is to check Huawei’s software.

In today’s report in identifies risks with “Huawei’s approach to software development” that enable it “to provide only limited assurance that the long-term security risks can be managed in the Huawei equipment currently deployed in the UK”.

That is a particularly damning finding. At the moment worldwide focus is on the use of Huawei equipment in the new 5G networks, but this report focuses on existing equipment and systems.

The oversight board says “it will be difficult to appropriately risk-manage future products in the context of UK deployments, until the underlying defects in Huawei’s software engineering and cyber security processes are remediated”.

After last year’s report of HCSEC’s work, Huawei said it would spend $2 billion on updating its software engineering, but today’s report says the oversight board “has not yet seen anything to give it confidence in Huawei’s capacity to successfully complete the elements of its transformation programme”.

Huawei said this morning: “A high-level plan for the programme has been developed and we will continue to work with UK operators and the NCSC during its implementation to meet the requirements created as cloud, digitisation, and software-defined everything become more prevalent.”

Huawei added: “To ensure the ongoing security of global telecom networks, the industry, regulators, and governments need to work together on higher common standards for cyber security assurance and evaluation.”

One of HCSEC’s roles is “to support Huawei R&D in its efforts to enhance Huawei’s software engineering and cyber security competence and so begin to remedy the underlying issues identified in this and previous reports”.

But there is a long way to go. One of the problems that HCSEC has identified is what it calls “binary equivalence” – relating to the certainty that two versions of software used in a network is the same.

When software engineers change the code – as they do frequently – “it is hard to be confident that different deployments of similar Huawei equipment are broadly equivalently secure”, says the report.

“For example, it is difficult to be confident that vulnerabilities discovered in one build are remediated in another build through the normal operation of a sustained engineering process.”

This is probably an issue that affects all makers of network equipment in this software-defined era. Software is changed and it is hard to be sure how a new version differs from the old version. And not just in telecoms, as the families of victims of the recent two Boeing 737 Max crashes can explain.

Indeed, the report shows some of the vulnerabilities of software engineering. Huawei uses “an old and soon-to-be out of mainstream support version of a well-known and widely used real time operating system supplied by a third party” to manage its software.

Huawei wants to upgrade, and now has “a premium long-term support agreement from the [same] vendor to address vulnerabilities in a commercially viable manner in the future”.

However, warns today’s report, there are still “underlying cyber security risks brought about by the single memory space, [and] single user context”.

The report warns: “NCSC believes there is currently no credible plan to reduce the risk in the UK of the use of this real time operating system.” In addition, “Huawei’s own equivalent operating system is subject to many of the same Huawei development processes as other components and NCSC currently has insufficient evidence to make a judgement on the software engineering quality and cyber security implications of this component.”

The report is sceptical about Huawei’s plan to spend $2 billion on software engineering. This, “while welcome, is currently no more than a proposed initial budget for as yet unspecified activities”.

It says the HCSEC oversight board “will wish to see details of the transformation plan and evidence of its impact on products being used in UK networks before it can be confident it will drive change”.

Until that happens, “it is not possible to offer any degree of confidence that the identified problems can be addressed by Huawei”, says the report.

If the report has a positive note, it is this: “The discovery of the issues exposed in this report are an indication of the model [of HCSEC] working properly. Huawei currently continues to engage with this process.”

And others have pointed out that Huawei’s software engineering is subject to a level of scrutiny that is experienced by no other network equipment or software provider.