The software Huawei uses to power its telecommunications equipment is flawed, fails to meet security standards, and poses significant vulnerabilities for operators and their respective customers, according to a new report by an oversight board in the United Kingdom.
The conclusions may bolster the Trump administration’s efforts to pressure other countries to ban Huawei equipment, but the U.K. report falls short of calling for an outright ban. The security “defects” are an underlying, well-documented problem: they were identified in earlier reports and remain in place today. The U.S. government, by contrast, has largely based its accusations on the unproven premise that the Chinese government can and will use its influence over Huawei to spy on Americans and allies.
Huawei has consistently denied these charges, but the company is owning up to some of the issues that were detailed in the report to the national security adviser of the U.K. government. The report “details some concerns about Huawei’s software engineering capabilities. We understand these concerns and take them very seriously,” Huawei said in a prepared statement.
The company described the evaluation as “arguably the toughest and most rigorous in the world,” but, as noted by British security authorities, it hasn’t presented a clear plan to resolve the persistent problems with its software. The company says it will spend $2 billion during the next five years to improve software engineering capabilities, but it hasn’t provided any further details beyond a “high-level plan” to work with U.K. operators and the National Cyber Security Center (NCSC) to “meet the requirements as cloud, digitization, and software-defined everything become more prevalent.”
The U.K. report reinforced earlier concerns about Huawei’s approach to software development. Vulnerabilities that remain in place include “unprotected stack overflows in publicly accessible protocols, protocol robustness errors leading to denial of service, logic errors, cryptographic weaknesses, default credentials, and many other basic vulnerability types.”
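As an added illustration, not code from the report, from Huawei, or from any real product, the following C sketch shows what two of the listed classes look like in practice: an unprotected stack overflow in a network-facing protocol handler, and the truncated-message over-read that produces a denial of service. The wire format, the function names and the sample messages are all constructed assumptions for this example; the hardened handler sits beside the vulnerable one so the missing checks are visible.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Constructed "hello" message for a made-up, publicly reachable management
 * protocol (an assumption for this example, not any vendor's real format):
 *   bytes 0..1  big-endian length of the name field
 *   bytes 2..   the name
 * Each handler copies the name into a fixed-size stack buffer and returns
 * the number of name bytes accepted, or -1 if the message is rejected.
 */
#define NAME_MAX 32

/* VULNERABLE: the length field is attacker-controlled, yet it is used as
 * the memcpy size without ever being compared to the destination buffer.
 * A peer that sends length > NAME_MAX overwrites whatever sits above
 * `name` on the stack (saved registers, return address). Without a stack
 * protector nothing detects this, which is what "unprotected" means.
 * The demo below deliberately never feeds this handler hostile input. */
int hello_vulnerable(const uint8_t *msg, size_t msg_len) {
    char name[NAME_MAX];
    if (msg_len < 2) return -1;
    size_t declared = ((size_t)msg[0] << 8) | msg[1];
    memcpy(name, msg + 2, declared);        /* unchecked copy */
    return (int)declared;
}

/* HARDENED: bound the copy by the destination size AND by the bytes
 * actually present in the datagram. The second check closes the over-read
 * that would let a truncated message crash the daemon, i.e. the
 * "protocol robustness error leading to denial of service" class. */
int hello_hardened(const uint8_t *msg, size_t msg_len) {
    char name[NAME_MAX];
    if (msg_len < 2) return -1;
    size_t declared = ((size_t)msg[0] << 8) | msg[1];
    if (declared >= NAME_MAX) return -1;    /* must also leave room for NUL */
    if (declared > msg_len - 2) return -1;  /* claims more bytes than were sent */
    memcpy(name, msg + 2, declared);
    name[declared] = '\0';
    return (int)declared;
}

/* Constructed sample messages, each run through a caller-chosen handler. */
int demo_benign(int (*handler)(const uint8_t *, size_t)) {
    const uint8_t msg[] = {0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    return handler(msg, sizeof msg);
}

int demo_oversized(int (*handler)(const uint8_t *, size_t)) {
    uint8_t msg[2 + 200];
    msg[0] = 0x00;
    msg[1] = 200;                 /* declares 200 bytes for a 32-byte buffer */
    memset(msg + 2, 'A', 200);
    return handler(msg, sizeof msg);
}

int demo_truncated(int (*handler)(const uint8_t *, size_t)) {
    const uint8_t msg[] = {0x00, 0x10, 'a', 'b'};   /* says 16, carries 2 */
    return handler(msg, sizeof msg);
}

int main(void) {
    printf("benign:    vulnerable=%d hardened=%d\n",
           demo_benign(hello_vulnerable), demo_benign(hello_hardened));
    /* The vulnerable handler is intentionally not run on the bad inputs:
     * it would corrupt the stack rather than return an error code. */
    printf("oversized: hardened=%d\n", demo_oversized(hello_hardened));
    printf("truncated: hardened=%d\n", demo_truncated(hello_hardened));
    return 0;
}
```

Compiling the vulnerable handler with `-fstack-protector-strong` turns the oversized message into an abort instead of silent control-flow hijack, which is a mitigation, not a fix; the bug is the missing bound check, and the hardened handler is what a code review of a publicly accessible protocol parser should insist on.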
NCSC, which has been reviewing Huawei’s equipment and processes to mitigate any perceived risks to critical infrastructure in the U.K. for almost nine years, concluded that the company has made no progress of late and “is not confident that Huawei is able to remediate the significant problems it faces.” Moreover, the report concludes that “Huawei’s software engineering and cybersecurity competence and associated processes are failing to improve sufficiently.”
The British authorities are also concerned about Huawei’s software lifecycle management and, as such, have “limited confidence in Huawei’s ability to understand the content of any given build or in their ability to perform true root cause analysis of identified issues.” In practice this means a shipped binary cannot be reliably traced back to the exact source code and toolchain that produced it, so neither the vendor nor the evaluator can say with certainty what is running on an operator’s network. Part of the problem stems from Huawei’s use of an “old and soon-to-be out of mainstream support version of a well-known and widely used real time operating system supplied by a third party.” NCSC also concluded that Huawei’s own operating system is subject to many of the same concerning development processes.
Chetan Sharma, founder of Chetan Sharma Consulting, said he is surprised the company hasn’t resolved these issues already. “Given the scrutiny [Huawei] is under right now, they should have put a process in place to fix these things and regain confidence,” he said. “They can fix these problems but if the software processes are not proper in a way that can be validated and vetted you may see the same problems again.”
Government agencies routinely analyze equipment that could impact national security, but it’s rare for the findings to be made publicly available as the U.K. government has done with respect to Huawei, Sharma explained. “Trust is the fundamental issue,” he said. “You can have the best and the greatest software but if you don’t have trust you never win over.”
Regulators in the West are partially to blame for some of the dynamics in the telecom infrastructure market today, according to Sharma. By focusing almost exclusively on access, regulators in the United States neglected the stack above the access layer, including infrastructure, and missed opportunities to shield U.S.-based infrastructure vendors that have since gone out of business or been acquired by foreign entities. “If indeed the policy was about national security, they should have actually regulated as such,” he said.
Daniel Conde, an independent analyst, says the report is the result of politics more than anything else, noting that authorities did not discover any backdoors or suspect code. He questions whether equipment and software from other vendors is better or of higher quality, and said the same standards need to be imposed on all vendors.
“The vendors who also compete, such as Nokia and Ericsson, are not [based in the United States], but we don’t make a big deal about using these non-U.S. vendors,” Conde wrote in an email. “I think people should just insist on secure, high quality software and hardware systems, regardless of where it comes from. And we need ways to properly assess, validate before deployment, and monitor once it’s deployed.”
The British report details how much scrutiny Huawei is under, but other companies don’t face oversight to the same degree. Nonetheless, NCSC says it “continued to find serious vulnerabilities in the Huawei products examined.” It has reported “several hundred vulnerabilities” to U.K. operators to date and concluded that “the character of vulnerabilities has not changed significantly between years” and “there has been little improvement in the objective software engineering and cybersecurity quality of the code.”