A UK government report identifies a flaw of national significance in products from the Chinese company Huawei. The Huawei Cyber Security Evaluation Centre (HCSEC) was set up by the UK government and the tech company to evaluate equipment meant for UK networks.
HCSEC was initiated in 2010. Its purpose has been to reduce any potential harm from using Huawei technologies as part of the country’s critical national infrastructure. This year’s annual report presents a thorough analysis of Huawei’s software, engineering and cybersecurity procedures.
“One of the greatest challenges for HCSEC is the scale and complexity of Huawei’s products. HCSEC’s security analysts would not be able to effectively analyse Huawei equipment without the support of tools to scan the totality of the equipment. Consequently, HCSEC has maintained an on-going programme to develop its toolsets, increasing its technical effectiveness year-on-year,” the report explains.
Huawei Flaw of National Significance Discovered
The security experts discovered “an increasing number and severity of vulnerabilities”. Architectural and build issues are also a concern. If attackers are aware of the flaws and have “sufficient access to exploit them”, they could possibly affect the operation of a UK network, causing it to cease operating correctly.
Overall, Huawei’s approach to software development has created an increased risk to UK operators, requiring ongoing management and mitigation. Unfortunately, only limited assurance exists that all liabilities to UK national security can be mitigated sufficiently in the long-term, the researchers note.
During HCSEC’s analysis this year, a severe flaw of national significance was discovered. When this happens, the security organization reports it to the NCSC (National Cyber Security Centre) and to the company so that the issue can be addressed.
However, finding such a flaw is rare, and in these circumstances the release of full details to Huawei may be delayed so that the UK experts can assess and mitigate the impact. The flaw in question is related to broadband, but experts believe it hasn’t been exploited. Furthermore, “sustained evidence of poor coding practices was found, including evidence that Huawei continues to fail to follow its own internal secure coding guidelines”.
In 2019, the HCSEC team identified severe, user-facing vulnerabilities in fixed access products. These flaws were caused by badly written code and by the use of an old operating system. The telecom company said that it continues significant investment to improve its products, noting that “we have made some progress in improving our software engineering capabilities.”
It is noteworthy that the HCSEC report covers only 2019.