Britain’s spy agency delivers scathing assessment of security risks posed by Huawei

British cybersecurity inspectors have found significant technical issues in Chinese telecom supplier Huawei's software that they say pose new risks for the country's telecom companies.
(Kin Cheung / Associated Press)
Washington Post

The British government on Thursday released a scathing assessment of the security risks that Chinese telecom company Huawei poses to Britain’s telecom networks, as London weighs whether to heed U.S. calls to bar the firm from the next-generation 5G network over fears it will enable spying by the Chinese government and potential cyberattacks.

It focused not on the Chinese state but rather on the engineering and software failings of gear made by Huawei, the world’s largest telecommunications equipment maker. The firm has been present in Britain’s telecom network since 2003.

This is the second consecutive year the Government Communications Headquarters, or GCHQ — the British spy agency equivalent to the U.S. National Security Agency — has identified serious problems. This year, officials said they found “further significant technical issues” in the firm’s engineering processes, as well as continued “concerning issues” in Huawei software, “leading to new risks” in Britain’s 4G telecom networks.


Most ominously, the British spy agency, which oversees a center that vets Huawei hardware and software for bugs and security vulnerabilities, said that it can provide “only limited assurance” that the long-term national security risks can be managed in the Huawei equipment deployed in Britain, and that “it will be difficult” to manage the risk of future products until the current defects are fixed.

The United States has mounted a full-court press to urge partners worldwide to refrain from including Huawei in their 5G networks in coming years. Recently enacted laws in China require Chinese firms, if directed, to assist the government in intelligence collection. National security officials say that the laws, along with Huawei’s ties to the Chinese government and allegations that it has engaged in intellectual property theft, make the company an untrustworthy vendor — one whose access to telecommunications networks could open the door to espionage or perhaps, even worse, disruptive operations.

GCHQ officials seemed to offer Huawei some wiggle room, concluding that “Huawei’s transformation plan” to fix its problems “could in principle be successful,” and cited Huawei’s estimate of three to five years.

However, the government would require evidence of “sustained change,” they said.

The intelligence agency oversees the Huawei Cybersecurity Evaluation Center or “the cell,” a facility in Oxfordshire that belongs to Huawei. The center employs Huawei personnel, but it is run by GCHQ. Its findings are advisory, and the oversight board’s job is not to decide whether Huawei should be barred from the networks.

Still, its findings are likely to influence the 5G strategy that the British government announces this spring. The new 5G network is designed to be as much as 100 times faster than the current 4G system, fueling autonomous cars, smart cities and more effective and potentially lethal military operations, but also opening up new concerns about network cybersecurity and espionage.

“This report’s stark conclusion should give pause to any country considering using Huawei for 5G,” said James Lewis, a cyberpolicy expert at the Center for Strategic and International Studies. “It’s pretty damning for the U.K., a country that has done more than any other to reduce the risks of using Huawei, to say it can’t manage the risk of using future Huawei products.”


Congress last year banned Huawei and another Chinese firm, ZTE, from U.S. government and contractor networks, and the four major telecom providers — AT&T, Verizon, Sprint and T-Mobile — have pledged not to use the firms in their 5G networks.

Australia last year effectively blocked Huawei and ZTE from its future 5G networks by requiring that telecom firms not use vendors that are “likely to be subject to extrajudicial directions from foreign governments that conflict with Australian law” — a strong allusion to the Chinese firms.

Britain is still deciding what its 5G strategy will be. The GCHQ report will inform deliberations. The agency has presented options ranging from mitigation techniques to a full ban on companies such as Huawei. A decision by other ministries and the prime minister is expected this spring.

Huawei, in particular, is said to have close links to Chinese security services. The company was founded in 1987 by Ren Zhengfei, who spent about 20 years in the People’s Liberation Army, serving in a military-technology division, and built the company from a staff of three to a multibillion-dollar behemoth. Ren is alleged to have close ties to the PLA, and Huawei’s former vice chairwoman was an officer in the Ministry of State Security, China’s premier intelligence agency.

Huawei accounts for roughly one-third of the British telecom system’s radio-access components, with Nordic firms Nokia and Ericsson making up the other two-thirds. There are no indications that similar software-engineering issues have arisen with the other two firms.

The Huawei security center opened in 2010, and the oversight board was created in 2014 to address concerns that the center, with its Huawei personnel, was vulnerable to Chinese influence. The center is run by the head of the GCHQ’s National Cybersecurity Center, who also chairs the oversight board.


The report concluded that the center had “significant concerns about vulnerability management in the long term” and that Huawei’s software-component management is defective, “leading to higher vulnerability rates and significant risk of unsupportable software.”

Matthew Green, a computer scientist at Johns Hopkins Information Security Institute, said GCHQ is essentially saying that “Huawei can’t write software to save their lives.” According to the report, he said, the GCHQ cannot even verify that the software running on its 4G LTE cell towers is actually the same software provided by Huawei for source-code review.

A source-code review, he said, “is only worthwhile if the source code scrutinized is actually the same code installed on devices. This is a serious issue.”

The report points to duplicate code, in one case 70 copies of four different versions of OpenSSL software, one of the most commonly used types of software. “This is problematic because some older versions of OpenSSL have vulnerabilities, meaning that the cryptography may not be reliable,” Green said.
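The two findings above, a deployed binary that cannot be tied back to the reviewed source and many embedded copies of several OpenSSL versions, are the kind of thing a vendor-assurance lab checks mechanically. The following is an added example written for this article, not code from the GCHQ report, the HCSEC cell or Huawei: it inventories OpenSSL version strings across a set of constructed sample firmware components and flags any component whose hash does not match a manifest of source-reviewed builds. All file paths, byte blobs and hashes are constructed.

```python
import hashlib
import re

# Constructed stand-ins for firmware components; each may statically embed
# an OpenSSL copy, recognisable by the version banner the library compiles in.
SAMPLE_COMPONENTS = {
    "bin/netmgr":      b"\x7fELF..OpenSSL 1.0.2k  26 Jan 2017\x00..",
    "bin/ssh-agent":   b"\x7fELF..OpenSSL 1.1.1b  26 Feb 2019\x00..",
    "lib/libauth.so":  b"\x7fELF..OpenSSL 1.0.2k  26 Jan 2017\x00..",
    "lib/libtls.so":   b"\x7fELF..OpenSSL 0.9.8zh 3 Dec 2015\x00..",
    "lib/libnossl.so": b"\x7fELF..no crypto library here\x00..",
}

# Constructed manifest of the builds that were actually source-reviewed.
# The reviewed libtls.so was linked against a newer OpenSSL than the one
# found deployed, so its hash will not match.
REVIEWED_SOURCE_BUILDS = dict(SAMPLE_COMPONENTS)
REVIEWED_SOURCE_BUILDS["lib/libtls.so"] = (
    b"\x7fELF..OpenSSL 1.1.1b  26 Feb 2019\x00..")
REVIEWED_HASHES = {path: hashlib.sha256(blob).hexdigest()
                   for path, blob in REVIEWED_SOURCE_BUILDS.items()}

# Matches banners such as "OpenSSL 1.0.2k" or "OpenSSL 0.9.8zh".
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)")


def inventory_openssl(components):
    """Map each embedded OpenSSL version to the components carrying it."""
    found = {}
    for path, blob in components.items():
        for version in sorted(set(VERSION_RE.findall(blob))):
            found.setdefault(version.decode(), []).append(path)
    return found


def count_copies(components):
    """Return (total embedded copies, number of distinct versions)."""
    inv = inventory_openssl(components)
    return sum(len(paths) for paths in inv.values()), len(inv)


def unreviewed_components(components, reviewed_hashes):
    """Paths whose deployed bytes do not hash to a source-reviewed build."""
    return sorted(path for path, blob in components.items()
                  if hashlib.sha256(blob).hexdigest() != reviewed_hashes.get(path))


if __name__ == "__main__":
    print("OpenSSL inventory:", inventory_openssl(SAMPLE_COMPONENTS))
    print("copies, versions:", count_copies(SAMPLE_COMPONENTS))
    print("deployed but not reviewed:",
          unreviewed_components(SAMPLE_COMPONENTS, REVIEWED_HASHES))
```

Against a real image tree the blobs would be read from disk and the manifest produced by the reviewed, ideally reproducible, build; the checks themselves stay the same.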

Huawei officials have repeatedly defended their record, saying that they have not and never will plant “back doors” in their products. However, the presence of serious software flaws could make the systems vulnerable to compromise even without a deliberately planted back door.

Currently, Huawei equipment is not used in Britain’s 4G network core, in government networks or in any sensitive systems that run electricity, transportation or other crucial functions.