Huawei: lessons from the United Kingdom
The UK government released the Huawei Cyber Security Evaluation Centre oversight board's 2018 annual report on 19 July. HCSEC is a Huawei-owned facility, opened in 2010, that was created to address the perceived risks of Huawei's involvement in UK critical infrastructure by evaluating the security of Huawei products used in the UK telecommunications market.
The oversight board was set up in 2014 to assess HCSEC's performance in relation to UK product deployments. It comprises senior representatives from government and the UK telecommunications sector and a senior executive from Huawei.
For those worried about Huawei's involvement in Australia's 5G network, the oversight board's report does not make reassuring reading.
The central concern in the debate over Huawei's participation in Australia's 5G network is that Chinese intelligence services could compel or coerce Huawei to leverage its involvement in critical infrastructure to enable espionage.
China has certainly demonstrated an intent to conduct wide-ranging espionage in Australia. There's now a large body of evidence that China has been behind an array of data breaches, including at the Bureau of Meteorology; the departments of Defence, Prime Minister and Cabinet, and Foreign Affairs and Trade; and the parliamentary email system. But beyond what could be described as 'legitimate' espionage targeting government agencies, there have also been thefts of intellectual property, commercial-in-confidence material and trade secrets for commercial advantage from companies such as BHP, Rio Tinto and Fortescue Metals.
China's intelligence services also have the legal power to compel Huawei to assist them with their intelligence work.
Article 7 of China's National Intelligence Law says that '[a]ll organizations and citizens shall support, assist, and cooperate with state intelligence work according to law', and Article 14 states that national intelligence agencies 'may request that concerned organs, organizations, and citizens provide necessary support, assistance, and cooperation'. In addition, Article 10 says that 'national intelligence work institutions are to use the necessary means, tactics, and channels to carry out intelligence efforts, domestically and abroad'.
I've previously written about how Huawei could be used to enable espionage, with or without Huawei corporate's complicity. Espionage doesn't necessarily require sophisticated 'backdoors': even compelling individual Chinese engineers to assist could give Chinese intelligence services useful access to Australia's 5G network.
This demonstrated intent, combined with the power that Beijing's legal obligations provide, means that Chinese companies like Huawei carry additional supply-chain risk compared with companies from countries without a long history of cyberespionage, or without laws that specifically compel cooperation with intelligence agencies.
On the face of it, the UK approach to mitigating this supply-chain risk through HCSEC, assessing products to reassure ourselves that they operate as expected, seems entirely reasonable. Can't we assess products to make sure they won't be used to spy on us?
The four HCSEC oversight board annual reports (2015, 2016, 2017 and 2018) show that it is very difficult indeed.
On the bright side, the reports have consistently stated that 'HCSEC continues to provide unique, world-class cyber security expertise and technical assurance of sufficient scope and quality as to be appropriate for the current stage in the assurance framework around Huawei in the UK'.
HCSEC is also developing new tools and techniques to better understand security assurance in telecommunications, has found vulnerabilities that Huawei has subsequently remediated, and is actually improving Huawei's basic engineering and security processes and code quality. These efforts have resulted in more secure Huawei products.
Despite all this, the three most recent board reports have noted that HCSEC cannot confirm that what it has been testing matches what Huawei is actually running in the UK: the binaries HCSEC builds from the source code Huawei provides (the source code being the human-readable instructions from which the equipment's software is compiled) cannot be shown to be the same as the binaries deployed in UK networks. So much of the security testing that HCSEC has been doing may be irrelevant to the security of products used in the UK. At this point, the oversight board 'can offer only limited assurance'.
This year's report also indicates that some security-critical third-party software used in Huawei equipment is 'not subject to sufficient control'. The board views this as a possibly significant risk to UK telecommunications infrastructure, mostly because of inconsistent product support lifetimes: a third-party component whose vendor support has ended stops receiving security fixes while the equipment that embeds it stays in service.
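The two findings above, a source tree that cannot be shown to correspond to the deployed binaries and third-party components whose support lifetimes are not under control, amount to a reconciliation problem that an evaluator can check mechanically once the vendor's builds are reproducible. The Python below is an added example written for this page; it is not HCSEC's tooling and not code Huawei ships. The product names, version strings, image bytes, component names and end-of-support dates are all constructed placeholders. It assumes the evaluator has already rebuilt each audited version from the source it was given and recorded the SHA-256 of the resulting image; it then compares images pulled from deployed devices against those digests and flags third-party components that were already past end-of-support on the report date.

```python
import hashlib
from datetime import date

# 19 July 2018, the date the 2018 oversight board report was released; used as "today".
REPORT_DATE = date(2018, 7, 19)


def image_digest(image: bytes) -> str:
    """SHA-256 of a firmware image exactly as it was pulled from a device."""
    return hashlib.sha256(image).hexdigest()


# Digests the evaluator produced by rebuilding each version from the audited source.
# Constructed placeholders: the byte strings stand in for real firmware images.
AUDITED_BUILDS = {
    ("edge-router", "3.1.0"): image_digest(b"edge-router 3.1.0 reproducible build"),
    ("edge-router", "3.2.0"): image_digest(b"edge-router 3.2.0 reproducible build"),
    ("baseband-unit", "7.0.4"): image_digest(b"baseband-unit 7.0.4 reproducible build"),
}

# Third-party software declared in each audited build: (name, version, vendor end-of-support).
# Constructed placeholders, not a real component inventory.
THIRD_PARTY = {
    ("edge-router", "3.1.0"): [("openssl", "1.0.2", date(2019, 12, 31))],
    ("edge-router", "3.2.0"): [("openssl", "1.1.1", date(2023, 9, 11))],
    ("baseband-unit", "7.0.4"): [("rtos-kernel", "4.2", date(2018, 6, 30))],
}

# Images captured from the operator's live network (constructed for the example).
DEPLOYED = [
    ("edge-router", "3.1.0", b"edge-router 3.1.0 reproducible build"),     # matches the audited build
    ("edge-router", "3.2.0", b"edge-router 3.2.0 vendor hotfix build"),    # same version, different bytes
    ("baseband-unit", "7.0.4", b"baseband-unit 7.0.4 reproducible build"),  # matches, but has an EOS component
    ("baseband-unit", "7.1.0", b"baseband-unit 7.1.0 field image"),         # version never given to the evaluator
]


def reconcile(deployed, audited, third_party, today):
    """Classify each deployed image against the evaluator's audited builds.

    Returns a dict with three lists:
      matched     - (product, version) whose deployed digest equals the audited rebuild
      unmatched   - (product, version, reason) where assurance does not carry over to the field
      unsupported - (product, version, component, component_version, end_of_support)
                    for components in a matched build that are past vendor end-of-support
    Component checks are skipped for unmatched images: with no verified correspondence
    to the audited source, the declared component list cannot be trusted either.
    """
    result = {"matched": [], "unmatched": [], "unsupported": []}
    for product, version, image in deployed:
        key = (product, version)
        expected = audited.get(key)
        if expected is None:
            result["unmatched"].append((product, version, "no audited build for this version"))
            continue
        if image_digest(image) != expected:
            result["unmatched"].append((product, version, "deployed image differs from audited build"))
            continue
        result["matched"].append(key)
        for name, comp_version, end_of_support in third_party.get(key, []):
            if end_of_support < today:
                result["unsupported"].append((product, version, name, comp_version, end_of_support))
    return result


def run_example():
    """Run the reconciliation over the constructed data as of the report date."""
    return reconcile(DEPLOYED, AUDITED_BUILDS, THIRD_PARTY, REPORT_DATE)


if __name__ == "__main__":
    summary = run_example()
    for bucket, entries in summary.items():
        print(bucket)
        for entry in entries:
            print("  ", entry)
```

The exact-digest comparison only works when the vendor's build is reproducible, so that the evaluator's rebuild and the factory image are byte-identical. Where it is not, the evaluator is reduced to diffing two different binaries and arguing about whether the differences matter, which is the position the oversight board describes. The run also shows why the two findings compound: a version that was never submitted for evaluation falls into the unmatched bucket, and a version that does match can still carry a component the vendor stopped supporting before the equipment went live.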
Overall, the report describes HCSEC as a high-functioning, world-class security evaluation centre. However, the board cautions that confidence in HCSEC's ability to provide 'long term technical assurance of sufficient scope and quality around Huawei in the UK' is declining because of the 'repeated discovery of critical shortfalls' in 'Huawei engineering practices and processes that will cause long term increased risk in the UK'.
Worse yet, the trend across the four oversight board reports suggests that as HCSEC's capability has improved, confidence that the security evaluation process will sufficiently mitigate the risks has declined: the more HCSEC learned, the less confident the board became.
There is a simple lesson for Australia from the HCSEC oversight board reports: using Huawei in our 5G network will introduce risks that we will find very difficult to mitigate.