Experts overseeing Huawei’s UK cybersecurity centre bemoaned the vendor’s lack of progress in addressing previously exposed flaws in its equipment, and uncovered other issues they said led to further risks.
Despite its criticism of the progress made in fixing the holes, the Huawei Cyber Security Evaluation Centre (HCSEC) oversight board said the issues were due to “poor software engineering and cybersecurity processes” rather than Chinese state interference.
The comments came in the oversight board’s annual report, which discusses the progress made at the HCSEC, a facility founded by Huawei to evaluate products supplied by the company for the UK market.
Findings from the board are submitted to the UK National Cyber Security Centre, which then advises the government.
Its annual report found: “Further significant technical issues have been identified in Huawei’s engineering processes, leading to new risks in the UK telecommunications networks.”
“HCSEC has continued to find serious vulnerabilities in the Huawei products examined. Several hundred vulnerabilities and issues were reported to operators to inform their risk management and remediation in 2018.”
Despite uncovering “severe” vulnerabilities, the group noted most UK operators had controls in place limiting the ability of attackers to exploit them.
In response to the publication of the report, a Huawei representative said the document recognised the effectiveness of the centre and did not suggest UK networks were more vulnerable than in 2017.
The company also noted it was implementing a $2 billion company-wide transformation programme to enhance its software engineering capabilities.
Its representative added the board’s previous report detailed “some concerns about Huawei’s software engineering capabilities. We understand these concerns and take them very seriously. The issues identified in the oversight board report provide vital input for the ongoing transformation of our software engineering capabilities.”
“To ensure the ongoing security of global telecom networks, the industry, regulators, and governments need to work together on higher common standards for cybersecurity assurance and evaluation.”