UK officials tasked with evaluating Huawei’s network security and overall suitability to be a leading 5G partner in its upcoming deployments have released a report on their findings. The UK and Huawei have an agreement in which Huawei’s compliance with security standards is monitored by the Huawei Cyber Security Evaluation Centre (HCSEC). This organization is overseen by the HCSEC Oversight Board, which authored this most recent report. Their conclusions are quite negative — but they may also finally shed some light on why Huawei has been such a divisive topic over the past few years.
Warnings about Huawei’s security practices began during the Obama administration but ramped up after President Trump took office. What’s been missing from those reports, however, was any firm technical sense of why Huawei’s equipment and software were to be avoided. Did the equipment contain backdoors or other forms of spyware? One of the regular topics around the ExtremeTech water cooler has been the degree to which the government’s consistent-but-vague warnings reflected actual security concerns. In the interests of disclosure: I’ve tended to think the government probably did have reasons it wasn’t willing to publicly disclose. If the UK report reflects the US experience, there are definitely issues to be solved.
In its report, the HCSEC OB states that “Further significant technical issues have been identified in Huawei’s engineering processes, leading to new risks in the UK telecommunications networks” (emphasis original). It also states that Huawei has made no progress towards resolving any of the critical security issues identified in the previous year. As a result, the Oversight Board writes that it would be “inappropriate to change the level of assurance from last year or to make any comment on potential future levels of assurance.”
The report goes on to state that the OB has seen nothing that would give it confidence that Huawei can address these issues. While the company has proposed a plan for doing so, the UK doesn’t have confidence in its ability to execute said plan. As a result:
“the Oversight Board can only provide limited assurance that all risks to UK national security from Huawei’s involvement in the UK’s critical networks can be sufficiently mitigated long-term.” (emphasis original)
So What’s the Problem?
The HCSEC OB identified multiple key issues. According to the report, Huawei cannot provide software builds that demonstrate binary equivalence across its product lines. It can’t demonstrate that issues that arise in one build are properly solved in the next through “the normal operation of a sustained engineering process.” It cannot provide end-to-end assurance that a particular source code set is precisely the one used to build a particular binary. Its configuration management tools are not consistently used across its various product families, preventing it from guaranteeing end-to-end security. VM configuration when starting builds is poor and the builds are not clean. Configuration management of the build environment is poor-to-nonexistent, with no consistent deployment of toolchain support. Configuration management of source code is poor:
“Secondly, the integration into the overall product architecture is very poor, with multiple copies and versions of components, apparently identically versioned components containing significant differences, circular dependencies between components and some components regressing in version between overall product increments.”
Huawei continues to rely on an old and very nearly outdated RTOS (Wind River VxWorks 5.5, an OS that debuted in 2002). Huawei purchased an extended license for VxWorks 5.5, but that license expires in 2020. Huawei has developed its own OS to replace VxWorks 5.5, but the HCSEC notes:
“Huawei’s own equivalent operating system is subject to many of the same Huawei development processes as other components and NCSC currently has insufficient evidence to make a judgement on the software engineering quality and cyber security implications of this component. Furthermore, it employs more modern memory and security models and so integration with the existing product running on the operating system brings risk. This means that moving to this real time operating system may not improve the situation long-term, while bringing integration risk to the UK operators… However, NCSC remains concerned about the time elapsed since discovery of this issue without a credible plan being presented.”
HCSEC has conducted a trend analysis of the various fixes and patches Huawei has provided and found them to be inadequate, with the final code demonstrating a “significant number of major defects.” When asked to present a plan for how to address the continued existence of these problems, whatever Huawei came up with was judged to be inadequate. The NCSC (National Cyber Security Centre, which contributed to the report) has stated, however, that it believes the defects that riddle Huawei’s equipment — and the report is quite damning in this regard — are not the result of “Chinese state actor interference.”
In short, Huawei isn’t trying to riddle its software or hardware with secret back doors, but it’s also really, really bad at security. That’s not a conclusion that’s hard to fathom, particularly given how many companies have been hit by security breaches or had their own poor practices exposed.