China’s Huawei Technologies has failed to convince British security officials that the security risks of using its products in UK national infrastructure can be adequately managed, according to a government report released on Thursday.
A government-led board that oversees the vetting of Huawei gear in Britain said continued problems with the company’s engineering and security practices meant it could only give “limited assurance” that all risks to UK networks could be sufficiently mitigated long-term.
The board –- which includes officials from Britain’s GCHQ signals intelligence agency — said Huawei had only made limited progress addressing issues raised last year and it had no confidence in the company’s ability to complete a previously-announced cybersecurity overhaul.
Huawei has repeatedly denied the allegations and said on Thursday the British assessment showed equipment vulnerabilities were not a result of “Chinese state interference.”
“The report acknowledges that while our software transformation process is in its infancy, we have made some progress in improving our software engineering capabilities,” a company spokesman said.
After initially granting Huawei a limited role in the UK’s 5G infrastructure, Prime Minister Boris Johnson reversed that decision in July, ordering all of the company’s equipment to be purged from national networks by the end of 2027.
The reason given for the about-turn was the impact of new US restrictions on chip technology, which Britain’s National Cyber Security Centre (NCSC) told ministers meant Huawei was no longer a reliable equipment supplier.
Officials said the latest report, which is produced annually as part of the government’s procedure for vetting Huawei equipment used in the UK, looked at events in 2019 and did not relate to the subsequent impact of the sanctions.
Increased vetting meant the number of vulnerabilities identified in Huawei equipment in 2019 rose significantly compared to the previous year, the report said, including one issue with the company’s broadband products that was deemed to be of “national significance.”
The board said it was not aware of any of the vulnerabilities being exploited by nation-state hackers but the weaknesses nevertheless presented a serious risk.
“If an attacker has knowledge of these vulnerabilities and sufficient access to exploit them, they may be able to affect the operation of a UK network, in some cases causing it to cease operating correctly,” the report said.
“These findings are about basic engineering competence and cyber security hygiene that give rise to vulnerabilities that are capable of being exploited by a range of actors,” it added.
“NCSC does not believe that the defects identified are a result of Chinese state interference.”