Huawei seeks 5 years to fix security issues red-flagged by NCSC
11 February 2019
Huawei has informed the UK Parliament’s Science and Technology Select Committee that it will need up to five years to resolve a set of security issues in equipment deployed in the UK that were highlighted by the Huawei Cyber Security Evaluation Centre (HCSEC).
Resolving these issues may also require up to $2 billion (£1.54 billion) in investments from Huawei to “comprehensively improve” its software engineering capabilities and to prepare for a complex security environment in the future.
Last year, the National Cyber Security Centre announced that its Huawei Cyber Security Evaluation Centre (HCSEC), which was set up to monitor equipment deployed by Huawei in the UK and to ensure transparency between Huawei, the government and operators, had flagged a range of security issues in the company’s hardware.
“The National Cyber Security Centre is committed to the security of UK networks, and we have a regular dialogue with Huawei about the criteria expected of their products. As was made clear in July’s HCSEC oversight board, the NCSC has concerns around a range of technical issues and has set out improvements the company must make,” said a government spokesperson.
Following NCSC’s announcement, Huawei pledged to spend at least £1.5 billion to address such concerns and to ensure its continued participation in the UK’s 5G network trials.
Huawei promises comprehensive improvement for its software
Recently, in a letter addressed to the Commons Science and Technology Committee, Ryan Ding, President of Huawei’s Carrier Business Group, said that his company would invest up to £1.54 billion over the next five years to “comprehensively improve” its software engineering capabilities and to prepare for a complex security environment in the future.
“Cyber security remains Huawei’s top priority, and we will continue to actively improve our engineering processes and risk management systems. At our most recent board meeting, we officially signed off on a companywide transformation programme for our software engineering capabilities.
“The company will initially invest US$2 billion over the next five years to comprehensively improve our software engineering capabilities. This will help ensure that our products are better prepared for a more complex security environment both now and in the future.
“This programme is part of a broader effort to redesign our Integrated Product Development process. Technology and networking environments are evolving. Customer and societal expectations for technology are evolving too, as are regulatory requirements. In recognition of these changes, we too are evolving our processes,” he wrote.
Ding added that banning Huawei’s products from networks would be counter-productive and would only serve to create a false sense of security. This is because only one-third of materials used to make Huawei products are sourced in China and the ICT supply chain depends on materials from dozens of countries.
He emphasized that all major telecom equipment vendors have R&D and manufacturing centres in China and their products are heavily deployed across the world, including in the Five Eyes countries, namely the United States, the UK, Canada, Australia, and New Zealand.
Equipment vendors are not threats themselves but are the first line of defence against bad actors who seek to exploit vulnerabilities in networks, he added. Regulatory policy should therefore encourage equipment vendors and operators to transparently share cyber-security-related information and jointly safeguard cyber security.
Huawei won’t assist Chinese agencies in intelligence gathering in the UK
The Commons Science and Technology Select Committee had previously asked Huawei to explain to what extent the company could be compelled to assist Chinese intelligence agencies in gathering intelligence in the UK using the company’s software/hardware deployed in the UK.
In response, Ding said that none of the Chinese laws, such as the Counterespionage Law, the Anti-Terrorism Law, the Cyber Security Law, the National Intelligence Law, and the State Security Law, empower Chinese government agencies to plant backdoors, eavesdropping devices or spyware in telecommunications equipment.
“We would like to reiterate that Huawei has never received any such requests, and in the event that we did receive this type of request, we would categorically refuse to comply with it. Huawei is an independent company, and customer-centricity lies at the heart of all we do.
“We would never compromise or harm any country, organisation, or individual, especially when it comes to cyber security and user privacy protection. This includes the UK,” he added.