Huawei hasn't yet fixed its security vulns, says UK's NCSC overseers

Huawei has not showed British government overseers a "credible plan" for dealing with security shortcomings flagged in a report issued last year, the technical director of the National Cyber Security Centre (NCSC) has said. Dr Ian Levy of GCHQ's cyber arm told the world’s press at a briefing that the Chinese network equipment …

  1. Kurgan

    Different issues

    So, what's the real issue? Is it just poor security (as the report seems to suggest) or fear of Chinese government backdoors?

    1. Anonymous Coward

      Re: Different issues

      One issue I've seen with my own eyes is that Huawei kit in general insists on IP header compression, which isn't supported by some legacy chipsets still in active use. Hardly a threat to national security, though.

    2. John Robson Silver badge

      Re: Different issues

      Completely different, but most people won't see that.

      Headline is that we don't use it.

      I wonder, do we have a source code viewing arrangement with the other suppliers of said kit? Or do we just know about these potential weaknesses because that's where we looked?

    3. Paul Crawford Silver badge

      Re: Different issues

      In a sense they are the same - if a company has piss-poor software quality and no credible plan to fix it then you just know there are lots of known bugs waiting to be exploited.

      In that sense the Chinese don't need to put in any "back door" code if the windows, air vents, gutters and skylight windows are secured by wet string (or your nearest equivalent) and are well known to their secret service.

      1. Anonymous Coward

        Re: Different issues

        Yes, but the question is, are there really security issues or is this something political? And, do the same or similar issues exist in competing products?

        1. Paul Crawford Silver badge

          Re: Different issues

          On a technical level they may be the same, but given the lack of any information about it actually being used, and the known information about the NSA bugging US equipment, the current brouhaha is more likely political/economic than an actual security issue.

    4. jmch Silver badge

      Re: Different issues

      "So, what's the real issue? Is it just poor security (as the report seems to suggest) or fear of Chinese government backdoors?"

      They're looking for Chinese backdoors, but can't find any.

      So they're grabbing on to any security flaw they can find to use as an excuse for blacklisting Huawei kit. Of course other vendors might or might not have similar security flaws, and should be getting the same in-depth scrutiny. And of course the REALLY pertinent security question is, are they looking for *American* backdoors in other vendors' kit?

  2. Anonymous Coward

    Hardly a threat to national security, though.

    But a few things like this can be dressed up to "justify" a Huawei ban and appease the Yanks. Germany might have a government capable of thinking for itself, the British government....well, not capable of any form of intelligent thought.

    1. Anonymous Coward

      so, here's the truth!

      https://www.nzherald.co.nz/politics/news/article.cfm?c_id=280&objectid=12205495

      "GCSB spy chief says no Five Eyes pressure in decision to block Huawei"

      20 Feb, 2019 10:32am

      "GCSB spy chief Andrew Hampton has given an assurance to MPs on the Intelligence and Security Committee that he was not pressured by Five Eyes intelligence partners in a preliminary decision about Spark's plans for the 5G network - effectively blocking Huawei"

      By: Audrey Young, Political editor, NZ Herald

      Well Audrey, and Dr GCHQ, UK half-in/half-out...probably fully-out in 40 days or so, CANADA arrests the daughter, AUSTRALIA bans the 'merch, AMERICA does what it likes, and NZ follows meekly with "no-pressure"

      that's the 'truth', OK

      1. Yes Me Silver badge

        Re: so, here's the truth!

        Yeah, well, I don't know what definition of "no pressure" he was using. Something like this perhaps: "Andrew, look, no pressure buddy, but we think the boys in Langley would be really, really pleased if you banned f***ing Huawei. And really, really annoyed if you didn't."

  3. Scott Broukell

    Well I don't think I will rest until every single piece of UK telecoms / internet equipment is henceforth manufactured, to be as hard as nails, anywhere from, say, Wolverhampton northwards, in the factory of some fella by the name of e.g. Braithwaite, by folk that are all as hard as nails, with each item sporting a heavily embossed British Standards Kite mark on each side. That way we will know what we are dealing with.

  4. Anonymous Coward

    Credible plan for dealing with security shortcoming?

    “Huawei has not showed British government overseers a “credible plan” for dealing with security shortcomings flag[g]ed in a report issued last year” theRegister

    How about hiring on someone full time to test the software for security vulnerabilities.

    “The Royal United Services Institute, a military-themed think tank with close links to the government, described the use of Huawei network equipment in the UK as “at best naive, at worst irresponsible” in a paper it issued today. It based this conclusion on new Chinese laws that allow the Communist state to compel its citizens to co-operate with its spies.” theRegister

    “The German, French, Spanish and Swedish intelligence services have all developed methods of mass surveillance of internet and phone traffic over the past five years in close partnership with Britain's GCHQ eavesdropping agency. The bulk monitoring is carried out through direct taps into fibre optic cables and the development of covert relationships with telecommunications companies.” Guardian

    1. Yes Me Silver badge

      Re: Credible plan for dealing with security shortcoming?

      RUSI seems to be some sort of Dad's Army reunion, no? They know even less about network security than I do, I suspect. But they have a good quota of xenophobe paranoids, apparently.

  5. Anonymous Coward

    A cynic would ask...

    ...what backdoor code does the UK firmware require to be acceptable?

    1. stiine Silver badge

      Re: A cynic would ask...

      Probably code that they've licensed from Cisco, which means that Huawei can't use it.

  6. Ole Juul

    Old hat

    ". . . new Chinese laws that allow the Communist state to compel its citizens to co-operate with its spies."

    And how exactly is this different from the USA National Security Letters? (Other than that the US version is almost 20 years old now.)

    1. John Mangan

      Re: Old hat

      ...and I'm sure no other Western democracies have any similar powers either.

      Shit! I nearly ruptured a bowel trying to keep a straight face typing that.

  7. Anonymous Coward

    How much hypocrisy can the UK government pack into one statement?

    So....the other guys are "bad guys", but we wouldn't ever do any of that spying stuff!

    - https://www.theguardian.com/uk-news/2018/sep/21/british-spies-hacked-into-belgacom-on-ministers-orders-claims-report

    More generally, western countries have subcontracted almost all computer manufacturing to China for many years......because it's CHEAPER than doing it at home. And now we have governments (responsible for industrial policy at home) whining because the Chinese have learned a thing or two from the outsourcing experience!!!

    And this industrial policy point doesn't just apply to computers and electronics. Take a day off and visit the excellent RAF Museum in Cosford. I enjoyed my visit, and while I was there counted at least ten brands of British aircraft (built in the UK)....now long gone -- Gloster, English Electric, Short Brothers, Hawker, Fairey, de Havilland, Avro, Vickers, Bristol, Supermarine.....

    So when it comes to industrial policy, CHEAP or CONVENIENT seems to trump SELF-SUFFICIENCY. And afterwards (and maybe a LONG TIME afterwards) we get the pathetic whining when the policy comes back to bite us......as with Huawei!!

  8. HmmmYes

    Oh the Chinese princelings have given up on ripping off Cisco and the like, and selling their stolen IP to the West.

    They are all speculating on property with huge sums of debt.

  9. Aye

    Does Cisco have enough security code? NSA used to hack Cisco's firewall to hack EU ministers in 2014.

    Has Huawei ever done that?

    Huawei is as risky as American products.

  10. TheBat

    The Borg - aka USA

    Don’t forget that Osama Bin Laden evaded capture simply by not using computers

  11. Anonymous Coward

    Has anyone actually read the original report from HCSEC?

    It turns out the report highlights issues with Huawei's engineering processes, use of old software here and there, code equivalency errors, etc. This is, at worst, sloppy. Some western companies have been found to be in a worse state in the past yet no-one cared. Huawei must get its house in order no doubt, but if anything these items represent risks which must be mitigated to the degree required by each end user/consumer/customer. No other company in the industry is remotely required to undergo the level of scrutiny these guys are. Is there a risk that a multi-billion dollar with double-digit growth YoY company would risk its entire future in exchange for spying for the Chinese gov? Well yes, in the same way there's a risk a c*ck-shaped meteorite lands on my backyard right this instant and saves me from having to hear the USA contingent look stupid at MWC trying to dig out dirt on these guys.

    Facebook has been found to allow companies to mass download and exploit user data, Purestorage settled a lawsuit with EMC for IP theft a few years back, US telcos have just been found guilty of selling location information to bounty hunters... you get the picture, there are no saints.

    Control the guys? Yes. Keep a short leash on them? Yes. Exclude from 5G overall? Sounds stupid. Exclude from CNI/secret gov/GCHQ stuff? Of course. It's called common sense.
