Rebuking Huawei’s claim that it is a harmless provider of consumer telecommunications services, British cybersecurity specialists on Thursday ruled that the firm’s inclusion in 5G network facilitation would be dangerous.
This supports active U.S. efforts to exclude Huawei from global 5G networks. China is aggressively resisting the U.S. on this, because Huawei is its primary intended proxy for cyberespionage in the 21st century.
But this report, under the auspices of Britain’s NSA equivalent, is especially important for two reasons. First, because it comes from the NSA’s top foreign partner and some of the world’s top cybersecurity experts. Second, because it represents forensic insight into how China would use Huawei to conduct espionage operations.
The report’s takeaway is clear: It offers only “limited assurance that all risks to UK national security from Huawei’s involvement in the UK’s critical networks can be sufficiently mitigated long-term.” This is thanks to “significant technical issues in Huawei’s engineering processes.” Specifically, Huawei has failed to embrace “universally applied… configuration item types (source code, build tools, build scripts etc). Without good configuration management, there can be no end-to-end integrity in the products as delivered by Huawei.”
The report adds that even where Huawei has been told specifically how to close down these backdoors, its product “continues to demonstrate a significant number of major defects. The NCSC therefore remains concerned that Huawei’s software engineering and cyber security competence and associated processes are failing to improve sufficiently.” With typical British understatement, the report notes that this is exacerbated because of “the currently unknown trajectory of Huawei’s [research and development] processes.”
Of course, Huawei’s failure to resolve identified issues is not coincidental. It reflects the Chinese government’s interest in creating backdoors in hidden cyber-telecommunications spaces that will allow Chinese intelligence collection in the future. The report hints as much by asserting that
The number and severity of vulnerabilities discovered, along with architectural and build issues, by the relatively small team… is a particular concern. If an attacker has knowledge of these vulnerabilities and sufficient access to exploit them, they may be able to affect the operation of the network, in some cases causing it to cease operating correctly. Other impacts could include being able to access user traffic or reconfiguration of the network elements.
No excrement, Sherlock.
Here, “access user traffic or reconfiguration of the network elements” should translate as “use 5G network access to turn the network or significant elements therein into one big Chinese signal intelligence targeting and collection program. But the report shows that China is trying to be crafty: fixing limited issues to gain a pretense of concern for western security, but simultaneously creating new backdoors.
Fortunately, this report shows the gambit is failing. Reports like this one will help the U.S. and U.K. educate their allies as to the risks of entertaining Huawei’s sour claim of mutual interest. Huawei is a Chinese intelligence cutout in foundation, intent, and action. It must be restricted as such.