Security concerns but no evidence of spying tied to Chinese vendor, says UK cyber spy chief

The security risks posed by using Huawei kit in 5G telecoms networks can be managed, according to UK cybersecurity chiefs.

Ciaran Martin, chief executive of the UK’s National Cyber Security Centre (NCSC), the assurance division of GCHQ, told journalists on Wednesday that the NCSC has not seen any evidence of malicious activity by Huawei, even though it remains on the lookout.

“I would be obliged to report it if there was evidence of malevolence by Huawei but we’re yet to do that,” Martin explained, adding that a recent alert on alleged Chinese state-sponsored cyber espionage had relied on weak corporate security rather than backdoors in any telecoms kit.

Last year, the NCSC publicly attributed some attacks on UK networks, including telecoms networks, to Russia.

“As far as we know, those networks didn’t have any Russian kit in them, anywhere,” Martin told delegates at the CyberSec conference in Brussels, Belgium.

“The techniques the Russians used to target those networks were looking for weaknesses in how they were architected and how they were run.”

“In the 1,200 or so significant cybersecurity incidents the NCSC has managed since we were set up, the country of origin of suppliers has not featured among the main causes for concern in how these attacks are carried out,” he added.

Huawei 5Eyes

Britain’s closest intelligence partners including the US, Australia, and New Zealand had barred the use of Huawei kit in critical national infrastructure networks over fears the vendor could aid spying by the Chinese state.

Huawei allegedly attempted to steal trade secrets from telecoms service providers and equipment suppliers through an employee bonus program and other sketchy tactics. Asked about this point, Martin said questions about criminal accusations against Huawei should be referred to US authorities.

The UK has strict controls on how Huawei’s technology is deployed. For example, Huawei’s telecoms equipment is not approved for use in UK government networks.

A technology centre staffed by NCSC workers has access to and audits Huawei’s equipment, a regime not in place for Huawei’s few 5G telecoms equipment supplier rivals such as Cisco and Ericsson.

The regime is arguably the toughest and most rigorous oversight in the world for Huawei, according to Martin.

Last July, the NCSC-led Oversight Board downgraded the assurance it provided to the UK government on mitigating the risks associated with Huawei because of “serious problems with their security and engineering processes”.

These issues stemmed from failure to adhere to best practice and cybersecurity standards rather than anything malign.

Huawei has accepted these findings and offered a “letter of intent” to improve its infosec over the next three to five years but the NCSC has not yet seen a “credible plan” to address its concerns, according to NCSC’s technical director Ian Levy.

In response to a follow-up question on this point, Martin said the NCSC “will not compromise on the improvements we need to see from Huawei”.

This doesn’t sound promising for Huawei but one chink of light comes from the UK’s requirement for supplier diversity as one criterion for selecting 5G kit.

Martin stressed that there’s been no UK decision on 5G deployment as yet. This decision will be made by UK ministers at the end of an ongoing review that is considering economic and quality of service issues as well as security concerns.

“Everything is on the table,” Martin concluded. “Contrary to some reports, no decisions have been taken.”

The 5G review being carried out by the Department for Digital, Culture, Media & Sport (DCMS) is expected to conclude in spring this year.

Higher standards of cybersecurity across the entire telecommunications sector are needed, Martin said, adding that resilience was a key factor.

Independent experts argued that telecoms equipment from any supplier needs to be carefully audited.

Brian Honan, infosec consultant and founder of Ireland’s CSIRT, commented: “All equipment, not just from Huawei, should be risk assessed and managed accordingly. Naive to think China may be the only nation state that may take advantage of domestic communications manufacturers.”

A blog post by the NCSC’s Ian Levy, entitled ‘Security, Complexity and Huawei; protecting the UK’s telecoms networks’, sets out the agency’s approach to assurance from a technical perspective.
