2 min read

Huawei's embarrassing HCSEC security report card

At the New Zealand Herald Juha Saarinen writes about the HCSEC report in The real reason Huawei shouldn’t be in 5G networks:

“The report from oversight board for Britain’s Huawei Cyber Security Evaluation Centre (HCSEC) makes it clear that clever, secret backdoors in the Chinese company’s equipment is the least of anyone’s worries.

“Instead, it’s old, unsafe and bug-infested software, bad coding practices, and little or no effort by Huawei to sort out some seriously deficient processes and practices.”

Overnight, Huawei’s status went from clever enough spy on networks undetected to bungling clowns.

The report is damning. It’s not about a few weak points here and there. Bad code run through Huawei’s software like the word Blackpool in a stick of seaside rock.

The UK has known this for seven years.

Bad software is everywhere

On one level it’s not a surprise. Poorly-written software is common. It runs the world.

Some of the best-known software names have or had dodgy code including Microsoft and IBM. Enterprise software often holds together with digital chewing gum and paper clips.

Shoddy software lies behind most computer security problems. Attackers find and exploit holes in poor code.

Critical infrastructure

That’s the problem with Huawei. Its network products are part of critical infrastructure. Criminal or hostile-state-controlled coders could find their way into those networks.

Huawei network kit has always looked advanced compared with rival brands.

The NATO Cooperative Cyber Defence Centre of Excellence underlines this:

“It is currently the only company that can produce ‘at scale and cost‘ all the elements of a 5G network, with its closest competitors Nokia and Ericsson not yet able to offer a viable alternative.”

Now it looks like Huawei cut too many corners to get out in front.
The HCSEC report is a wake up call.

Hopefully everyone watching is getting their own house in order. Experience suggests otherwise.

Fixing the mess

In theory, Huawei can fix this mess. It has acknowledge the report and says it will spend $2 billion in a programme to fix the problems.

The UK’s National Cyber Security Centre isn’t confident that will happen. It also fears any fixes that Huawei makes may not make their way into products used in networks.

Huawei has had seven years to fix problems. It’s done nothing.

Last year the National Cyber Security Centre warned the company. According to the report, Huawei made “no material progress” on identified problems.

The HCSEC oversight board say it wants to see “sustained evidence” of better software engineering and cyber security “quality” before it gives Huawei a tick.

HCSEC report not about spies

None of the flaws found in Huawei’s offering is to do with Chinese state intelligence.

That was the reason for setting up HCSEC in the first place. It’s why Huawei faces more scrutiny than other equipment suppliers.

That poses an interesting thought: How would Huawei’s rivals look if they were subject to similar investigation? Until then, there’s no logical reason to assume they are any better.