Huawei has caved in to demands by UK security officials to address serious risks found in its equipment and software in an attempt to avoid being shut out from future 5G telecoms networks.
At a meeting this week between Huawei executives and senior officials from GCHQ's National Cyber Security Centre, the Chinese telecoms provider agreed to a series of technical demands which will change its practices in the UK, according to two people with knowledge of the discussions.
Huawei has also agreed to write a formal letter to the NCSC outlining the company’s agreement to urgently address the issues, first raised in a critical report in July by an oversight board which monitors the testing of the company’s kit before approving it for use in UK networks.
The move comes after the US government stepped up efforts to persuade western allies to shun the world’s biggest telecoms provider when upgrading services to new, fifth-generation technologies, amid fears over cyber espionage.
Senior UK security officials have repeatedly stressed that their concerns are related to technical deficiencies and not the company’s Chinese origins.
But the arrest on US sanctions-busting charges of Meng Wanzhou, the daughter of Ren Zhengfei, founder and chief executive of the Chinese telecoms group, last weekend has only raised the international pressure on the UK to take a tougher line.
The commitment by Huawei to appease the UK’s concerns reflects the need for the Chinese group to tackle concerns where it can amid intense scrutiny of its business by western security organisations. It also represents a major coup for the government as it would require a significant shift in Huawei’s business practices.
Western security chiefs have been unusually vocal in recent days to highlight concerns over Chinese technology groups. Alex Younger, head of MI6, the British intelligence service, said the UK faced a tough decision over whether to allow Huawei to supply technology for its 5G network.
Huawei has been slow to react to the concerns raised in the July report that highlighted “shortcomings” in the Chinese telecoms equipment provider’s engineering processes that exposed British telecoms networks to risks. It also identified long-term challenges in mitigation and management of those risks.
The issues raised include the use of out of date open source software developed by third parties that remained in the code used in some of Britain’s networks. Old software can be vulnerable to cyber attacks.
A wider issue relates to the way that Huawei develops code and equipment, according to multiple people that have used the Chinese company’s kit. Huawei distributes the development of its equipment across multiple teams to speed up the process and reduce the chances of technology being stolen.
That system has served Huawei well as it has grown but has become an issue for governments looking for clearer lines of accountability when auditing equipment.
John Delaney, an analyst with IDC, said that Huawei appears to have responded to the pressure.
“It [HUAWEI]is now the incumbent in the UK and it clearly wants to stay there,” he said. “It makes sense for them to at least pay lip service or to put in place tangible procedures to appease those concerns. They won’t want the contagion to spread to other countries.”
Huawei said that the oversight board report “identified some areas for improvement in our engineering processes. We are grateful for this feedback and committed to addressing these issues. Cyber security remains Huawei’s top priority, and we will continue to actively improve our engineering processes and risk management systems”. The NCSC declined to comment. - Financial Times