Some interesting bedtime reading …
Highlighting mine…
- The Oversight Board has now completed its fifth full year of work. In doing so
it has covered several areas of HCSEC’s work over the course of the year. The
full details of this work are set out in Part II of this report. In this summary, the
main highlights are:
i. New secure premises for HCSEC completed - the previously reported
acquisition of new premises for HCSEC had experienced some
commercial delays, but has now completed successfully and the new
facilities are fully operational;
ii. The NCSC Technical Competence Review found that the capability
of HCSEC has improved in 2018, and the quality of staff has not
diminished, meaning that technical work relevant to the overall mitigation
strategy can be performed at scale and with high quality;
iii. The fifth independent audit of HCSEC’s ability to operate
independently of Huawei HQ has been completed, with – again – no
high or medium priority findings. The audit report identified one low-rated
finding, relating to delivery of information and equipment within agreed
Service Level Agreements. Ernst & Young concluded that there were no
major concerns and the Oversight Board is satisfied that HCSEC is
operating in line with the 2010 arrangements between HMG and the
company;
iv. Further significant technical issues have been identified in
Huawei’s engineering processes, leading to new risks in the UK
telecommunications networks;
v. No material progress has been made by Huawei in the remediation
of the issues reported last year, making it inappropriate to change the
level of assurance from last year or to make any comment on potential
future levels of assurance.
… and …
- The key conclusions from the Oversight Board’s fifth year of work are:
i. In 2018, HCSEC fulfilled its obligations in respect of the provision of
software engineering and cyber security assurance artefacts to the
NCSC and the UK operators as part of the strategy to manage risks to
UK national security from Huawei’s involvement in the UK’s critical
networks;
ii. However, as reported in 2018, HCSEC’s work has continued to
identify concerning issues in Huawei’s approach to software
development bringing significantly increased risk to UK operators,
which requires ongoing management and mitigation;
iii. No material progress has been made on the issues raised in the
previous 2018 report;
iv. The Oversight Board continues to be able to provide only limited
assurance that the long-term security risks can be managed in the
Huawei equipment currently deployed in the UK;
v. The Oversight Board advises that it will be difficult to appropriately
risk-manage future products in the context of UK deployments, until
the underlying defects in Huawei’s software engineering and cyber
security processes are remediated;
vi. At present, the Oversight Board has not yet seen anything to give it
confidence in Huawei’s capacity to successfully complete the
elements of its transformation programme that it has proposed as a
means of addressing these underlying defects. The Board will require
sustained evidence of better software engineering and cyber security
quality verified by HCSEC and NCSC;
vii. Overall, the Oversight Board can only provide limited assurance that
all risks to UK national security from Huawei’s involvement in the
UK’s critical networks can be sufficiently mitigated long-term.
… of course there is a response from Huawei …
… putting a rather different emphasis on the report to how I read it.
The 2019 OB report again recognises the effectiveness of the HCSEC. As the report says, “The oversight provided for in our mitigation strategy for Huawei’s presence in the UK is arguably the toughest and most rigorous in the world. This report does not, therefore, suggest that the UK networks are more vulnerable than last year.”
The 2019 OB report details some concerns about Huawei’s software engineering capabilities. We understand these concerns and take them very seriously. The issues identified in the OB report provide vital input for the ongoing transformation of our software engineering capabilities. In November last year Huawei’s Board of Directors issued a resolution to carry out a companywide transformation programme aimed at enhancing our software engineering capabilities, with an initial budget of US$2bn.
A high-level plan for the programme has been developed and we will continue to work with UK operators and the NCSC during its implementation to meet the requirements created as cloud, digitization, and software-defined everything become more prevalent. To ensure the ongoing security of global telecom networks, the industry, regulators, and governments need to work together on higher common standards for cyber security assurance and evaluation.
Fun times indeed …