UK intelligence officials forced Chinese telecoms firm Huawei to fully rewrite the code and security for a product used in the country's broadband networks after poor-quality and out-of-date systems caused a vulnerability of national significance last year, it was revealed on Thursday.
Britain's National Cyber Security Centre, part of signals intelligence agency GCHQ, intervened after the UK's telecoms companies were forced to take extraordinary action to resolve the vulnerability before it triggered a major incident such as a network outage or cyber attack. An attempt by Huawei to fix the problem then introduced a separate major issue into its broadband product.
Details of the intervention were made public in the annual report by the UK's Huawei monitoring body, which seeks to mitigate the risk posed by the involvement of the Chinese company in parts of the UK's critical national telecoms infrastructure.
Its publication comes three months after the UK banned British telecoms operators from installing new equipment made by the Chinese company from 2021 and announced the phasing out of Huawei kit from its existing 5G mobile telephone networks over the next seven years.
That move, which followed new US sanctions blocking the Chinese company's access to American chips, marked a major U-turn for the British government, which had previously decided to grant Huawei a limited role in future 5G networks.
The report by the Banbury-based Huawei Cyber Security Evaluation Centre is likely to heap yet more pressure on a company already facing intense political scrutiny from the US and its western allies.
Focusing on technical deficiencies in existing equipment used, the report issued an explicit warning on the potentially devastating impact on the security of the UK's telecoms infrastructure unless they were fixed.
"If an attacker has knowledge of these vulnerabilities and sufficient access to exploit them, they may be able to affect the operation of a UK network, in some cases causing it to cease operating correctly. Other impacts could include being able to access user traffic or reconfiguration of the network elements," the oversight board said.
The board also warned that due to the US sanctions, issued in August, and the poor quality of Huawei's software, managing the security risks of new equipment from the Chinese company would be more difficult.
The US administration has consistently warned Downing Street that allowing Huawei into UK networks risks giving Beijing a backdoor to spy on British communications.
The NCSC stressed that, to the best of its knowledge, the vulnerabilities it identified had not been exploited by hackers and were the result of poor engineering rather than any interference by the Chinese state.
However, there is frustration within government that Huawei has not done more to improve the quality of its products at a time when its technology is subject to international scrutiny. Among the Five Eyes intelligence-sharing alliance of the UK, US, Canada, Australia and New Zealand, all except Canada have now formally blocked Huawei from their 5G networks.
Huawei pledged last year to spend $2bn over a five-year period to appease concerns about the quality of its legacy code and its engineering practices. But limited progress has been made, according to the watchdog. It added it had not seen anything yet to give it confidence in Huawei's capacity to successfully address underlying defects in its equipment.
A new hurdle for the UK revealed in Thursday's report is that the Huawei monitoring board itself is now subject to US sanctions as a result of the curbs imposed on the whole Chinese company by Washington earlier this year. UK officials are working with lawyers to work out how to remove the evaluation centre from the entity list in a way which is compatible with US law.
The company said: "This rigorous review sets a precedent for cyber security collaboration between the public and private sectors, and has provided valuable insights for the telecoms sector. We believe this mechanism can benefit the entire industry and Huawei calls for all vendors to be evaluated against an equally robust benchmark, to improve security standards for everyone."