GCHQ needs to take more control at Huawei’s Cyber Security Evaluation Centre to ensure the UK’s critical national infrastructure (CNI) is secure, according to a new report released today by the National Security Advisor.
The security of Huawei’s networking products has been brought into question by numerous governments over the past 18 months due to suspected ties with the Chinese government.
However, while the US House Permanent Select Committee has called for restrictions on the firm’s involvement in public networks, and the Australian government has gone as far as to block its equipment from the country’s National Broadband Network, Huawei technology is already being used in the UK.
Huawei first bid on government contracts in 2003 to provide equipment for BT’s £10bn 21st-Century Network project – moving from cable to IP-traffic fibre networks – ensuring its place within the UK’s CNI.
But the intelligence and security co-ordinator did not warn ministers that there could be security implications until 2006.
In June this year, the Intelligence and Security Committee (ISC) released a report claiming there was “a disconnect between the UK’s inward investment policy and its national security policy” and there was no reason it should have taken so many years – and until after BT had signed the contract with Huawei – to come before ministers with the security concerns raised.
The global reality is that virtually every telecommun- ications network worldwide incorporates foreign technology
Sir Kim Darroch, National Security Advisor
It also questioned whether Huawei’s Cyber Security Evaluation Centre (HCSEC) in Banbury – charged with ensuring the security of the network and the products used within it – was able to act without influence from the firm’s Chinese headquarters.
A month later, prime minister David Cameron pledged a full review of the HCSEC by the National Security Advisor, Sir Kim Darroch, and promised it would be published before the end of the year.
The review involved visits to HCSEC, interviews with the main stakeholders and examination of the documentary evidence, all looking into the operational independence of HCSEC – such as the employment of its staff, its planning and budgetary oversight, how it did its work and security around the facility.
In today’s report, Sir Darroch backed the ISC’s initial call for stronger oversight from the government’s intelligence agency GCHQ, but he did not want to cut ties with the controversial firm.
“The review concluded that HCSEC staff should remain part of Huawei, primarily for reasons of full access to equipment, code, and design teams,” it read. “But after discussions with the chairman of the ISC, the review also concluded that oversight arrangements should be enhanced, and GCHQ should have a leading and directing role in senior-level HCSEC appointments, in consultation with Huawei.”
Despite concerns, the report was keen to highlight “the global reality that virtually every telecommunications network worldwide incorporates foreign technology,” and Huawei was present in 140 countries, as well as being a big investor in the UK.
It also said: “The review judged that HCSEC was operating effectively and achieving its objectives, and that existing arrangements, although some of them informal, gave it sufficient independence. It noted that, after some initial teething problems, Huawei’s cooperation with HCSEC appeared exemplary, with equipment and software supplied without delay and full access provided to Huawei design teams.”
“It also noted that those vulnerabilities identified since HCSEC’s establishment could be explained as genuine design weaknesses or errors in coding practice.”
But the main conclusion was for GCHQ to lead the way.
“GCHQ’s involvement in the future appointment of senior staff to HCSEC should be strengthened,” it read. “At present, GCHQ have a power of veto over appointments through the security vetting process.
The review recommends that, in future, GCHQ should lead and direct senior HCSEC appointments (in consultation with Huawei), in particular through chairing the selection panel.”
The report also called for informal processes to be formalised, such as the creation of an oversight board, led by GCHQ, deputy chaired by Huawei and featuring members of Whitehall departments to periodically assess the HCSEC’s performance, as well as the promise of timely provisions of Huawei equipment to be put into writing.
Sir Darroch highlighted a need for a longer term strategy for the centre though and raised concerns about an apparent lack of skills in the UK jobs market.
Huawei believes it is only by working together internationally, as vendors, customers, policy and law makers, that the challenge of global cyber security can be met
“[There is] an apparent shortage of individuals in the UK employment market with the necessary technical expertise and skills to fill all the available posts in HCSEC, GCHQ and the relevant parts of Whitehall,” he said.
“The review noted that there were already good education initiatives in place through the National Cyber Security Programme, but recommended further and broader efforts to deepen the pool of individuals with the requisite cyber security skills.”
Sir Darroch also said the government must be wary of how quickly technology changes within telecommunications and it must try to keep a grip on new innovations going forward.
Huawei has reacted to the report positively, welcoming the report and supporting its conclusions for more leadership from GCHQ.
A spokeswoman from the company said: “We are pleased that the model of the UK government, the telecom operators and Huawei working together in an open and transparent way has been recognised as the best approach for providing reassurance on the security of products and solutions deployed in the UK. We also support the review’s recommendations to optimise the management of the HCSEC and will continue to work with stakeholders to improve its capabilities.”
“Huawei believes it is only by working together internationally, as vendors, customers, policy and law makers, that the challenge of global cyber security can be met. Huawei shares the same goal as the UK government and our customers in raising the standards of cyber security in the UK and ensuring that network technology benefits consumers.”
Related content from ComputerWeekly.com