LONDON—British officials accused Huawei Technologies Co. of repeatedly failing to address security flaws in its products and said the company hasn’t demonstrated a commitment to fixing them.
The findings, contained in a report published Thursday, subject the Chinese telecom-equipment giant to fresh international scrutiny as it tries to fend off American accusations that its gear poses a cybersecurity threat.
In the report, U.K. officials said they were particularly concerned that Huawei hasn’t implemented companywide cybersecurity practices that it vowed to put in place in 2012, the same year a report from the U.S. Congress labeled Huawei a national security threat.
The congressional report effectively banned Huawei from the U.S. But many other foreign markets, like the U.K., embraced Huawei, the world’s largest maker of telecommunications equipment used by wireless carriers.
The U.S. government has based its recent campaign to blacklist Huawei world-wide on the claim that Beijing could order the company to spy or disrupt communications. Washington has pressured its allies to join its ban, but many countries—like Germany—haven’t followed suit, seeking specific proof that Huawei is a cybersecurity threat.
The U.K. report doesn’t offer any proof along those lines. But it makes a separate claim: that the company hasn’t made cybersecurity a priority and that its products might have security flaws that anyone, not just the Chinese government, could exploit.
Why It’s Almost Impossible to Extract Huawei From Telecom Networks
British officials said Huawei’s “poor software engineering” is the problem, adding that they don’t believe “the defects identified are a result of Chinese state interference.”
The findings could have global ramifications. Wireless carriers world-wide are on the verge of upgrading to 5G, the cellular technology that could enable driverless cars and internet-connected factory components. Britain, with one of the world’s most respected cybersecurity agencies, has also had some of the most extensive experience among Western nations in testing Huawei gear.
A Huawei spokesman said “we understand these concerns and take them very seriously.” He reiterated that Huawei has committed $2 billion over five years to overhauling its engineering processes and that “a high-level plan for the program has been developed and we will continue to work with U.K. operators” and British cybersecurity authorities during implementation.
In 2012, John Suffolk, Huawei’s global security and privacy officer and the U.K.’s former information-security chief, said company processes that ensure cybersecurity was “part of our DNA.” Huawei officials have often pointed to his 24-page report as a sign of Huawei’s commitment to security.
U.K. officials said in their Thursday report that Huawei didn’t follow through on its 2012 pledges and as a result, they aren’t confident about the company’s recent promises to overhaul its cybersecurity practices. “Strongly worded commitments from Huawei in the past haven't brought about any discernible improvements,” the report said.
The report, written by the U.K.’s National Cyber Security Centre, is an annual update on a Huawei-run lab near Oxford, England, that examines the Chinese company’s products used in British networks. It identified several specific, technical issues with Huawei’s products and said the company hasn’t fixed many of them.
The report said that given Huawei’s record, it is probable that the lab would find more vulnerabilities in the future, especially with new products which may include 5G equipment.
“It is highly likely that security risk management of products that are new to the U.K. or new major releases of software for products currently in the U.K. will be more difficult,” the report said.
British officials said Huawei was slow to address problems identified in a previous review. Last summer, officials identified engineering shortfalls that they said led to discrepancies between Huawei software examined in the lab and software used in British networks. It found that Huawei’s engineering processes couldn’t re-create the same software from scratch twice—a key prerequisite for an adequate test of Huawei gear.
Because the inspectors in the lab can’t replicate the software used in British networks, they can’t determine if Huawei’s equipment has security flaws.
In recent months, U.K. officials grew impatient with Huawei for not rolling a fix out more quickly. The Thursday report said the $2 billion investment promised from Huawei, “while welcome, is currently no more than a proposed initial budget for as yet unspecified activities.”
Newsletter Sign-up
British cybersecurity officials continue “to be able to provide only limited assurance that the long-term security risks can be managed in the Huawei equipment currently deployed in the U.K,” the report said.
Britain, where Huawei gear is popular with all of the country’s major telecom carriers, is in the middle of a review of its telecom supply chain. That review is separate from the report issued Thursday. Officials have publicly suggested they won’t ban Huawei outright, but could recommend partial restrictions.
Huawei has launched a counteroffensive to the U.S. campaign. Huawei’s founder and CEO has said the company has never spied for the Chinese government and never would. The company has also sought to soothe worries about the security of it products by setting up labs in Britain, Germany and Belgium, all designed to let government officials inspect Huawei’s hardware and software.
The lab in Britain, Huawei’s oldest and most important major Western market, was the first to open, in 2010. It employs Huawei employees, all British nationals with top-secret security clearance, and is overseen by board with officials from both the government and Huawei, as well as representatives from British carriers.
The report from British cybersecurity officials said its findings aren’t a statement about the security of Britain’s networks. The report doesn’t dictate policy, but rather highlights problems and recommends how the government and telecom providers can address them.
From December: Why China’s Huawei Matters
U.K. officials have said they share American concerns that Beijing could order Huawei to spy or conduct cyberattacks, but believe they can minimize those risks with security measures—such as the lab near Oxford—and by requiring wireless providers to use equipment from multiple suppliers in their networks. Huawei has two major rivals, Finland’s Nokia Corp. and Sweden’s Ericsson AB.
Write to Stu Woo at Stu.Woo@wsj.com
https://www.wsj.com/articles/u-k-says-huawei-gear-has-major-security-flaws-11553765403
2019-03-28 10:30:00Z
CAIiELAhDECP-Hya4xzuQCn0rDUqFwgEKg8IACoHCAow1tzJATDnyxUwx4YY
Tidak ada komentar:
Posting Komentar