Cyberwarfare / Nation-State Attacks , Endpoint Security , Fraud Management & Cybercrime
Report: UK Believes Risk of Using Huawei Is Manageable
New Zealand Follows Suit, Saying It Will Test Huawei Suitability for 5G RolloutBritain's intelligence establishment has reportedly concluded that any risks posed by Chinese-built Huawei networking equipment used as part of the country's 5G rollout can be minimized if the process is appropriately managed.
See Also: 2024 Threat Hunting Report: Insights to Outsmart Modern Adversaries
The technical assessment from the U.K.'s National Cyber Security Center, first reported by the Financial Times, is part of the country's ongoing development of 5G security and resiliency policies, which is set to conclude in March or April after reviewing a range of options. Many telecommunications firms await the findings to help guide their rollouts, the BBC reports.
Any assessment that concludes Huawei could be used as part of the U.K.'s 5G rollout would stand as a rebuke to the administration of U.S. President Donald Trump, which has been lobbying allies to avoid using networking equipment built by China's Huawei or ZTE (see: US Intensifies Pressure on Allies to Avoid Huawei, ZTE).
The U.K. assessment would also be notable because the country is part of the "five eyes" intelligence alliance, which also includes the U.S., Canada, Australia and New Zealand. Last August, Trump signed a law blocking the use of Huawei and ZTE for U.S. government projects. Both Australia and New Zealand, meanwhile, have blocked Huawei and ZTE from networking projects or 5G rollout plans.
Last week, U.S. Secretary of State Mike Pompeo visited Europe, reportedly telling leaders that using Chinese networking gear posed a security risk because it could be used by China to facilitate surveillance or disrupt other countries' critical infrastructure.
The White House has produced no public evidence to substantiate its allegations. Huawei and ZTE say they have done nothing wrong.
'Trust But Verify'
The NCSC is the public-facing arm of Britain's GCHQ intelligence agency. NCSC's decisions are not binding. Rather, it issues technical guidance to U.K. policymakers.
The NCSC declined to comment on the specifics of the FT report. But a spokeswoman tells Information Security Media Group: "The National Cyber Security Center is committed to the security of U.K. networks, and we have a unique oversight and understanding of Huawei engineering and cybersecurity."
Indeed, Huawei's U.K. operations are monitored by the Huawei Cyber Security Evaluation Center, run by GCHQ. The government launched the center in 2010, which is "staffed by 35 heavily vetted analysts," according to the Guardian.
In July 2018, the HCSEC issued a report documenting concerns about Huawei's engineering and security processes that it wants to see the manufacturer address. Security experts have said the concerns documented by the NCSC team didn't appear to be malicious, but rather process shortcomings.
"As was made clear in July's HCSEC oversight board, the NCSC has concerns around Huawei's engineering and security capabilities," the NCSC spokeswoman tells ISMG. "We have set out the improvements we expect the company to make. The latest annual HCSEC report will be published in the near future."
Decision Could Be Emulated
Any official assessment from the U.K. that Huawei products can be used for its 5G rollout, with appropriate oversight, will "carry great weight" with other countries as they consider whether to use Huawei networking equipment, an unnamed source told FT.
"Other nations can make the argument that if the British are confident of mitigation against national security threats then they can also reassure their publics and the U.S. administration that they are acting in a prudent manner in continuing to allow their telecommunications service providers to use Chinese components as long as they take the kinds of precautions recommended by the British," the source told the FT.
New Zealand Will Test Huawei
Indeed, on Monday, New Zealand Prime Minister Jacinda Ardern told reporters that her government will independently evaluate Huawei. Last November, New Zealand's Government Communications Security Bureau blocked telecommunications service provider Spark from using Huawei in the country's 5G network rollout. But Ardern said that GCSB responded to Spark with details of how it mitigates concerns over using Huawei equipment, Reuters reported.
"I would expect the GCSB to apply with our legislation and our own security assessments. It is fair to say Five Eyes, of course, shares information, but we make our own independent decisions," she told reporters, Reuters reported.
Risk-Assess Everything
Brian Honan, who heads Dublin-based cybersecurity consultancy BH Consulting, says the NCSC's technical evaluation process is a reminder that no IT equipment should be implicitly trusted.
"All equipment, not just from Huawei, should be risk-assessed and managed accordingly ... and particularly here in Ireland where the majority of our critical network infrastructure for communications is managed by companies owned by entities outside of Ireland " Honan tweeted. "[It's] naive to think China may be the only nation-state that may take advantage of domestic communications manufacturers."
Like Ireland, the U.K. also relies on foreign manufacturers to supply its networking hardware.
British security expert Alan Woodward, testifying before Parliament last October, said a "trust but verify" approach to using foreign-built networking equipment could succeed, provided that the security and engineering processes underlying manufacturing could be fully vetted and devices that come off of the production line verified against those parameters (see: Report: Trump Weighs Executive Order Banning Huawei, ZTE).