UK raises new Huawei concerns, but a broader security strategy is needed

Although the UK has stopped well short of banning Huawei equipment from new telecoms networks, its officials remain cautious. The latest annual report from the UK government’s Huawei cybersecurity evaluation center (HCSEC) says that Huawei has not addressed all the security concerns regarding some of its products, and has not implemented a company-wide cybersecurity overhaul, which it promised in 2012.

The watchdog’s report said it “has continued to identify concerning issues in Huawei’s approach to software development, bringing significantly increased risk to UK operators, which requires ongoing management and mitigation”.

The HCSEC was launched in 2010 as part of an agreement between Huawei and the UK government to address the “perceived risks” of using the Chinese company’s equipment in critical national infrastructure. The Center’s oversight board, which publishes the annual reports, was then set up in 2014.

Following last year’s HCSEC report, Huawei promised to spend $2bn on a security overhaul, but UK officials reportedly walked out of that meeting, and the latest document says there has been “no material progress” in addressing security concerns identified in 2018. It added that none of the remedies set out in a 2012 Huawei white paper on cybersecurity had yet been implemented.

And it concluded that it could not “appropriately risk-manage future products” in UK deployments until Huawei addresses what HCSEC calls “defects in Huawei’s software engineering and cybersecurity processes”.

However, the UK government has said it has found no proof of espionage. UK operators have been vocal in insisting they must be free to choose Chinese equipment, otherwise costs will rise and 5G potentially be delayed. They argue, like MNOs from many countries, that they are capable of ensuring their own security without state bans being necessary. Two of the operators, O2 and 3UK, are currently testing 5G networks with Huawei, but Vodafone has said it will suspend 5G tests with Huawei until the security issues are resolved. BT/EE has been a major supporter of Huawei in its RAN trials but excludes the firm from the core.

Although political and media attention is focused on Huawei and ZTE, many governments are increasingly concerned about the far wider cybersecurity issues raised by the emergence of 5G and IoT networks, which will connect vast numbers of devices to an IP network and drive deployment of infrastructure that is critical to many aspects of life.

For instance, the UK recently unveiled a government-backed national IoT research center with a specific focus on cybersecurity. The country hopes to take a lead in knowledge about how to secure the data collected, in future, by huge numbers of IoT devices and sensors, hence the establishment of the new facility, labelled Petras 2 (privacy, ethics, trust, reliability, acceptability, and security) IoT Centre of National Excellence.

The new center, led by a professor from University College London, is part of a government initiative to explore how to design out cyber threats and vulnerabilities in any kind of IT hardware. This is particularly critical in the IoT because of the volume, and dispersed nature, of the items of equipment that could be used in a large-scale network.

The program was first announced in January, with the aim of supporting hardware designs that will be inherently more secure from the start, and which incorporate protections right down to chip level.

Among the initial areas of research will be threats that arise from, or are worsened by, the implementation of edge computing and artificial intelligence to support the IoT and other systems.

“The centre’s ultimate aim is, by creating a trustworthy and secure infrastructure for the Internet of things, to deliver a step change in socio-economic benefit for the UK with visible improvements for citizen wellbeing and quality of life,” said Jeremy Watson, Petras director and professor at UCL’s department of science, technology, engineering and public policy (STEaPP).

Petras 2 is the second phase of the Petras project, funded by UK Research and Innovation (UKRI) as part of a broader program called Security Digital Technologies at the Periphery. Since phase 1 was kicked off in 2016, 11 universities and 110 industrial and government partners have been involved.

Meanwhile, the European Commission has released a set of recommendations to target cybersecurity across all 5G networks in Europe, regardless of their supplier. The recommendations are the result of a European Council meeting, held on March 22, in which heads of state called for a “concerted approach to the security of 5G networks”.

The recommendations call for each member state to complete a national risk assessment of 5G network infrastructure by the end of June 2019, and then update existing security requirements in line with that. They also call for states to exchange information with one another and the European Agency for Cybersecurity (ENISA) in order to complete a coordinated risk assessment by October 2019, which will lead to a more comprehensive set of proposed measures, including new certification requirements, tests and controls.

Finally, the document asks member states to collaborate with industry stakeholders to develop a single EU-wide certification scheme for 5G, which would be mandatory for 5G vendors.

“The resilience of our digital infrastructure is critical to government, business, the security of our personal data and the functioning of our democratic institutions,” said Commissioner Julian King. “We need to develop a European approach to protecting the integrity of 5G, which is going to be the digital plumbing of our interconnected lives.”