Huawei's technology poses a potential security risk to the country, a UK watchdog group says. But it's not because of any secret backdoors in the company's equipment; the Chinese vendor simply has a shoddy approach to security.
A special oversight board that reports to the UK government on the safety of Huawei's technology found "serious and systematic defects" in the way Huawei engineers its software and practices cybersecurity.
The board uncovered a number in vulnerabilities in Huawei's networking equipment. If attackers ever learned of them, they could disrupt UK's telecommunication networks, access customer traffic, or rig the technology in malicious ways.
"These findings are about basic engineering competence and cybersecurity hygiene," the board said. But the UK's National Cyber Security Centre "does not believe that the defects identified are a result of Chinese state interference."
The findings come as Huawei is attempting to sell 5G networking technologies to mobile carriers across Europe. The US has been urging its European allies to avoid the company's technology over concerns the Chinese government could secretly compel Huawei to spy on its customers. Huawei rejects that and says the US is engaging in unfair competition.
In 2014, the UK established an oversight board in partnership with Huawei to vet the company's networking equipment for security risks. On Thursday, the board provided its fifth annual report, which concludes that integrating Huawei technologies into the UK without any security risks would be difficult.
"The number and severity of vulnerabilities discovered, along with architectural and build issues, by the relatively small team … is a particular concern," the report says.
The board found that Huawei has been building its technology with unpatched or out-of-date software tools and components in computerized build environments the UK watchdog group can't easily replicate. For instance, Huawei has been developing products using vulnerable versions of OpenSSL, a software library designed to prevent eavesdropping over digital communications.
The security issues are also nothing new. Last year's report called attention to similar problems. As a result, the board has been urging Huawei to "fundamentally transform" its software engineering and cybersecurity processes. But Huawei may need three to five years to fix the problems, the board says.
"The Oversight Board currently has not seen anything to give it confidence in Huawei's ability to bring about change via its transformation program," the report adds.
In response, Huawei told PCMag: "We understand these concerns and take them very seriously. The issues identified in the 2019 HCSEC Oversight Board Report provide vital input for the ongoing transformation of our software engineering capabilities."
Huawei has devoted $2 billon over the next five years to clean up its software engineering systems. It also argues that the UK board has said it's been scrutinizing Huawei with "arguably the toughest and most rigorous" oversight in the world, when it's unclear whether other vendors suffer from similar problems.
Thursday's report was published a week after Germany began auctioning frequencies to build the country's 5G network. However, the country has so far refrained from banning Huawei from participating in the 5G rollout, despite warnings from the Trump administration about the Chinese company's technology.