UK says Huawei coding quality still falls short, as global businesses look toward 5G

A U.K. auditing agency found that Huawei coding fell short of acceptable standards,  and that the company has yet to address several of the security issues identified in last year’s report. (Rowingbohe via Creative Commons Attribution-Share Alike 4.0 International license)

The United Kingdom’s official Huawei auditing board claims the beleaguered Chinese telecommunications supplier continues to show “concerning issues" in its approach to software development and data security.

HCSE, which resides within the U.K.’s cybersecurity regulatory agency, was established to examine ongoing concerns tied to telecommunications giant Huawei's handing of customer data. The 2020 annual report, released Tuesday, determined that company coding fell short of acceptable standards, and that Huawei has yet to address several of the security issues identified in last year’s report.

Former U.S. Representative Mike Rogers, now chairman the China-opposed advocacy group 5G Action Now, told SC Media via email that the HCSEC report demonstrated Huawei was failing to meet the minimum of “cybersecurity 101."

"Most companies want to protect their users’ data and aggressively work to close these security holes," he said. "But then again, Huawei is anything but a normally operating company.”

Huawei faces international scrutiny as global telecommunications networks upgrade equipment for 5G, particularly from critics in the United States government. The company is frequently accused of aiding the Chinese government in espionage or, at a minimum, being subject to Chinese laws that enable efforts to capture intellectual property and, in so doing, violate U.S. sanctions. The company denies allegations of wrongdoing. 

HCSE noted in the 2019 report that coding was riddled with security vulnerabilities, but determined it was a likely consequence of poor engineering, not intentional sabotage. The board again reported this year no signs of intentional sabotage or evidence of use in espionage. 

“At present, the Oversight Board has not yet seen anything to give it confidence in Huawei’s capacity to successfully complete the elements of its transformation programme that it has proposed as a means of addressing these underlying defects,” reads the report. 

Huawei did fall short over the past year in a number of areas, however. The company struggled to prepare products for the pending end-of-life of at least one major component, for example, only mitigating the issue in 17 percent of deployed U.K. systems. Huawei also maintains too many parallel versions of the same product for adequate security preparations, the report noted, and code quality still appears to be sub par. And while several specific problems identified by the HCSEC were fixed, the endemic issues in Huawei’s approach to development, which caused those problems ,were not addressed. 

A representative from Huawei emphasized that the report found no evidence of baked-in espionage. 

“As innovators, we continue significant investment to improve our products. The report acknowledges that while our software transformation process is in its infancy, we have made some progress in improving our software engineering capabilities,” wrote the company in a statement.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.