A new report issued by a government-led oversight board in Britain offered a highly critical assessment of the Chinese telecom giant Huawei, citing "significant technical issues" in the company's engineering processes and software that it said led to "new risks" in networks where Huawei's equipment was in use.
The board, which is led by a cybersecurity official from the top British spy agency, GCHQ, and includes among its members a senior executive from Huawei, said it could provide "only limited assurance" that the long-term security risks of Huawei equipment could be managed. GCHQ is the British equivalent of the National Security Agency (NSA) in the United States.
The U.S., which has effectively banned Huawei products since 2012, has been warning allies about the potential national security threats posed by Huawei, with increasing urgency recently, advising them to follow suit and ban Huawei's products from their developing 5G networks. 5G is the cellular technology that will facilitate significantly faster internet connections and pave the way for broad implementation of complex technologies like self-driving cars.
The report also said that Huawei had not taken meaningful steps to address security flaws that had been identified a year ago. While it identified "serious and systemic defects in Huawei's software engineering and cyber security competence," the board said in the report that it does not believe the defects were a result of Chinese state interference.
The British oversight board, which has been running for eight years, is uniquely positioned to make assessments of Huawei products and processes; the Shenzhen-based company provides the board, known as the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board, with the source code for its equipment in order to mitigate perceived risks arising from its use.
Speaking on condition of anonymity, a senior U.S. government official told CBS News the U.K.'s report "doubles down on exactly why we have concerns" about Huawei.
"We see them giving a pretty public failing grade – and our assessment is we couldn't mitigate or manage [those risks], either," the official said.
Key among the HCSEC's findings, according to the official, is what essentially looks like the incorporation of a 'bug door' rather than a backdoor – a software bug that may resemble poor engineering practice but could actually be a way to offer the company a deniable means of sharing purported source code that in reality doesn't match its actual software.
"That's where this concern arises: you can't tell what's intentional, what's discovered but unfixed … what is truly just a process of poor quality and engineering practices," the official said. "And as long as there's that debate it gives the company the margin of safety, the country the margin of safety, but still leaves you just as exposed."
"It's explainable if found – but it's just as deadly," the official said, adding the bug could also be found and exploited by other adversaries, including Russia and Iran.
The most critical findings of the report were likely to have been softened, the official added, given Huawei's direct involvement in the board that issues it.
Still, the official stressed, "We think it's pretty heinous, and that's after Huawei got to sand the edges off to make it less so."
Last summer, Australia effectively banned Huawei from its 5G buildout, but other major U.S. allies, including Britain, Canada and Germany, have held out. The latter recently signaled it would not move to block Huawei from its 5G networks, in defiance of the U.S.'s appeals.
And earlier this week, the European Union also declined to issue a blanket ban on Huawei, calling instead for a security review, to conclude by the end of this year, by all of its Member States. Huawei said it welcomed the EU's "objective and proportionate" approach.
The company did not immediately respond to a request for comment from CBS News.
The senior U.S. official said that countries that are dismissing warnings – these findings from the U.K. the latest among them – were potentially inviting both compromised security and higher costs.
"The message I would want those countries considering using Huawei, who are doing it primarily on cost – I think this analysis should show that the total cost of ownership is not reflected in the equipment alone, but also the impact the flaws will have on reliability, quality control, and support."
"We can't afford an environment where the lowest bidder drives out the most secure Western options for economic reasons," the official said.
And the forcefulness with which the U.S. has been issuing its own warnings, the official suggested, was a reflection of the high stakes at hand.
"I think some of the hard messaging you're seeing is because of this serious worry we have," the official said, "that we're watching others fall into a pretty dangerous space."