17 May 2019

Here's how GCHQ scours Huawei hardware for malicious code

By AMIT KATWALA

A nondescript business park on the outskirts of Banbury could play a hugely important role in the UK’s future security.

Since 2010, the humdrum business park has been the home of the Huawei Cyber Security Evaluation Centre (HCSEC) - a unique partnership between the mobile giant and the UK authorities that aims to ensure that UK infrastructure isn’t compromised by the involvement of the Chinese firm.

Those fears are in the news again, with fresh scrutiny over Huawei’s involvement in the UK’s 5G plans, triggered by a public confrontation between the company and the United States. But, as the existence and work of the HCSEC demonstrates, this is only the latest stage in Huawei’s long and complicated relationship with the UK security services.

Huawei opened its first office in the UK in 2001, but its involvement in critical infrastructure increased after 2005, when BT contracted it to supply routers and other transmission equipment as part of a £10bn network upgrade. At the time, BT was under no obligation to inform the British government that it had granted contracts to a company with close links to a foreign state. A later government report said ministers had been “put in the position of trying to shut the stable door after the horse has bolted”.

According to British intelligence sources who spoke to ABC last year, BT noticed that core switches installed by Huawei as part of that network were doing an unusual amount of “chattering,” raising concerns amongst UK authorities. By 2010, these fears had grown enough for GCHQ to take the unprecedented step of setting up the HCSEC, also known as ‘The Cell’. Its aim was to study every piece of hardware or software destined for the UK market, at Huawei’s expense - looking for potentially malicious code.

It’s a unique arrangement, and a level of scrutiny levelled at no other technology companies operating in the UK. According to Tim Stevens, a lecturer in global security at King’s College London, the formation of The Cell came at a time when the David Cameron-led government was “crawling to China, begging for investment”. Setting up HCSEC allowed Huawei to continue to provide its cheap, market-leading equipment to the UK, while assuaging security fears. “It was a political move, a way of allowing Huawei to demonstrate that it was serious about putting good quality kit in the UK market.” But it’s not without flaws.

Because Huawei pays for the facility, it’s staffed largely by its own employees, with regular oversight from GCHQ. A 2013 report by the Intelligence and Security Commission questioned The Cell’s ability to operate independently from Huawei headquarters, and recommended that all of its staff be GCHQ employees. A quick search of LinkedIn reveals that many HCSEC employees, including the managing director and other senior figures, have joined straight from Huawei itself.

Starting in 2014, the UK’s National Cyber Security Centre began publishing annual oversight reports on The Cell. The most recent report, published in July 2018, identified shortcomings in Huawei’s engineering processes that had “exposed new risks in the UK telecommunications networks.” Although the report raised no high or medium priority concerns, it was the first time the government had expressed concerns over Huawei technology. According to the Telegraph, the next annual report will criticise Huawei for failing to address those concerns, despite the company pledging to spend $2bn addressing issues in its equipment.

The UK’s biggest mobile operators, including Vodafone, EE and Three, have been working with Huawei on implementing 5G, and are awaiting a government decision due in March or April on whether those relationships will be allowed to continue. Last year, BT - which owns EE - said it would remove Huawei equipment from its core network.

Britain’s Five Eyes security partners in Australia and New Zealand have already banned imports of Huawei hardware, but the UK is not expected to follow suit. The United States is pursuing legal action, and in a speech on Saturday at the Munich Security Conference, vice president Mike Pence warned of the “threat” posed by the company. It’s about managing the risk, says Stevens, and the National Cyber Security Centre believes that it can do that.

The difference in attitude probably has more to do with geopolitics than any escalation of the risk. While President Trump pursues a trade war in an attempt to make America great again, Britain is desperate not to alienate another potential trading partner. In February last year, Huawei pledged to spend £3bn on UK intellectual property and services.

Stevens stresses that there is no evidence - at least nothing in the public domain - of any wrongdoing by Huawei, and the company itself insists on its innocence. Although its founder has close links to China’s ruling Communist party and its military, Huawei emphasises that it is owned by its employees, not the Chinese state.

“We are probably the most audited, inspected, reviewed, poked and prodded company in the world,” said John Suffolk, head of Huawei’s cyber security operations, in an interview last year. “The stakes are a lot higher now,” says Stevens - but this is a debate that has been going on behind closed doors for a decade.
