{"id":40932,"date":"2018-07-25T14:30:43","date_gmt":"2018-07-25T04:30:43","guid":{"rendered":"https:\/\/www.aspistrategist.ru\/?p=40932"},"modified":"2018-07-26T09:09:30","modified_gmt":"2018-07-25T23:09:30","slug":"huawei-lessons-from-the-united-kingdom","status":"publish","type":"post","link":"https:\/\/www.aspistrategist.ru\/huawei-lessons-from-the-united-kingdom\/","title":{"rendered":"Huawei: lessons from the United Kingdom"},"content":{"rendered":"<figure><img loading=\"lazy\" decoding=\"async\" width=\"1000\" height=\"667\" class=\"alignnone size-full wp-image-40933 aligncenter\" src=\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2018\/07\/4946450248_5776769b0b_b.jpg\" srcset=\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2018\/07\/4946450248_5776769b0b_b.jpg 1000w, https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2018\/07\/4946450248_5776769b0b_b-205x137.jpg 205w, https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2018\/07\/4946450248_5776769b0b_b-768x512.jpg 768w, https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2018\/07\/4946450248_5776769b0b_b-332x221.jpg 332w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n<p>The UK government released the Huawei Cyber Security Evaluation Centre oversight board\u2019s <a href=\"https:\/\/assets.publishing.service.gov.uk\/government\/uploads\/system\/uploads\/attachment_data\/file\/727415\/20180717_HCSEC_Oversight_Board_Report_2018_-_FINAL.pdf\" target=\"_blank\" rel=\"noopener\">2018 annual report<\/a> on 19 July. HCSEC is a Huawei-owned facility that was created seven years ago to deal with the perceived risks of Huawei\u2019s involvement in UK critical infrastructure by evaluating the security of Huawei products used in the UK telecommunications market.<\/p>\n<p>The oversight board was set up in 2014 to assess HCSEC\u2019s performance relating to UK product deployments. It comprises senior representatives from government and the UK telecommunications sector and a senior executive from Huawei.<\/p>\n<p>For those worried about Huawei\u2019s involvement in Australia\u2019s 5G network, the oversight board\u2019s report does not make reassuring reading.<\/p>\n<p>The central concern in the debate over Huawei\u2019s participation in Australia\u2019s 5G network is that Chinese intelligence services could compel or coerce Huawei to leverage its involvement in critical infrastructure to enable espionage.<\/p>\n<p>China has certainly demonstrated an intent to conduct wide-ranging espionage in Australia. There\u2019s now a large body of evidence that China has been behind an array of data breaches, including at the <a href=\"http:\/\/www.abc.net.au\/news\/2015-12-02\/china-blamed-for-cyber-attack-on-bureau-of-meteorology\/6993278\" target=\"_blank\" rel=\"noopener\">Bureau<\/a> of <a href=\"https:\/\/www.acsc.gov.au\/publications\/ACSC_Threat_Report_2016.pdf\" target=\"_blank\" rel=\"noopener\">Meteorology<\/a>; the <a href=\"http:\/\/www.abc.net.au\/news\/2016-08-29\/chinese-hackers-behind-defence-austrade-security-breaches\/7790166\" target=\"_blank\" rel=\"noopener\">departments of Defence, Prime Minister and Cabinet, and Foreign Affairs and Trade<\/a>; and the <a href=\"https:\/\/www.smh.com.au\/technology\/hackers-hit-gillard-ministers-computers-report-20110329-1cdtb.html\" target=\"_blank\" rel=\"noopener\">parliamentary email system<\/a>. But beyond what could be described as \u2018legitimate\u2019 espionage targeting government agencies, there have also been thefts of intellectual property, commercial-in-confidence material and trade secrets for commercial advantage from companies such as <a href=\"http:\/\/www.itnews.com.au\/news\/abc-fingers-china-over-cyber-attacks-172554\" target=\"_blank\" rel=\"noopener\">BHP, Rio Tinto and Fortescue Metals<\/a>.<\/p>\n<p>China\u2019s intelligence services also have the <em>ability<\/em> to compel Huawei to assist them with their intelligence work.<\/p>\n<p>Article 7 of <a href=\"https:\/\/www.chinalawtranslate.com\/%E4%B8%AD%E5%8D%8E%E4%BA%BA%E6%B0%91%E5%85%B1%E5%92%8C%E5%9B%BD%E5%9B%BD%E5%AE%B6%E6%83%85%E6%8A%A5%E6%B3%95\/?lang=en\" target=\"_blank\" rel=\"noopener\">China\u2019s National Intelligence Law<\/a> says that \u2018[a]ll organizations and citizens shall support, assist, and cooperate with state intelligence work according to law\u2019 and <a href=\"https:\/\/www.lawfareblog.com\/beijings-new-national-intelligence-law-defense-offense\" target=\"_blank\" rel=\"noopener\">Article 14<\/a> states that national intelligence agencies \u2018may request that concerned organs, organizations, and citizens provide necessary support, assistance, and cooperation\u2019.\u00a0In addition, Article 10 says that \u2018national intelligence work institutions are to use the necessary means, tactics, and channels to carry out intelligence efforts, domestically and abroad\u2019.<\/p>\n<p>I\u2019ve previously <a href=\"https:\/\/www.aspistrategist.ru\/opinion\/technical-reasons-why-huawei-too-great-5g-risk\" target=\"_blank\" rel=\"noopener\">written<\/a> about <em>how<\/em> Huawei could be used to enable espionage, with or without Huawei corporate\u2019s complicity. Espionage doesn\u2019t necessarily require sophisticated \u2018backdoors\u2019\u2014 even compelling Chinese engineers to assist could enable Chinese intelligence services to get useful access to Australia\u2019s 5G network.<\/p>\n<p>This demonstrated intent combined with the power provided by legal obligations imposed by Beijing means that Chinese companies like Huawei carry additional supply-chain risk compared with companies from countries without a long history of cyberespionage and\/or countries without laws that specifically compel cooperation with intelligence agencies.<\/p>\n<p>On the face of it, the UK approach to mitigate this supply-chain risk with HCSEC\u2014assessing products to reassure ourselves that they are operating as expected\u2014seems entirely reasonable. Can\u2019t we assess products to make sure they won\u2019t be used to spy on us?<\/p>\n<p>The four HCSEC oversight board annual reports (<a href=\"https:\/\/www.gov.uk\/government\/publications\/huawei-cyber-security-evaluation-centre-oversight-board-annual-report-2015\" target=\"_blank\" rel=\"noopener\">2015<\/a>, <a href=\"https:\/\/www.gov.uk\/government\/publications\/huawei-cyber-security-evaluation-centre-oversight-board-annual-report-2016\" target=\"_blank\" rel=\"noopener\">2016<\/a>, <a href=\"https:\/\/www.gov.uk\/government\/publications\/huawei-cyber-security-evaluation-centre-oversight-board-annual-report-2017\" target=\"_blank\" rel=\"noopener\">2017<\/a> and <a href=\"https:\/\/www.gov.uk\/government\/publications\/huawei-cyber-security-evaluation-centre-oversight-board-annual-report-2018\" target=\"_blank\" rel=\"noopener\">2018<\/a>) show that it is very difficult indeed.<\/p>\n<p>On the bright side, the reports have consistently stated that \u2018HCSEC continues to provide unique, world-class cyber security expertise and technical assurance of sufficient scope and quality as to be appropriate for the current stage in the assurance framework around Huawei in the UK\u2019.<\/p>\n<p>HCSEC is also developing new tools and techniques to better understand security assurance in telecommunications, has found vulnerabilities that Huawei has subsequently remediated, and is actually improving Huawei\u2019s basic engineering and security processes and code quality. These efforts have resulted in a more secure Huawei product.<\/p>\n<p>Despite all this, the three most recent board reports have noted that HCSEC cannot confirm that what it has been testing matches what Huawei is using in the UK: the source code HCSEC has been given (that is, the computer instructions for Huawei\u2019s equipment) doesn\u2019t correspond with what has been deployed in the UK. So, much of the security testing that HCSEC has been doing may be irrelevant to the security of products used in the UK. At this point, the oversight board \u2018can offer only limited assurance\u2019.<\/p>\n<p>This year\u2019s report also indicates that some security-critical third-party software used in Huawei equipment is \u2018not subject to sufficient control\u2019. This is viewed as possibly a significant risk to UK telecommunications infrastructure mostly because of inconsistent product support lifetimes.<\/p>\n<p>Overall, the report describes HCSEC as a high-functioning, world-class security evaluation centre. However, the board cautions that confidence in HCSEC\u2019s ability to provide \u2018long term technical assurance of sufficient scope and quality around Huawei in the UK\u2019 is declining due to the \u2018repeated discovery of critical shortfalls\u2019 in \u2018Huawei engineering practices and processes that will cause long term increased risk in the UK\u2019.<\/p>\n<p>Worse yet, the trend across the four oversight board reports suggests that as HCSEC has improved in capability, confidence that the security evaluation process will sufficiently mitigate risks has declined\u2014the more HCSEC learned, the less confident they were.<\/p>\n<p>There is a simple lesson for Australia from the HCSEC oversight board reports: using Huawei in our 5G network will introduce risks that we will find very difficult to mitigate.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The UK government released the Huawei Cyber Security Evaluation Centre oversight board\u2019s 2018 annual report on 19 July. HCSEC is a Huawei-owned facility that was created seven years ago to deal with the perceived risks &#8230;<\/p>\n","protected":false},"author":618,"featured_media":40933,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"footnotes":""},"categories":[1],"tags":[52,749,301,1369],"class_list":["post-40932","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-china","tag-cyber-espionage","tag-national-security-2","tag-telecommunications"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v19.3 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Huawei: lessons from the United Kingdom | The Strategist<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.aspistrategist.ru\/huawei-lessons-from-the-united-kingdom\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Huawei: lessons from the United Kingdom | The Strategist\" \/>\n<meta property=\"og:description\" content=\"The UK government released the Huawei Cyber Security Evaluation Centre oversight board\u2019s 2018 annual report on 19 July. HCSEC is a Huawei-owned facility that was created seven years ago to deal with the perceived risks ...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.aspistrategist.ru\/huawei-lessons-from-the-united-kingdom\/\" \/>\n<meta property=\"og:site_name\" content=\"The Strategist\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/ASPI.org\" \/>\n<meta property=\"article:published_time\" content=\"2018-07-25T04:30:43+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2018-07-25T23:09:30+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2018\/07\/4946450248_5776769b0b_b.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1000\" \/>\n\t<meta property=\"og:image:height\" content=\"667\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Tom Uren\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:site\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Tom Uren\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\",\"url\":\"https:\/\/www.aspistrategist.ru\/\",\"name\":\"The Strategist\",\"description\":\"ASPI&#039;s analysis and commentary site\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.aspistrategist.ru\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-AU\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/huawei-lessons-from-the-united-kingdom\/#primaryimage\",\"url\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2018\/07\/4946450248_5776769b0b_b.jpg\",\"contentUrl\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2018\/07\/4946450248_5776769b0b_b.jpg\",\"width\":1000,\"height\":667},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.aspistrategist.ru\/huawei-lessons-from-the-united-kingdom\/\",\"url\":\"https:\/\/www.aspistrategist.ru\/huawei-lessons-from-the-united-kingdom\/\",\"name\":\"Huawei: lessons from the United Kingdom | The Strategist\",\"isPartOf\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/huawei-lessons-from-the-united-kingdom\/#primaryimage\"},\"datePublished\":\"2018-07-25T04:30:43+00:00\",\"dateModified\":\"2018-07-25T23:09:30+00:00\",\"author\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/b143103fc9b3a4ae0d5e4b22c5eba93a\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/huawei-lessons-from-the-united-kingdom\/#breadcrumb\"},\"inLanguage\":\"en-AU\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.aspistrategist.ru\/huawei-lessons-from-the-united-kingdom\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.aspistrategist.ru\/huawei-lessons-from-the-united-kingdom\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.aspistrategist.ru\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Huawei: lessons from the United Kingdom\"}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/b143103fc9b3a4ae0d5e4b22c5eba93a\",\"name\":\"Tom Uren\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/216436cb30ac616a4eacffdffe5ff739?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/216436cb30ac616a4eacffdffe5ff739?s=96&d=mm&r=g\",\"caption\":\"Tom Uren\"},\"url\":\"https:\/\/www.aspistrategist.ru\/author\/thomas-uren\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Huawei: lessons from the United Kingdom | The Strategist","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.aspistrategist.ru\/huawei-lessons-from-the-united-kingdom\/","og_locale":"en_US","og_type":"article","og_title":"Huawei: lessons from the United Kingdom | The Strategist","og_description":"The UK government released the Huawei Cyber Security Evaluation Centre oversight board\u2019s 2018 annual report on 19 July. HCSEC is a Huawei-owned facility that was created seven years ago to deal with the perceived risks ...","og_url":"https:\/\/www.aspistrategist.ru\/huawei-lessons-from-the-united-kingdom\/","og_site_name":"The Strategist","article_publisher":"https:\/\/www.facebook.com\/ASPI.org","article_published_time":"2018-07-25T04:30:43+00:00","article_modified_time":"2018-07-25T23:09:30+00:00","og_image":[{"width":1000,"height":667,"url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2018\/07\/4946450248_5776769b0b_b.jpg","type":"image\/jpeg"}],"author":"Tom Uren","twitter_card":"summary_large_image","twitter_creator":"@ASPI_org","twitter_site":"@ASPI_org","twitter_misc":{"Written by":"Tom Uren","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"https:\/\/www.aspistrategist.ru\/#website","url":"https:\/\/www.aspistrategist.ru\/","name":"The Strategist","description":"ASPI&#039;s analysis and commentary site","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.aspistrategist.ru\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-AU"},{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/huawei-lessons-from-the-united-kingdom\/#primaryimage","url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2018\/07\/4946450248_5776769b0b_b.jpg","contentUrl":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2018\/07\/4946450248_5776769b0b_b.jpg","width":1000,"height":667},{"@type":"WebPage","@id":"https:\/\/www.aspistrategist.ru\/huawei-lessons-from-the-united-kingdom\/","url":"https:\/\/www.aspistrategist.ru\/huawei-lessons-from-the-united-kingdom\/","name":"Huawei: lessons from the United Kingdom | The Strategist","isPartOf":{"@id":"https:\/\/www.aspistrategist.ru\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.aspistrategist.ru\/huawei-lessons-from-the-united-kingdom\/#primaryimage"},"datePublished":"2018-07-25T04:30:43+00:00","dateModified":"2018-07-25T23:09:30+00:00","author":{"@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/b143103fc9b3a4ae0d5e4b22c5eba93a"},"breadcrumb":{"@id":"https:\/\/www.aspistrategist.ru\/huawei-lessons-from-the-united-kingdom\/#breadcrumb"},"inLanguage":"en-AU","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.aspistrategist.ru\/huawei-lessons-from-the-united-kingdom\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.aspistrategist.ru\/huawei-lessons-from-the-united-kingdom\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.aspistrategist.ru\/"},{"@type":"ListItem","position":2,"name":"Huawei: lessons from the United Kingdom"}]},{"@type":"Person","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/b143103fc9b3a4ae0d5e4b22c5eba93a","name":"Tom Uren","image":{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/216436cb30ac616a4eacffdffe5ff739?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/216436cb30ac616a4eacffdffe5ff739?s=96&d=mm&r=g","caption":"Tom Uren"},"url":"https:\/\/www.aspistrategist.ru\/author\/thomas-uren\/"}]}},"_links":{"self":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/40932"}],"collection":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/users\/618"}],"replies":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/comments?post=40932"}],"version-history":[{"count":3,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/40932\/revisions"}],"predecessor-version":[{"id":40948,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/40932\/revisions\/40948"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media\/40933"}],"wp:attachment":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media?parent=40932"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/categories?post=40932"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/tags?post=40932"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}