UK's Huawei handler dials back support for Chinese giant's kit in critical infrastructure

A UK government-run oversight board has expressed misgivings about the security of telecoms kit from Chinese firm Huawei. An annual report (PDF) from the Huawei Cyber Security Evaluation Centre (HCSEC) concluded that "shortcomings in Huawei's engineering processes have exposed new risks in the UK telecommunication networks and …

  1. Nezumi
    Black Helicopters

    Obviously, all other vendors in our infrastructure are subject to the same scrutiny...

    SpyBlog commented: "There should also be an equivalent to the Huawei Cyber Security Evaluation Centre for other foreign government-influenced networking stuff on which the UK Critical National Infrastructure depends. e.g. Cisco."

    I bet they aren't... Anything to do with the Prince of Orange (TM) will be done on a nod and a wink... If I was Huawei, I'd prove this and then sue the living **** out of the UK Govt for unfair discrimination.

    1. BillG
      Megaphone

      Re: Obviously, all other vendors in our infrastructure are subject to the same scrutiny...

      As someone in the industry, I can tell you that all vendors ARE subject to the same scrutiny.

      Not only that, but to get on the approved vendor list you must demonstrate a secure supply chain, dependable quality control, consistent manufacturing quality, alternate manufacturing facilities, and a whole lot more. The question here is if Huawei is failing all this now, how the hell did they get on the approved vendor list in the first place? (Those of you that understand already know the answer to that question.)

      Repeat after me, @Nezumi: "This is industry standard" whether you are selling switches to the U.K. or voltage regulators to Ford. You don't just waltz into a major account and sell your kit based on charm and a smile, you must first run Purchasing and QC's gauntlet.

  2. Camilla Smythe

    Bwaa-Hwaa-Hwaa StalkStalk and Internet Connection Records Anyone?

    This is likely to be the kit used by TalkTalk for their StalkStalk,

    http://support.huawei.com/enterprise/en/doc/EDOC1000009228?section=j00a

    It is also likely to be the kit used by TalkTalk and other ISPs should they get around to implementing Internet Connection Records as mooted in the IPAct.

    ISTR TalkTalk dropping a clanger by suggesting in their customer forums that the equipment was maintained by and remotely accessible to Huawei's engineers.

    Never mind that the system was illegal because, and TalkTalk also admitted but later fudged with The ICO even though the evidence was smeared all over website logfiles, it was monitoring for and visiting below top level URLs.

    Now people are suggesting that there might be Security Risks.

    Does the Bear wipe its Arse with the Rabbit?

  3. Anonymous Coward Silver badge
    Megaphone

    >"Huawei kit is widely used on BT's network backbone"

    Personally, I've never seen Huawei-branded yoghurt, so where do they get the pots from to put on the end of the string?

  4. Anonymous Coward
    Anonymous Coward

    You get what you pay for

    They are cheap and nasty for a reason. We were convinced to try out their stuff by one of their snake oil sales people, but we were not impressed and there are huge concerns about security of course.

    We're happy to pay more for the tried and trusted manufacturers, we have too much to lose should things go wrong.

  5. spold Silver badge

    Having spent some time at Unimatrix 1 in Shenzhen (on contract as a business consultant - for a large American firm - yes lol) I would observe (note that I'm not supporting just observing)...

    Besides any deliberate actions that may or may not happen there are a couple of process issues. These arise from a common root in many cases.

    1. Chinese configured devices are required to have Lawful Intercept Gateway functionality for obvious uses in China and compliance with local legislation. (Yes boo hiss but it's the local law - I believe Cisco etc. devices also have to comply to be sold there).

    2. Sales may have customer pressure on new product in another part of the world so they may divert product configured for China to customers in those markets, sometimes it may not be reconfigured to remove the above functions... it's not SUPPOSED to be there/used. This is a process failure.

    3. Product may be configured by default for China which means process failures result in this product escaping - this is a Privacy by Design failure - it should be neutral configured then specially configured for the destination market.

    4. Product is cheap in Shenzhen - some 3rd parties will buy up cheap product, stuff it into a container, and send it on a slow boat from China to other markets where it is more expensive. Escape and/or 3rd party product sales failure.

    So process failures are one issue - they aren't unique in this respect.

    Ok you might think that is some cases product may "accidentally" escape to certain end users - I couldn't possibly comment :-)

    I know - The Borg know where I am and are coming to get me. Resistance is futile.

    (I am using a VPN).

    1. Jellied Eel Silver badge

      1. Chinese configured devices are required to have Lawful Intercept Gateway functionality for obvious uses in China and compliance with local legislation. (Yes boo hiss but it's the local law - I believe Cisco etc. devices also have to comply to be sold there).

      That's not a feature just for the Chinese whisperers. Kit destined for the US has to comply with CALEA since that was introduced in '94, and the EU has similar requirements. Admittedly I'm now curious if Huawei simply copied CALEA implementations. But compliance with national regulations relating to lawful intercept is part of the approvals process. Telcos need to comply, governments need to trust it given the potential for espionage, or just blowing law enforcement investigations.

      The big issue has always been security of supply. Especially with the current US-China-EU trade spat and tariffs imposed by the EU on US telco kit. If that gets worse, maybe China could just block exports, so no kit for sparing or new installs. Or, as the report says, ensuring there's continued support for sub-components used in the kit, ie the report mentions component support ending 2020, but Huawei's EOS/EOL are beyond that.

      Politics can often have interesting consequences though. So when the EU decided to ban lead, there were kit shortages while manufacturers switched to lead-free solder. Then more faults due to joints failing.

      1. Anonymous Coward
        Anonymous Coward

        This is why the "developed economies" need to be able to manufacture our own devices. The prices would go up, I'd wager not greatly though, more of a shareholder hit, and at least then we know who's spying on us. This is where the orange one is partially correct and why so many fall for his BS. He sprinkles his lies with grains of truth.

  6. Anonymous Coward
    Anonymous Coward

    China cottoned on years ago

    that one of the weaknesses in capitalism is its fetish for low costs. Ultimately, low cost trumps EVERYTHING - even national security.

    That's it really. Sure, we ("the West") can ramp up efforts to ensure imported kit is "secure". But that would make the kit more expensive. And those shareholders aren't going to give up their cash so easily.

  7. Rob D.

    Security risks are still just risks

    Define the risk, assess the probability, quantify the impact, define the mitigation and arrive at a cost. Decide whether you want to spend the money to mitigate the risk and if not, accept the cost of the impact if it happens.

    Most exec management decision makers aren't good with the low probability, stupidly high impact kind of risks. Ask BP re Deepwater Horizon or Lehman Brothers re sub-prime mortgage risks.

    1. Anonymous Coward
      Anonymous Coward

      Re: Security risks are still just risks

      Most exec management decision makers aren't good with the low probability, stupidly high impact kind of risks. Ask BP re Deepwater Horizon or Lehman Brothers re sub-prime mortgage risks.

      And TEPCO in Japan, most of the airline industry (pilot fatigue), loads more banks...

      Huawei are a big enough player that they can buy up a lot of the competition. I think they did that when BT were picking kit.

    2. Mike Pellatt

      Re: Security risks are still just risks

      Or ask RBS too. Except their Head of Risk was quite explicit about the risks Fred the Shred was exposing the bank to....
