Two low-priority national security findings and two advisory issues have popped up in the evaluation of the Huawei Cyber Security Evaluation Centre (HCSEC) in the United Kingdom, according to the annual report.
The HCSEC, located in Oxfordshire, was launched in November 2010 to help mitigate any potential risks in using Huawei technology in the UK’s critical national infrastructure, and has been subject to annual evaluations for the last four years.
In the most recent report, the HCSEC oversight board identified “technical issues” in Huawei’s engineering processes, which it said could cause “new risks in the UK telecommunications networks”.
According to the HCSEC Oversight Board Annual Report 2018: A report to the National Security Adviser of the United Kingdom July 2018, four products were found by the UK government’s National Cyber Security Centre (NCSC) to be lacking binary equivalence, with Huawei working to “correct the deficiencies in the underlying build and compilation process”.
“It is the NCSC intent that all products deployed in the UK will have repeatable builds and that HCSEC will be able to routinely show equivalence between the binary installed in UK networks and the binary that can be built from the source code held by HCSEC,” the report, first reported on by Reuters, said.
Work on this had been completed, but the engineering changes had yet to be integrated into the wider development process, the report said, with this work to be completed by mid-2020.
An additional issue was found in Huawei’s use of commercial and open-source…