Huawei Oversight Board Warns of New Risks to UK Infrastructure

An independent oversight board in the UK tasked with monitoring Huawei’s equipment in critical telecommunications infrastructure has identified new security risks in its latest annual report.

While some countries, such as the United States and Australia, have imposed strict limits or bans on Chinese telecoms equipment in sensitive networks, the UK has pursued a more measured approach that emphasizes technical scrutiny and mitigation.

Manufacturers like Huawei are widely regarded as highly innovative within the global telecoms industry; some analysts argue that certain Chinese vendors are ahead of their Western competitors in specific areas of engineering and product development.

In 2010 the UK established the Huawei Cyber Security Evaluation Centre (HCSEC). Staffed by UK intelligence and technical experts from agencies including GCHQ, HCSEC inspects Huawei’s equipment and engineering processes to identify potential vulnerabilities and risks to national infrastructure.

Newly Identified Risks

The HCSEC oversight board’s latest report highlights newly identified risks stemming from aspects of Huawei’s engineering processes that could affect the security of UK telecoms networks.

Officials state that shortcomings in engineering practices have revealed fresh risks and that these create long-term challenges for effective mitigation and risk management.

The oversight board issues annual assessments and has previously reported only minor findings. For example, last year’s audit recorded one low-priority finding and two advisory issues, all related to the retention and accessibility of auditable information; each issue included an agreed remediation plan.

For the first time, however, the board has qualified its assurance. It concludes that, because of concerns revealed through the operation of mitigation strategies and oversight mechanisms, it can provide only limited assurance that all national security risks associated with Huawei’s participation in the UK’s critical networks have been fully mitigated.

The report draws attention to two specific areas of concern: technical limitations that hinder security researchers’ ability to inspect internal product code, and the sourcing of components from third-party suppliers used in Huawei products. Both raise questions about supply chain integrity and the verifiability of security guarantees.

Huawei responded to the report by acknowledging HCSEC’s effectiveness while accepting the board’s recommendations for improvement. A company spokesperson noted that the oversight process demonstrates HCSEC’s operational independence and effectiveness, and confirmed Huawei’s commitment to addressing identified engineering and risk-management shortcomings.

“Cybersecurity remains Huawei’s top priority,” the spokesperson said. “We are grateful for the feedback and will continue to improve our engineering processes and risk management systems.”

Context and International Implications

Where countries have been reluctant to approve Huawei equipment for national infrastructure, the company has offered to establish arrangements similar to HCSEC to provide independent technical scrutiny and transparency.

John Lord, Chairman of Huawei Australia, described the UK model as a way to enter markets transparently: “That was the way to enter the market and be as open as possible, and that’s what we are offering around the world. We believe that all telcos should be open, and equipment should be checked.”

Against the backdrop of the Trump administration’s tougher policy on Chinese technology, Huawei faces substantial obstacles to wider adoption in the United States. Company leadership appears to have adjusted expectations accordingly.

Eric Xu, Huawei’s rotating CEO, commented at an analyst event that the company has chosen to prioritize serving customers and improving products over engaging in political debates it cannot change. “There are things we cannot change the course of, and it’s better not to put it on top of your mind,” he said. “In this way, we have more energy and time to serve our customers, and to build better products to meet the needs of our customers.”

The HCSEC oversight board’s cautionary tone signals that, even with ongoing independent scrutiny and remediation, risks remain and require sustained attention from regulators, operators and vendors. Ensuring the security of critical telecoms infrastructure will depend on continued transparency, robust engineering practices, and effective supply-chain controls.
