The UK’s dedicated Huawei Cyber Security Evaluation Centre (HCSEC) has published its latest annual oversight report, the first since renewed international pressure mounted over the company.
HCSEC, based in Banbury, Oxfordshire, examines Huawei’s products and engineering practices and issues an annual report identifying any risks or concerns that could affect UK telecommunications networks.
Last year HCSEC reported it could no longer assure that previously identified risks had been fully mitigated, citing worries about Huawei’s software engineering processes and slow progress in addressing known problems. This year’s report confirms those concerns: it states that “no material progress has been made by Huawei in the remediation of the issues reported last year, making it inappropriate to change the level of assurance from last year or to make any comment on potential future levels of assurance.”
More alarmingly, the report says that new, significant technical issues have been found that introduce additional risks for UK networks. “HCSEC’s work has continued to identify concerning issues in Huawei’s approach to software development bringing significantly increased risk to UK operators, which requires ongoing management and mitigation,” the oversight body writes.
UK mobile operators such as Vodafone and Three have argued against an outright ban on Huawei equipment because they already use the vendor’s hardware and software extensively. Operators warn that removing and replacing that equipment would be costly and could cause a major delay to 5G rollouts. Three’s CEO, David Dyson, has warned that changing vendors now could set back 5G launches by 12 to 18 months.
Operators maintain they chose Huawei after meeting the same procurement and technical standards as other suppliers, and that continuing to use the vendor was in the best interests of customers and business operations.
In response to the HCSEC report, a Huawei spokesperson reiterated acceptance of the centre’s role and emphasized the company’s planned response. The statement noted the report’s recognition of HCSEC’s rigour and disputed any suggestion that UK networks are more vulnerable now than they were previously. Huawei acknowledged concerns about its software engineering capabilities, described those findings as important input into a company-wide transformation, and pointed to a Board-backed initiative with an initial US$2 billion budget to improve engineering processes.
Huawei said a high-level plan for that transformation has been developed and that it will continue to work with UK operators and the National Cyber Security Centre (NCSC) as the programme is implemented. The company called for industry, regulators, and governments to collaborate on stronger common standards for cybersecurity assurance and evaluation to secure global telecom networks.
The HCSEC oversight board, however, cautions that until Huawei demonstrably addresses the engineering-process deficiencies identified, managing the risk associated with the vendor’s equipment in UK deployments will remain challenging. The board reports it has not yet seen sufficient evidence to be confident in Huawei’s ability to complete the transformational changes needed to repair the underlying defects.
HCSEC has not found evidence of state-backed espionage, which has been the primary worry cited by some international critics. Instead, it has reported several hundred vulnerabilities and issues to UK operators, matters that require technical mitigation and ongoing oversight.
The report underlines two clear points: first, Huawei’s current software engineering practices and related technical problems continue to present material cybersecurity risks that demand active management; second, while Huawei is proposing significant internal reforms, progress to date has not convinced UK overseers that the company can or will implement those reforms quickly enough to reduce the level of risk.
For UK operators and policymakers, the HCSEC findings complicate decisions about how to balance operational continuity, the costs and timelines of replacing equipment, and the security posture of next-generation networks. Until substantive, verifiable remediation is demonstrated, the oversight board’s advice and the need for careful, ongoing mitigation are likely to remain in place.