19:19 GMT +315 October 2019
Listen Live
    GCHQ from just East of Cheltenham

    Despite Warnings of Huawei's 'Shoddy' Security Standards, GCHQ Has History of Data Failures

    CC BY-SA 3.0 / Bthebest / GCHQ from just East of Cheltenham
    Europe
    Get short URL
    208
    Subscribe

    Huawei has pledged to spend over US$2 billion on rectifying these problems, although has warned it could take up to five years to see results - Levy claims not have detected any sign of the company actually taking necessary action yet.

    Ian Levy, Technical Director of Britain’s National Cyber Security Centre (NCSC), part of the controversial GCHQ signals intelligence agency, has said China’s Huawei Technologies must raise its “shoddy” security standards.

    READ MORE: Europe to Pay Billions if It Chooses to Ban Huawei's 5G Rollout – Report

    “Huawei as a company builds stuff very differently to their Western counterparts. Part of that’s how quickly they’ve grown up, part of it could be cultural – who knows. What we have learnt as a result of that, the security is objectively worse, and we need to cope. Huawei is shoddy, the others are less shoddy,” he told a conference in London.

    “The start of a high-level plan that we can talk about in public would be a good thing. They have a lot of work to do, and I think they know that. You wouldn’t expect to have, in six months since we published that report, less than that, them coming out going ‘we’ve fixed it’. That would be unachievable.”

    Rank Hypocrisy

    While measured, Levy’s comments are just the latest broadside to be levelled against Huawei — the world’s biggest producer of mobile network equipment has been under intense US-led pressure internationally for some time, Washington imposing harsh sanctions on the company, attempting to prevent it from purchasing US goods, and pledging to limit intelligence sharing with allies who use the company’s technology. 

    While Britain has refused to follow suit entirely, in April following a Whitehall report rebuking the company for failing to fix security flaws in its equipment, the National Security Council blocked Huawei from all core parts of its future 5G network, only granting restricted access to non-core segments.

    However, such moves — and the NCSC Technical Director’s concerns about Huawei’s security — are somewhat ironic given GCHQ itself has had significant issues in the same regards.

    For instance, in March 2016 the agency was forced to admit that despite receiving almost one billion pounds over the previous five years, legacy IT issues were “killing” its cybersecurity capabilities.

    In 2014, Whitehall paid Microsoft £5.5 million to extend Windows XP support, as despite being given seven years’ warning the tech giant would be ending its standard support for the operating system, some GCHQ departments were still using the software.

    “We’ve not been spending money on fixing legacy IT issues, and that is just killing us. I’ve tried to make this argument to my bosses that surely you have to start there before you try to do anything more sophisticated. But the response has always been ‘I’m not spending cybersecurity program money to subsidise other departments’ IT budgets’. Come on, it’s the aim that you have in mind that justifies it, but I haven’t won that battle yet,” said Alex Dewedney, director of cybersecurity at the information security arm of GCHQ.

    Moreover, internal MI5 documents acquired by The Intercept reveal British spying agencies including GCHQ may have put lives at risk as their surveillance systems were sweeping up more data than they could analyse, leading them to miss clues and potential security threats, and failed to properly protect information being harvested.

    “[Agencies] can currently collect significantly more than it is able to exploit fully. This creates a real risk of ‘intelligence failure’ i.e. from the Service being unable to access potentially life-saving intelligence from data that it has already collected,” one document cautioned.

    Another, relating to program MILKWHITE, saw GCHQ make some of its vast troves of metadata about people’s online activities accessible to MI5, the Metropolitan Police, Her Majesty’s Revenue and Customs, the Serious Organized Crime Agency, the Police Service of Northern Ireland, and an obscure Scotland-based surveillance unit called the Scottish Recording Centre. There was little evidence of safeguards being in place to prevent the databases being abused, or accessed illicitly by unauthorised individuals at the agencies involved.

    Related:

    Man Killed in Suspected 'Hit and Run' Attack Near Cheltenham GCHQ Spy Agency
    Secret Location of British GCHQ Spy Hub During 2012 Olympics Revealed
    Apple, WhatsApp and Others Slam GCHQ Encrypted Chat Eavesdropping Proposals
    GCHQ Plans to Snoop on Apple, WhatsApp Chats: How Technically Possible is It?
    Community standardsDiscussion
    Comment via FacebookComment via Sputnik