Ian Levy, Technical Director of Britain’s National Cyber Security Centre (NCSC), part of the controversial GCHQ signals intelligence agency, has said China’s Huawei Technologies must raise its “shoddy” security standards.
“Huawei as a company builds stuff very differently to their Western counterparts. Part of that’s how quickly they’ve grown up, part of it could be cultural – who knows. What we have learnt as a result of that, the security is objectively worse, and we need to cope. Huawei is shoddy, the others are less shoddy,” he told a conference in London.
“The start of a high-level plan that we can talk about in public would be a good thing. They have a lot of work to do, and I think they know that. You wouldn’t expect to have, in six months since we published that report, less than that, them coming out going ‘we’ve fixed it’. That would be unachievable.”
While measured, Levy’s comments are just the latest broadside to be levelled against Huawei — the world’s biggest producer of mobile network equipment has been under intense US-led pressure internationally for some time, Washington imposing harsh sanctions on the company, attempting to prevent it from purchasing US goods, and pledging to limit intelligence sharing with allies who use the company’s technology.
While Britain has refused to follow suit entirely, in April following a Whitehall report rebuking the company for failing to fix security flaws in its equipment, the National Security Council blocked Huawei from all core parts of its future 5G network, only granting restricted access to non-core segments.
For instance, in March 2016 the agency was forced to admit that despite receiving almost one billion pounds over the previous five years, legacy IT issues were “killing” its cybersecurity capabilities.
In 2014, Whitehall paid Microsoft £5.5 million to extend Windows XP support, as despite being given seven years’ warning the tech giant would be ending its standard support for the operating system, some GCHQ departments were still using the software.
“We’ve not been spending money on fixing legacy IT issues, and that is just killing us. I’ve tried to make this argument to my bosses that surely you have to start there before you try to do anything more sophisticated. But the response has always been ‘I’m not spending cybersecurity program money to subsidise other departments’ IT budgets’. Come on, it’s the aim that you have in mind that justifies it, but I haven’t won that battle yet,” said Alex Dewedney, director of cybersecurity at the information security arm of GCHQ.
“[Agencies] can currently collect significantly more than it is able to exploit fully. This creates a real risk of ‘intelligence failure’ i.e. from the Service being unable to access potentially life-saving intelligence from data that it has already collected,” one document cautioned.
Another, relating to program MILKWHITE, saw GCHQ make some of its vast troves of metadata about people’s online activities accessible to MI5, the Metropolitan Police, Her Majesty’s Revenue and Customs, the Serious Organized Crime Agency, the Police Service of Northern Ireland, and an obscure Scotland-based surveillance unit called the Scottish Recording Centre. There was little evidence of safeguards being in place to prevent the databases being abused, or accessed illicitly by unauthorised individuals at the agencies involved.