A review into security arrangements between Huawei and GCHQ for vetting the firm's telecoms kit in the UK has called for several changes, although it has dismissed many of the original concerns raised.
The report was conducted after major security concerns were raised earlier this year by the Intelligence and Security Committee (ISC). The committee was concerned that Huawei had been able to carve out a dominant position in the telecoms market without scrutiny.
This also led to fears that the Huawei Cyber Security Evaluation Centre (HCSEC, also known as the Cell), used to evaluate Huawei kit in the UK, was staffed by Huawei's own employees rather than GCHQ staff.
This led to a review of the working practices at the Cell and the relationship between Huawei and GCHQ, carried out by national security adviser Sir Kim Darroch. The report has now been published and, although no major issues came to light, several recommendations have been put forward.
These focused on formalising many of the currently informal working practices between the two organisations, such as when code and equipment are made available for checking. The report also said that senior staff at the Cell should be appointed with more direct input from GCHQ.
“GCHQ’s involvement in the future appointment of senior staff to HCSEC should be strengthened. At present, GCHQ have a power of veto over appointments through the security vetting process,” it said.
“The review recommends that, in future, GCHQ should lead and direct senior HCSEC appointments (in consultation with Huawei), in particular through chairing the selection panel.”
However, the report noted that although initial concerns focused on the amount of control Huawei has over the oversight of its own equipment, this is required given the complexities involved in accessing source code.
“Although the fact of HCSEC staff being employed by Huawei appeared to create conflicts of interest, it was, in reality, the best way of ensuring continued complete access to Huawei products, codes and engineers, without which HCSEC could not do its job,” it said.
“In particular, were HCSEC staff not to be Huawei employees, access arrangements would be complicated by Huawei’s non-disclosure agreements with its hundreds of third-party suppliers.
“Also, there would be a possibility of commercial risk or even liabilities for the taxpayer were GCHQ, in effect, to impose themselves between Huawei and the UK telecommunications market.”
Huawei said it welcomed the report and that it vindicated its own strategy in tackling cyber security. "We are pleased that the model of the UK Government, the telecom operators and Huawei working together in an open and transparent way has been recognised as the best approach for providing reassurance on the security of products and solutions deployed in the UK," the firm said.
"Huawei believes it is only by working together internationally, as vendors, customers, policy and law makers, that the challenge of global cyber security can be met."
The UK's continued open-arms policy towards Huawei stands in stark contrast with other Western nations such as Australia and the US, which are far more wary of the firm given its close links to the Chinese government.
Dan Worth is the news editor for V3, having first joined the site as a reporter in November 2009. He specialises in a raft of areas including fixed and mobile telecoms, data protection, social media and government IT. Before joining V3, Dan covered communications technology, data handling and resilience in the emergency services sector on the BAPCO Journal.