Garrett Marquis, a spokesman for the National Security Council, said the United States commended Britain “for taking a hard look at its telecommunications vendors in order to ensure the maximum security of its networks.” He added, “We share many of the concerns listed in the Oversight Board’s report.”
The British authorities are trying to differentiate Huawei’s security flaws from a broader effort by Beijing to infiltrate Britain’s networks. The report on Thursday described a company with poor engineering practices and problems stemming from those engineering flaws, more than a company operating on the orders of Chinese authorities.
In the report, British officials determined that Huawei could not replicate much of the software it built, meaning that the authorities could not be sure what code was being introduced into the country’s wireless networks. They added that Huawei had poor oversight of suppliers that provided components for its products.
“There remains no end-to-end integrity,” the report said.
A senior American government official, speaking on condition of anonymity to discuss sensitive internal deliberations about Huawei, said the British finding of pervasive sloppy engineering underscored concerns about the security risks and hidden costs of using cheaper Huawei equipment in 5G networks.
The environment at Huawei could allow for the intentional introduction of an exploitable flaw that would be lost in the background noise of poor practices, the official said. The official added that the intelligence community did not expect to find overt, smoking-gun “back doors” in Huawei code clearly meant to permit illicit access to network data. Instead, it expects “bug doors” — flaws that can be explained away as a mere mistake if they come to light, but that can be exploited for the same purposes by China or by other sophisticated actors who discover them.
Since 2010, Britain has had an oversight board, now led by the National Cyber Security Center, tasked with overseeing Huawei’s operations. The company’s products and code are reviewed at a security lab about 70 miles outside London. In November, after British officials raised questions with Huawei about its practices, the company pledged to spend $2 billion over the next five years to improve its software and security processes.
The approach is seen as a potential model for other countries looking to add more safeguards over Huawei. Germany has opened a security lab in Bonn where Huawei’s equipment and code can be reviewed. The company has also opened a facility in Brussels to appease the concerns of European Union officials.