Monday, 01 April 2019 11:29

Huawei report: errors of omission, not commission


ANALYSIS That the British report into Huawei's operations in the UK used strong language to point out the engineering deficiencies in the company's approach, and then did not recommend a ban on using its equipment in telecommunications is indeed puzzling.

The only logical conclusion that can be drawn is that the Huawei Cyber Security Evaluation Centre Oversight Board considered the shortcomings to be errors of omission, not commission.

In other words, there was no malicious intention behind the sloppiness uncovered, just plain incompetence. This is not surprising given that a majority of coders the world over have very little idea about security.

Unlike the Americans, who have been throwing mud at Huawei for years in the hope that some will stick, the British report took an evidence-based approach.

Some of the issues identified were because of software choices: for example, Huawei's use of version 5.5 of Wind River's VxWorks real-time operating system, which has reached its end-of-life, in much of its network equipment. The company has obtained an extended support contract from Wind River, but that runs out in 2020.

Though the Shenzhen-based company has developed a new operating system based on Linux, the report said that the security of this new OS could not be guaranteed due to existing deficiencies in engineering processes.

In some cases, the Oversight Board's report found that processes which were set out in Huawei's own operations manual were not being followed by its staff.

While four products had been provided to test binary equivalence, that is, to verify that a shipped binary was built from precisely the source code that had been reviewed, there were issues in the underlying build process, the report said.

Similarly, build-related issues made it difficult to be sure that different deployments of similar equipment had broadly the same level of security.

"For example, it is difficult to be confident that vulnerabilities discovered in one build are remediated in another build through the normal operation of a sustained engineering process," the report said.

"The ability to do so, and the end-to-end assurance that a particular source code set is precisely that used to build a particular binary would normally be satisfied as a side effect of a modern software engineering process."
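What such a check looks like in practice, as an added illustration that is not drawn from the report, from HCSEC or from Huawei's own build system: the reviewer rebuilds the artefact from the source set that was examined, under a pinned and deterministic build, and compares it byte for byte with what the vendor delivered. Python's bytecode compiler stands in for the firmware toolchain below, the module text is constructed for the example, and the names (REVIEWED_SOURCE, TAMPERED_SOURCE, build, verify_binary_equivalence) are the example's own. The point it makes is the one the report makes: a build that embeds its own timestamp or working directory cannot be matched against a later rebuild, whereas a build whose inputs are all pinned can.

```python
"""Binary equivalence in miniature (added example, not from the HCSEC report).

A .pyc file stands in for a firmware binary. The same source is built twice;
a timestamp-based build embeds the source mtime and so never matches, while a
hash-based build with a pinned file name reproduces exactly, which is what
lets a reviewer tie a delivered binary to the source set they actually read.
"""
import hashlib
import os
import py_compile
import tempfile

# Constructed sample source set: the code the reviewer examined.
REVIEWED_SOURCE = "def checksum(data):\n    return sum(data) % 256\n"
# Constructed variant: a one-character change slipped in between review and build.
TAMPERED_SOURCE = "def checksum(data):\n    return sum(data) % 255\n"

# The two build modes under comparison (real py_compile options).
TIMESTAMP_MODE = py_compile.PycInvalidationMode.TIMESTAMP      # embeds mtime
HASH_MODE = py_compile.PycInvalidationMode.CHECKED_HASH        # embeds source hash


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build(source_text: str, mode, mtime: int) -> bytes:
    """Compile source_text in a fresh directory and return the artefact bytes.

    mtime is the source file's modification time, which a timestamp-mode build
    writes into the output header. dfile pins the recorded file name so the
    per-build temporary directory does not leak into co_filename; the C
    analogue is keeping __FILE__ and debug paths out of the binary.
    """
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "mod.py")
        out = os.path.join(d, "mod.pyc")
        with open(src, "w") as f:
            f.write(source_text)
        os.utime(src, (mtime, mtime))
        py_compile.compile(src, cfile=out, dfile="mod.py", doraise=True,
                           invalidation_mode=mode)
        with open(out, "rb") as f:
            return f.read()


def build_twice(mode):
    """Digests of two builds of identical source made at different times."""
    first = build(REVIEWED_SOURCE, mode, 1_000_000_000)
    second = build(REVIEWED_SOURCE, mode, 1_100_000_000)
    return sha256(first), sha256(second)


def verify_binary_equivalence(delivered: bytes, reviewed_source: str) -> bool:
    """Rebuild from the reviewed source under the pinned, hash-based build and
    compare with the delivered artefact. The vendor's build time and build
    directory do not matter because neither is embedded in the output."""
    rebuilt = build(reviewed_source, HASH_MODE, 0)
    return sha256(rebuilt) == sha256(delivered)


if __name__ == "__main__":
    a, b = build_twice(TIMESTAMP_MODE)
    print("timestamp-mode builds identical:", a == b)
    a, b = build_twice(HASH_MODE)
    print("hash-mode builds identical:", a == b)
    # The "vendor" build: same source, different time, different directory.
    delivered = build(REVIEWED_SOURCE, HASH_MODE, 1_234_567_890)
    print("delivered matches reviewed source:",
          verify_binary_equivalence(delivered, REVIEWED_SOURCE))
    print("delivered matches tampered source:",
          verify_binary_equivalence(delivered, TAMPERED_SOURCE))
```

The same discipline scales to a real toolchain: pin the compiler and libraries, strip timestamps and build paths from the output (SOURCE_DATE_EPOCH and path-prefix mapping are the usual levers in C toolchains), and keep the rebuild independent of the vendor's machine. Only then does "this binary came from that source" become a check rather than an assurance.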

Additionally, configuration management improvements, which had been driven by the UK community since 2010, had not been applied across product and platform development groups or across configuration item types (source code, build tools, build scripts etc).

There were other engineering issues identified as well, but the point made was the same: Huawei needs to get its act together, or the next report's language will be harsher still.

Britain's Department for Digital, Culture, Media and Sport is carrying out a review of telecommunications supply arrangements, and that review will have the final say on what kind of role Huawei plays in the UK's 5G rollout.



Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.


