UK security experts found a flaw of "national significance" while analysing technology from Chinese networking company Huawei, according to a government report[1].
Huawei's software engineering and cybersecurity practices have been criticised in the annual report (PDF)[2] from the Huawei Cyber Security Evaluation Centre (HCSEC), which was set up by the UK government and the networking giant to evaluate equipment which is to be used in UK networks.
The centre was opened in 2010, with the aim of reducing any potential risk from using Huawei's technologies as part of the UK's critical national infrastructure. As such, the HCSEC annual report provides detailed analysis of the company's software, engineering and cybersecurity processes.
"HCSEC's work has continued to identify concerning issues in Huawei's approach to software development bringing significantly increased risk to UK operators, which requires ongoing management and mitigation," the report said, adding that limited progress has been made on the issues raised in the previous report.
Overall, the board that oversees the centre said it could only provide "limited" assurance that all risks to UK national security from Huawei's involvement in the UK's critical networks can be sufficiently mitigated long-term.
"The increasing number and severity of vulnerabilities discovered, along with architectural and build issues, by the relatively small team in HCSEC is a particular concern. If an attacker has knowledge of these vulnerabilities and sufficient access to exploit them, they may be able to affect the operation of a UK network, in some cases causing it to cease operating correctly," it warned.
The report said a flaw of "national significance" had been discovered during HCSEC's work this year.
When a flaw is identified, HCSEC usually reports it to the NCSC, the telecoms company and Huawei, so that Huawei can fix it.
But the report noted: "In