Technical and supply-chain issues with equipment made by Chinese firm Huawei have exposed Britain's telecom networks to new security risks, a government report said on Thursday.
The assessment, made in a report signed off by Britain's GCHQ spy agency, will intensify the espionage debate around Huawei Technologies, which has come under increasing fire in the United States and Australia over concerns it could facilitate Chinese government spying.
The report was released after sources told Reuters that senior British security officials say they can now give only limited assurances that Huawei's UK operations pose no threat to national security, downgrading their previous position.
"Identification of shortcomings in Huawei's engineering processes have exposed new risks in the UK telecommunication networks and long-term challenges in mitigation and management," officials said in the report.
Huawei, the world's biggest producer of telecoms equipment, said that it welcomed the thrust of the report by the Huawei Cyber Security Evaluation Centre (HCSEC) oversight board, which it said showed supervision by British authorities was working well.
"The report concludes that HCSEC's operational independence is both robust and effective. The Oversight Board has identified some areas for improvement in our engineering processes," a Huawei spokesman said.
"We are grateful for this feedback and are committed to addressing these issues. Cyber security remains Huawei's top priority, and we will continue to actively improve our engineering processes and risk management systems."
Huawei says no inspection has ever found any backdoor vulnerabilities in its equipment. It says it is a private company not under Chinese government control and not subject to Chinese security laws overseas.
Huawei is a major supplier of broadband gear and mobile networks in Britain, meaning its products are used in critical national infrastructure which could be targeted by foreign adversaries.
London says it effectively addresses security issues by having all Huawei products reviewed by staff at a special company laboratory overseen by British government and intelligence officials.
The laboratory, known as HCSEC, was set up by Huawei in 2010 in response to British government concerns about possible security threats to national infrastructure. British security officials, including from GCHQ, sit on its oversight board and report annually on its work.
But for the first time, Thursday's report by the oversight board reduced the level of security assurance it said was provided by HCSEC.
Officials said HCSEC provided "unique, world-class cyber security expertise and technical assurance," but also that they had identified technical issues which limited security researchers' ability to check internal product code.
There were also concerns about the security of components from outside suppliers which are used in Huawei products, the report said.
A spokesman for Britain's National Cyber Security Centre, which is part of Government Communications Headquarters (GCHQ), said a program to resolve the code issue was underway and should be completed by mid-2020.
HCSEC is discussing questions about the use of third-party software with Huawei, he added, with the aim of finding a "strategic fix" for the problem."
"This government and British telecoms operators work with Huawei at home and abroad to ensure the UK can continue to benefit from new technology while managing cyber security risks," he said.
Previous oversight board reports published in each of the last three years concluded that HCSEC provided "assurance that any risks to UK national security from Huawei's involvement in the UK's critical networks have been sufficiently mitigated."
A person with direct knowledge of Huawei's work with the British government said the new assessment that HCSEC could now only provide limited assurance was a "big change, though understated."
Huawei has been deepening ties in Britain over the last decade and now supplies broadband equipment to the country's largest telecoms provider, BT Group, and mobile networks for wireless giant Vodafone Group.
It is also a major supplier to other European telecom carriers including Deutsche Telekom and Telefonica.
BT, its operating subsidiaries, and Vodafone were not immediately available to comment on Thursday's report.
Huawei employs 1,500 people in Britain and in February pledged to spend a further 3 billion pounds ($4.01 billion) in Britain following a high-profile meeting between chairwoman Sun Yafang and British Prime Minister Theresa May.
That is in stark contrast to the United States, where lawmakers have stepped up efforts to bar Huawei equipment from the country's networks.
Huawei has also been thwarted in its efforts to establish its U.S. mobile handset business. The largest U.S. consumer electronics retailer, Best Buy, has stopped stocking Huawei products, and a potential breakthrough deal with U.S. carrier AT&T collapsed in January.
Australia is also preparing to ban Huawei from supplying equipment for its planned 5G broadband network, two sources told Reuters last week, after its intelligence agencies raised concerns that Beijing could force the company to hand over sensitive data.
Additional reporting by Eric Auchard; Editing by Jonathan Weber, Jon Boyle and Alexandra Hudson.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.