Canada’s cybersecurity watchdog is refusing to say whether it found the same security and software defects in telecommunications equipment from China’s Huawei Technologies Co. Ltd. that Britain’s cyberspy agency identified last week.
The British government’s National Cyber Security Centre, which oversees the vetting of Huawei gear and includes officials from Britain’s GCHQ signals intelligence agency, issued a report last Thursday citing ongoing security and software engineering problems with Huawei gear.
“Overall, the oversight board can only provide limited assurance that all risks to U.K. national security from Huawei’s involvement in the U.K.’s critical networks can be sufficiently mitigated long-term,” the report said.
The British cybersecurity agency said if an “attacker has knowledge of these vulnerabilities and sufficient access to exploit them, they may be able to affect the operation of a U.K. network, in some cases causing it to cease operating correctly.”
The British said they do not believe the “defects identified are a result of Chinese state interference.”
Canada’s Communications Security Establishment, which handles cybersecurity and oversees the testing of Huawei gear, would not say if it found similar defects.
CSE set up independent labs in 2013, staffed by security analysts, that test all Huawei equipment. Unlike the British agency, CSE does not release annual reports on these tests.
The agency told The Globe and Mail the security review program for Huawei equipment prevents it from releasing the results.
“While non-disclosure agreements prohibit CSE from disclosing further details of this testing process, Canadians can rest assured that the government of Canada is working to make sure the strongest possible protections are in place,” CSE said in a statement.
John Adams, who ran CSE from 2005-2012, told The Globe on Monday it is “logical” that the cyberspy agency would have found the same flaws as the British. Mr. Adams said he does not trust Huawei equipment and believes Canada should join its Five Eyes intelligence-sharing partners in banning the Chinese telecom giant’s equipment from next generation 5G mobile networks.
Christopher Parsons, a senior research associate at the Citizen Lab, a cybersecurity outfit at the Munk School of Global Affairs, said there’s a good chance that testing conducted for CSE may also be finding those flaws.
“I would be surprised if they weren’t finding similar sorts of deficiencies in the networking appliances they are assessing,” Mr. Parsons said.
He said he thinks CSE should disclose what Canada’s tests find. “I think Canadians do have a right to know and understand the actual state of what is going on.”
Mr. Parsons said the CSE doesn’t seem to be transmitting the same concern as U.K. authorities.
“It seems when you read work coming out of the U.K., there is increasing concern about the ability to manage risk, and we don’t get the same sort of messaging out of CSE. Whether that is because we are not finding the same sorts of issues or there is a different relationship, we don’t know.”
Alykhan Velshi, vice-president of corporate affairs for Huawei Canada, declined to say why Huawei doesn’t seek the release of the Canadian test results.
“As you will appreciate, we work closely with Canadian government cybersecurity officials to support the integrity of Canada’s high-speed telecommunications networks. Unfortunately, we cannot speak to the details of that work other than to say that in more than 12 years of operation in Canada, we have never been associated with a single security breach or incident.”
Canada remains the only member of the Fives Eyes alliance – the United States, Australia, New Zealand and the U.K. - that has not taken any action to ban or curb Huawei’s participation in 5G networks.
In July, Prime Minister Boris Johnson reversed a decision to grant Huawei a limited role in the U.K.’s 5G infrastructure, ordering the company’s equipment to be purged from national networks by the end of 2027.
The reason given was the impact of new U.S. restrictions on chip technology that meant Huawei was no longer a reliable equipment supplier.
The Globe has reported that Canada’s military and the Canadian Security Intelligence Service want Ottawa to block Huawei, saying it is not a trusted vendor and that its 5G equipment could be used for Chinese espionage or to disable crucial infrastructure during an international crisis.
The Globe reported that the CSE has argued that robust testing and monitoring of Huawei’s 5G equipment could mitigate potential security risks.
Chinese law requires companies to “support, co-operate with and collaborate in national intelligence work” as requested by Beijing. Security experts in the United States, Australia and Canada warn that equipment produced by firms such as Huawei could be compromised on behalf of China’s ruling party.
The Globe reported in January that the Ministry of Innovation, Science and Industry has several options ready for the federal cabinet that include maintaining the status quo, toughening checks on Huawei’s 5G wireless systems and a ban.
An outright ban could saddle Canadian telecoms with hundreds of millions of dollars in extra costs and upgrades, the official said.
Know what is happening in the halls of power with the day’s top political headlines and commentary as selected by Globe editors (subscribers only). Sign up today.