Chinese telecommunications network equipment provider Huawei has suffered another setback in its ambition to supply kit for New Zealand's fifth generation, or 5G, internet services, following new criticisms from the oversight board of the UK-based Huawei Cyber Security Evaluation Centre.
The report identified "further significant technical issues ... in Huawei's engineering processes, leading to new risks in the UK telecommunications networks," the review board says in its annual report. The board is chaired by the chief executive of the UK government's National Cyber Security Centre, Ciaran Martin.
However, Huawei's local arm was quick to stress the report had "not raised any concerns of 'backdoors', or state-sponsored espionage and specifically said that there is no evidence of Chinese state interference".
Huawei NZ deputy managing director Andrew Bowater said "these software issues are not related to 5G mobile networks or technology and are not connected to any of the concerns raised in New Zealand as they relate to historic network builds in the UK".
Huawei was subject to "more scrutiny than any other player in the industry" and all networks have "potential vulnerabilities," Bowater said. "While the report does highlight issues that Huawei will improve on, it shows the collaborative evaluation approach works and reinforces the importance of working together to build better and more secure networks."
Huawei sought "a balanced framework" that would allow such a collaborative review to occur in New Zealand.
The HCSEC findings come ahead of Prime Minister Jacinda Ardern's first state visit to China on Monday, where she will meet president Xi Jinping and premier Li Keqiang.
The issue of the New Zealand government's refusal late last year to allow Huawei equipment into the New Zealand 5G network is likely to arise as Huawei has become a bellwether issue in US-China trade and intellectual property tensions.
It is also a crucial issue for local providers Spark New Zealand and TwoDegrees Mobile, both of which use Huawei equipment in the current, 4G mobile network.
In a press briefing yesterday ahead of her lightning trip to Beijing, shortened to a single day because of the domestic demands of the Christchurch mosque attacks, Ardern said she had had no "recent updates" on the Spark application. It was declined by New Zealand's NCSC equivalent, the Government Communications Security Bureau, citing national security concerns.
Spark had yet to respond to the GCSB's findings and "it's a process that's independent of me and ministers at this stage," said Ardern, who acknowledged discussion of New Zealand's telecommunications regulation regime would come up in talks in Beijing.
"I do know this is an important issue for China, but our legislation is deliberately neutral and does not discriminate against country or company."
Spark and 2Degrees are assessing their options for an appeal to the decision. But they are flying blind on the detailed reasons for the Spark application being declined and therefore are unable to offer proposals to mitigate the claimed security threats.
The issue is diplomatically sensitive because New Zealand joined other countries late last year in calling out the Chinese government for mounting co-ordinated cyber-attacks in 2017. There are also trade and geo-political tensions between the US, New Zealand's long-standing defence ally and partner in the Anglo-world global signals intelligence network known as the Five Eyes, and China, which is New Zealand's largest trading partner.
A Spark spokesman said the company was studying the HCSEC report before considering comment. There had been early hopes that the UK's watchdog approach could offer a route to New Zealand accepting Huawei equipment for the 5G roll-out over the next few years, despite the likelihood of ongoing pressure from the US not to deploy it.
Spark has been an enthusiastic user of keenly priced, actively supported Huawei gear in the 4G network. It is concerned, in part, that a ban on Huawei in the 5G network will make options from alternative suppliers less competitively priced. 2Degrees also extensively uses Huawei equipment in its 4G network.
Both companies have been arguing that as long as Huawei technology is kept out of the 'core' of the 5G network, any security issues can be dealt with. But government agencies are concerned that the decentralised nature of 5G networks raises security concerns that differ from those dealt with in the 4G network.
The HCSEC annual report says "further significant technical issues" it found had led to "new risks in the UK telecommunications networks."
"No material progress has been made by Huawei in the remediation of the issues reported last year, making it inappropriate to change the level of assurance from last year or to make any comment on potential future levels of assurance".
The 2018 review had "continued to identify concerning issues in Huawei's approach to software development" and said it would be difficult to "appropriately risk-manage future products ... until the underlying defects in Huawei's software engineering and cyber-security processes are remediated.
"The Oversight Board can only provide limited assurance that all risks to UK national security from Huawei's involvement in the UK's critical networks can be sufficiently mitigated long term."