By Jack Stubbs and Joseph Menn
LONDON/SAN FRANCISCO (Reuters) – Huawei Technologies is facing increased scrutiny in Britain because it is using an ageing software component sold by a firm based in the United States, one of the countries where lawmakers allege its equipment could facilitate Chinese spying, sources told Reuters.
The fact that the British misgivings stem in part from Huawei’s relationship with a U.S. company shows how trade wars and heightened national security concerns are making it harder for technology firms and governments to safeguard products and communication networks.
A report last month by a British government oversight board charged with analysing Huawei equipment said it had found technical and supply chain “shortcomings” which exposed the country’s telecoms networks to new security risks.
One of those is due to Huawei’s use of the VxWorks operating system, which is made by California-based Wind River Systems, said three people with knowledge of the matter, all of whom spoke on condition of anonymity when discussing details which were not made public in the report.
The sources said the version of VxWorks being used by Huawei will stop receiving security patches and updates from Wind River in 2020, even though some of the products it is embedded in will still be in service, potentially leaving British telecoms networks vulnerable to attack.
“Third party software, including security critical components, on various component boards will come out of existing long-term support in 2020, even though the Huawei end of life date for the products containing this component is often longer,” the July report, which did not name VxWorks, said.
U.S. and Australian lawmakers have said Huawei’s products can be used to facilitate Chinese espionage operations, an allegation the world’s biggest producer of telecoms equipment has repeatedly denied.
All three sources said there was no indication that the VxWorks mismatch was deliberate. There is also no suggestion that the software itself represents a security risk.
Reuters was not able to establish which Huawei products were involved or what steps the Chinese company was taking to address the issue.
A spokeswoman for Wind River Systems said she was unable to comment on Huawei, but said the company often helped customers upgrade to newer software versions. “Wind River offers migration routes and paths for its customers, which should be pretty well known and understood in the industry,” she said.
A Huawei spokesman declined to comment on specific issues in the report but said the company would address any areas for improvement which were raised by British authorities.
“Cyber security remains Huawei’s top priority, and we will continue to actively improve our engineering processes and risk management systems,” he said.
While the United States and Australia have moved to restrict the use of its gear due to security concerns, Huawei has been deepening ties with Britain, supplying broadband equipment to its largest telecoms provider, BT Group <BT.L>, and mobile networks for wireless giant Vodafone Group <VOD.L>.
Consultant Edward Amoroso, a former chief security officer at AT&T, said Huawei’s experience in Britain showed the challenges of securing international supply chains.
Although no one should dismiss Huawei as a supplier solely because of its geographical location, reliance on software that is going out of support is a legitimate concern, Amoroso said.
“I don’t care if it’s from China, Indiana or the moon, it speaks badly for them,” he added.
The globalised nature of the technology industry has come under increasing scrutiny as countries seek to limit the use of equipment from nations they regard as adversaries.
In the United States, the Pentagon is working on a “do not buy” list to block vendors who use software code originating from Russia and China, and Moscow has had problems implementing a data storage law without relying on foreign technology.
By contrast, London says it effectively addresses any security issues presented by the use of Huawei products as part of Britain’s critical national infrastructure by having the equipment reviewed by staff at a special company laboratory.
This is overseen by British government and intelligence officials who report annually on its work. In addition to the issue with VxWorks, this year’s report also cited technical issues which limited security researchers’ ability to check internal product code.
Many in the cybersecurity industry say efforts to bar equipment or software on grounds of nationality are futile because of the deeply inter-dependent nature of the global technology business.
“There’s a real dilemma for policy makers, for politicians,” said Robert Hannigan, former director of Britain’s GCHQ spy agency and now executive chairman for Europe at cybersecurity services firm BlueVoyant.
“How do we find a way of taking advantage of foreign technology in a way that we don’t think compromises our security? That’s a really difficult balance to get.”
(Editing by Jonathan Weber and Alexander Smith)