Huawei Cyber Security Evaluation Centre: Review by the National Security Adviser



Similar documents
HUAWEI CYBER SECURITY EVALUATION CENTRE (HCSEC) OVERSIGHT BOARD

How To Manage A Corporate Council

The NHS Foundation Trust Code of Governance

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

Audit and risk assurance committee handbook

A Guide to Corporate Governance for QFC Authorised Firms

Internal Audit Terms of Reference

Effective Debt Management. Improving Debt Management Practices Worldwide

Who s next after TalkTalk?

REFORM OF STATUTORY AUDIT

Managing ICT contracts in central government. An update

UNITED KINGDOM DEBT MANAGEMENT OFFICE. Executive Agency Framework Document

REMUNERATION COMMITTEE

ASPG Conference, Perth Jonathan O'Dea - October "Financial Overseers and their Oversight A NSW Public Accounts Committee Perspective"

Cyber Security Consultancy Standard. Version 0.2 Crown Copyright 2015 All Rights Reserved. Page 1 of 13

RULES OF PROCEDURE FOR THE BOARD OF DIRECTORS, THE EXECUTIVE CHAIRMAN AND THE GENERAL MANAGER IN DOLPHIN GROUP ASA

Proposed guidance for firms outsourcing to the cloud and other third-party IT services

Internal Audit - progress report and plan

REVIEW OF THE EFFICIENCY OF THE ADMINISTRATIVE AND FINANCIAL FUNCTIONING OF THE UNITED NATIONS

INTEGRATED SILICON SOLUTION, INC. CORPORATE GOVERNANCE PRINCIPLES. Effective January 9, 2015

Odgers Berndtson Board Survey. Among CEOs in Denmark s largest corporations

The centre of government: an update

Cyber Security Evolved

European Commission Green Public Procurement (GPP) Training Toolkit - Module 1: Managing GPP Implementation. Joint procurement.

Commonwealth Secretariat Response. to the DFID Multilateral Aid Review Update

HIGHFIELD RESOURCES LIMITED AUDIT, BUSINESS RISK & COMPLIANCE COMMITTEE CHARTER

corporategovernance twothousandfourteen

1. What is a biodiversity offset?

Ramsay Health Care Limited ACN Board Charter. Charter

POLICY ON CORPORATE GOVERNANCE FOR LESOTHO PUBLIC ENTERPRISES, GOVERNMENT AGENCIES AND ENTITIES

Request for feedback on the revised Code of Governance for NHS Foundation Trusts

AUDIT AND RISK MANAGEMENT COMMITTEE CHARTER

CONTINUOUS CONTROLS MONITORING

CORPORATE GOVERNANCE. 1 Introduction. 2 Board composition and conduct

PROGRAMMES ADVISER HUMANITARIAN ISSUES MSF UK Location: London Permanent position: 40 hours / week

Application of King III Corporate Governance Principles

The promise and pitfalls of cyber insurance January 2016

Rolls Royce s Corporate Governance ADOPTED BY RESOLUTION OF THE BOARD OF ROLLS ROYCE HOLDINGS PLC ON 16 JANUARY 2015

Trends in Institutional Arrangements for Public Debt Management

The Ecumenical Board of Theological Studies - A Review

CONSULTATION PAPER CP 41 CORPORATE GOVERNANCE REQUIREMENTS FOR CREDIT INSTITUTIONS AND INSURANCE UNDERTAKINGS

E Distribution: GENERAL RESOURCE, FINANCIAL AND BUDGETARY MATTERS. Agenda item 5

Draft Corporate Governance Standard for Central Government Departments

Application of King III Corporate Governance Principles

Corporate Governance is Stretched to Breaking Point

Infratil Limited - Board Charter. 1. Interpretation. 1.1 In this Charter:

Western Australian Auditor General s Report. Information Systems Audit Report

Advocacy Training & Development Programme Blueprint

4.06 Consulting Services

Status Report of the Auditor General of Canada to the House of Commons

Corporate Governance Statement

For personal use only

The Structure of the Quality Assurance System

Aberdeen City Council. Performance Management Process. External Audit Report o: 2008/19

Compliance Review Report Internal Audit and Risk Management Policy for the New South Wales Public Sector

Corporate Governance Guidelines. Cathay General Bancorp. As adopted March 15, 2012, and amended March 20, 2014

Developing Securities Markets in East Africa: Challenging, but Well Worth the Effort

Managing debt owed to central government

Recruitment Principles April 2014 INTRODUCTION... 1 THE LEGAL REQUIREMENT... 1 MEETING THE LEGAL REQUIREMENT The selection panel...

Briefing note: GCHQ Internships

U.S. Securities and Exchange Commission

National Commission for Academic Accreditation & Assessment. Standards for Quality Assurance and Accreditation of Higher Education Institutions

TALENT MANAGEMENT AND SUCCESSION PLANNING

Hon Nikki Kaye Minister for ACC December 2015

Audit of Financial Management Governance. Audit Report

Board means the Board of Directors of each of Scentre Group Limited, Scentre Management Limited, RE1 Limited and RE2 Limited.

Notion VTec Berhad (Company No D) Board Charter

HK Electric Investments Limited

Great skills. Real opportunities.

Government response: EMR consultation on industry code and licence modifications

How To Improve Training In Australia

REVIEW OF CORPORATE SERVICES HR BUSINESS CASE

Breaking out: public audit s new role in a post-crash world AN ENGLISH PERSPECTIVE

The audit and inspection of local authorities

1.1 The Audit Committee (the Committee ) is established by the Board of Directors (the Board ) of G-Resources Group Limited (the Company ).

The overall aim for this project is To improve the way that the University currently manages its research publications data

BRITISH SKY BROADCASTING GROUP PLC MEMORANDUM ON CORPORATE GOVERNANCE

august09 tpp Internal Audit and Risk Management Policy for the NSW Public Sector OFFICE OF FINANCIAL MANAGEMENT Policy & Guidelines Paper

Federal Bureau of Investigation s Integrity and Compliance Program

Corporate Governance Code for Credit Institutions and Insurance Undertakings - Frequently Asked Questions

STATES OF JERSEY INTERNAL AUDIT: FOLLOWING UP THE REPORT OF THE COMPTROLLER AND AUDITOR GENERAL (P.A.C.3/2014) RESPONSE OF DEPARTMENTS

QUALITY ASSURANCE COUNCIL AUDIT MANUAL SECOND AUDIT CYCLE

AUDIT COMMITTEE TERMS OF REFERENCE

World Class Education and Training, for World Class Healthcare

Transcription:

Huawei Cyber Security Evaluation Centre: Review by the National Security Adviser December 2013

Executive Summary 1. The Intelligence and Security Committee (ISC) reported in June 2013 on Foreign Investment in Critical National Infrastructure. The report questioned in particular the ability of the Huawei Cyber Security Evaluation Centre (HCSEC) to operate with sufficient independence from Huawei headquarters. The report recommended that the staff in HCSEC should be GCHQ employees; or that, as an absolute minimum, oversight arrangements should be strengthened, and the Government should be more directly involved in the selection of HCSEC staff. 2. The Government welcomed the ISC report. It responded in July, with a commitment that the National Security Adviser would undertake a review of HCSEC and report to the Prime Minister. A summary of this review is set out below. In essence, the review concluded that HCSEC staff should remain part of Huawei, primarily for reasons of full access to equipment, code, and design teams. But after discussions with the Chairman of the ISC, the review also concluded that oversight arrangements should be enhanced, and GCHQ should have a leading and directing role in senior-level HCSEC appointments, in consultation with Huawei. 3. In more detail, the global reality is that virtually every telecommunications network worldwide incorporates foreign technology. Huawei equipment, for example, is now used in 140 countries and Huawei is a valued investor and employer in the UK. The Government has managed any potential security concerns through: increased engagement with the company; expert assistance to its customers, the Communication Service Providers (CSPs); and since 2010, the establishment of HCSEC. This is, moreover, part of a wider set of measures, designed with the CSPs, to minimise risk and opportunities for interference with equipment. 1

4. HCSEC s basic task is to analyse Huawei equipment to identify potential vulnerabilities. Its broader objective is to inform the design of more secure networks. This represents a relatively new approach but one that some other countries are interested in replicating. 5. The review focused on the operational independence of HCSEC, including the employment of its staff; its planning and budgetary oversight; how it did its work; and the security around the facility. The review involved visits to HCSEC, interviews with the main stakeholders, and examination of the documentary evidence. 6. The review judged that HCSEC was operating effectively and achieving its objectives, and that existing arrangements, although some of them informal, gave it sufficient independence. It noted that, after some initial teething problems, Huawei s cooperation with HCSEC appeared exemplary, with equipment and software supplied without delay and full access provided to Huawei design teams. It also noted that those vulnerabilities identified since HCSEC s establishment could be explained as genuine design weaknesses or errors in coding practice. 7. The review also judged that, although the fact of HCSEC staff being employed by Huawei appeared to create conflicts of interest, it was, in reality, the best way of ensuring continued complete access to Huawei products, codes and engineers, without which HCSEC could not do its job. In particular, were HCSEC staff not to be Huawei employees, access arrangements would be complicated by Huawei s non-disclosure agreements with its hundreds of third party suppliers. Also, there would be a possibility of commercial risk or even liabilities for the taxpayer were GCHQ, in effect, to impose themselves between Huawei and the UK telecommunications market. 8. The review s first conclusion, however, was that GCHQ s involvement in the future appointment of senior staff to HCSEC should be strengthened. At 2

present, GCHQ have a power of veto over appointments through the security vetting process. The review recommends that, in future, GCHQ should lead and direct senior HCSEC appointments (in consultation with Huawei), in particular through chairing the selection panel. 9. The review also concluded that oversight arrangements and current informal agreements between HCSEC and Huawei should be formalised, to ensure the permanent embedding of the open and cooperative relationship existing between HCSEC and Huawei, and to strengthen still further HCSEC s operational independence. The particular recommendations include: The creation of an Oversight Board. This should be chaired by a senior member of GCHQ with Huawei as Deputy Chair. Membership should be small and include representatives of Whitehall departments, including a senior member of the National Security Secretariat in the Cabinet Office, and CSPs. The Board should not get involved in the day-to-day operations of HCSEC. Instead, its purpose should be periodically to assess HCSEC s performance and verify its continuing independence from Huawei headquarters. The Board might appropriately meet quarterly. An annual objective-setting exercise for HCSEC, led by GCHQ in consultation with Huawei, and overseen by the Board. An annual review of HCSEC s performance, again overseen by the Board, and delivered to the National Security Adviser, to share with the National Security Council. This annual review should include a technical assessment of delivery, led by GCHQ, and an annual management audit of continuing independence from Huawei headquarters by appropriately vetted auditors. Summaries of both reviews will be passed to the ISC. 3

The formalisation of currently informal arrangements governing the timely provision by Huawei of equipment and code to HCSEC, and the cooperation of Huawei engineers. And, The creation of a longer-term strategy for HCSEC covering both predicted future workloads and human resource planning. 10. The Terms of Reference of the review were confined to the role, resourcing, management, independence, and overall contribution of HCSEC. Nevertheless, it became clear in the course of the work programme that there were some broader and longer term issues and concerns. Two in particular were worth highlighting. The first was an apparent shortage of individuals in the UK employment market with the necessary technical expertise and skills to fill all the available posts in HCSEC, GCHQ and the relevant parts of Whitehall. The review noted that there were already good education initiatives in place through the National Cyber Security Programme, but recommended further and broader efforts to deepen the pool of individuals with the requisite cyber security skills. 11. The second concerned the fast moving nature of the telecommunications industry. HCSEC is a model for Government collaboration with the private sector. But the industry is evolving rapidly and becoming more diverse and complex. The review therefore recommends that officials assess the security implications arising from the changing industry landscape and propose options for Ministerial consideration. Kim Darroch 4

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information