CHINA-SOUTH AFRICA

Are South Africans safe with Huawei? (Part 2): A different kind of virus

By Heidi Swart 10 June 2020
The logo of Huawei, a Chinese mobile phone manufacturer, is displayed in their booth during the 2020 International Consumer Electronics Show at the Convention Center in Las Vegas, Nevada, USA, 07 January 2020. EPA-EFE/ETIENNE LAURENT

Covid-19 has lent renewed vigour to the US’s drive to keep Huawei out of global 5G networks. But South Africa has never shared US fears that Huawei will spy for China and, if anything, the pandemic has strengthened the country’s ties with the company. Yet it’s easy to forget that Huawei has major, long-standing cybersecurity issues.

First, let’s get the good news out of the way. British intelligence services have been scrutinising Huawei’s network equipment for more than a decade, but have never reported evidence of the Chinese state using the company’s technology for espionage.

So, for the time being, let’s set aside discussions of trade spats, extreme sanctions and cyberwars between global superpowers and talk about something far less exciting: cybersecurity in South Africa.

Now for the bad news. British intelligence services have repeatedly found that Huawei has serious, company-wide cybersecurity issues and, over the years, the company has often been unable to resolve them.

Fortunately for the Brits, UK authorities say they can handle the cybersecurity risks posed by Huawei equipment. Unfortunately for South Africans, our country’s resources to mitigate such risks don’t come close to the UK’s arsenal. This is despite the fact that South Africa is far more reliant on Huawei than the UK.

Huawei’s cybersecurity issues have become public knowledge thanks to annual reports published over the past five years about the work of a unique facility in the quaint town of Banbury in Oxford in the UK. It’s the Huawei Cyber Security Evaluation Centre (HCSEC) and within it UK cyber experts examine Huawei equipment for security flaws. 

(In case you are new to all of this: examples of telecom equipment include antennae, base stations, switches – the digital version of the erstwhile telephone exchange – and all the software that accompanies such equipment.) 

HCSEC’s work is overseen by a special oversight board, which is chaired by the chief executive officer of the UK’s National Cyber Security Centre (NCSC), the country’s leading authority on cybersecurity. The NCSC is a division of Britain’s leading electronic signals intelligence agency, the Government Communications Headquarters (GCHQ).

Huawei and several network operators also have representatives on the board. Every year since 2015 the oversight board has issued a report to the UK cabinet on HCSEC’s work. The next annual report is due in a few months.

The 2019 report states that HCSEC has repeatedly detected “significant technical issues” in Huawei’s “unique software engineering and cyber security processes”. The report said the issues brought “significantly increased risk” to the UK’s networks.

It also stated that the HCSEC oversight board had “not yet seen anything to give it confidence in Huawei’s capacity” to implement its own plans to fix “underlying defects”.

The findings are significant for South Africans too: Huawei equipment is critical to the country’s telecoms networks, and the HCSEC’s findings show that cybersecurity issues potentially occur in many Huawei products, so problems aren’t necessarily limited to the UK’s networks.

Keywords from the 2019 HCSEC report are “unique” and “underlying”. It means that the problems are specific to Huawei as a company, and to the way their engineers work.

All telecoms equipment manufacturers have security issues. But the 2019 report repeatedly states that Huawei does not meet expectations of “industry good practice”. In a June 2019 press conference, about two months after the report was released, the technical director of the NCSC, Ian Levy, put it more bluntly to The Guardian:

“Huawei as a company builds stuff very differently to their Western counterparts… the security is objectively worse.”


To boot, the 2019 report expressed the NCSC’s strong doubts about future Huawei products, stating that it was “highly likely that there would be new software engineering and cyber security issues in products” that HCSEC had “not yet examined”.

Huawei has acknowledged the problem. In response to the findings last year, rotating chairman Eric Xu said the company was “definitely not just about addressing the concerns of the UK”.

Huawei has promised company-wide transformation, pledging $2-billion over a five-year period to do that. Xu said this was “just an initial fund”. But the 2019 HCSEC report was sceptical, stating that it was “no more than a proposed initial budget for as yet unspecified activities”.

At the June 2019 press conference, Levy said he still hadn’t seen any concrete plans, saying that Huawei had a lot of work to do: “You wouldn’t expect to have, in six months since we published that report, less than that, them coming out going ‘we’ve fixed it’. That would be unachievable.”

Although the last report was damning, a closer look shows some problems go much further back, illustrating Huawei’s long-standing inability to fully resolve cybersecurity issues.


In 2010, UK cybersecurity authorities demanded that Huawei fix problems with a practice known as configuration management. Roughly speaking, this is a fundamental part of the software development process that can affect cybersecurity. Huawei worked to improve their processes, but UK authorities weren’t satisfied. In 2016, HCSEC issued a special report about the lingering issues, but Huawei rejected it. Those issues remained, with the 2019 report labelling them “systemic across the product lines in the company”.

By 2018 there was fresh hell for the UK’s cyber experts, with that year’s HCSEC report stating that “shortcomings in Huawei’s engineering processes have exposed new risks in the UK telecommunication networks”. For the first time, the HCSEC oversight board said it “could provide only limited assurance” that all risks posed by Huawei equipment to the UK’s national security could be “sufficiently mitigated”. In 2019 the risks remained.

Additional unknowns are something South Africa can scarcely afford in its fight against cybercrime, especially now. Cybersecurity attacks saw a massive increase in March following the announcement of the National State of Disaster, Business Day reported. According to cybersecurity firm Kaspersky Lab, numbers were up from 30,000 targeted devices per day to as many as 310,000. 

Multiple experts have sharply criticised South Africa’s lax cybersecurity, with phrases like “horribly exposed” and “safe haven for cyber criminals” used to describe the situation. Major criticisms include inaction from intelligence services and ineffective legislation.

There is no equivalent to the UK’s HCSEC in South Africa, despite the fact that the country is infinitely more dependent on Huawei than Britain is. In the UK, Huawei components are only used in so-called non-core parts (like base stations and radio antennae); South Africa relies on Huawei for both core and non-core components, particularly Cell C, Telkom and Rain.  

The core network is considered far more sensitive as it is basically the “brain” of the network. It carries far more information because it keeps track of customer billing data, connects calls and routes data, among other things. If hackers target the core, they can steal massive amounts of information, or bring down the network.

However, the NCSC has said it cannot effectively mitigate the risks of components from vendors like Huawei in core networks, which is why Huawei gear is only used in non-core parts. In January, despite pressure from the US to ban Huawei, British Prime Minister Boris Johnson gave the company a 35% share in the roll-out of future non-core 5G network sections. The British were able to do this in part because they have the HCSEC to help mitigate risk.

(An aside: The UK’s announcement in late May that the NCSC would do an emergency security review on Huawei following even stricter sanctions from the US, means a new question mark hangs over Huawei’s future in the UK. The matter is likely not so much one of espionage, but rather an issue of supply chain risk. The US sanctions will prevent any company, regardless of nationality, from selling parts to Huawei if US tech was used to make those parts.)


Although the UK’s intelligence community will continue to push Huawei to improve its cybersecurity practices, they can only advocate for better product security in UK networks. That means South Africa cannot necessarily rely on the outcomes of HCSEC’s efforts to see improvements in its own network security. It also doesn’t look like South Africa will be getting its own HCSEC any time soon.

HCSEC’s history reveals some prerequisites for establishing a cybersecurity evaluation centre that’s accountable to both governments and their citizens. These include highly skilled cybersecurity experts, skilled intelligence officials, mechanisms to hold intelligence officials accountable, and strong political will. But there are clear indications that South Africa lacks these prerequisites.

First, South Africa reportedly has a significant shortage of skilled cybersecurity technicians. Though it is unclear just how many are needed, the government views it as a major problem. Globally, the research group Cybersecurity Ventures estimates a 3.5 million shortage of cybersecurity experts by 2021.

HCSEC is staffed with about 40 cybersecurity experts who work with Huawei’s research and development teams and UK network operators to address security problems. These experts have to make it through strict government security vetting processes.

More specifically, HCSEC examines the source code of Huawei’s software for vulnerabilities. Roughly speaking, source code is the original blueprint of a software programme. In general, vulnerabilities are weak points in source code that can allow a hacker to insert malicious software, such as a virus, into the system. Such software can, in turn, allow a hacker to shut down a network completely, disable parts of it, take control of it, steal data or spy on communications and internet activities.

Vulnerabilities can include bugs and backdoors: the former are innocent errors in computer code that may cause malfunctioning, while the latter are sections of code deliberately built-in that allow a hacker to secretly take control of a system and intercept data, including trade secrets and communications.

Then there’s the so-called “bugdoor” – a backdoor dressed up as a bug, ideal for espionage since one cannot prove intent to spy even if you detect the error.

Every time software is updated, it’s possible for these vulnerabilities to be inserted into the code. Constant scrutiny is needed.

Not just anyone can audit Huawei’s source code. The 2019 report states that the work requires “exceptional technical skill and insight”, due to Huawei’s “exceptionally complex and poorly controlled development” process. In certain cases, the report states, Huawei developers “may be actively working to hide bad coding practice”.


Just how hard that job is became clear when HCSEC tried to ensure consistently “clean” source code (ie, code free of bugs and backdoors) through the highly complex process of “demonstrating binary equivalence”. HCSEC has been trying to do this for a while now, at least as far back as 2016, according to that year’s annual report. But the experts cannot get it right because of Huawei’s complex development processes. In fact, the 2019 report shows that the more they try, the more flaws they uncover.

It’s a problem because it means the version of a product evaluated in the HCSEC lab may not be identical, or at least similar, to the same version of that product running in the actual network. An inability to compare apples to apples, roughly speaking.

Eventually, HCSEC hopes to routinely demonstrate binary equivalence with all Huawei products in UK networks, as “is usual with a well-managed software engineering process”, the 2019 report reads. But, at the time, even with skilled experts, it was declared “impractical at any useful scale”.
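Demonstrating binary equivalence, as described above, comes down to rebuilding a product from the audited source and checking that the result is byte for byte the artefact running in the network. The following is an added example, not HCSEC’s tooling or anything from Huawei: it uses Python bytecode as a stand-in for firmware, shows how a timestamp baked in by the build makes two builds of identical source differ, and shows a deterministic build mode making them match. The source text, build times and function names are constructed for the illustration.

```python
import hashlib
import os
import py_compile
import tempfile
from pathlib import Path

# Constructed stand-in for the audited source of a (tiny) network component.
AUDITED_SOURCE = "def route(call_id):\n    return f'core:{call_id}'\n"


def build(source: str, workdir: Path, mtime: int, deterministic: bool) -> bytes:
    """Turn source into a bytecode artefact, the way a vendor build turns source
    into firmware. `mtime` stands in for whatever differs between the vendor's
    build machine and the evaluator's rebuild (here: the source file's timestamp)."""
    src = workdir / "component.py"   # same path both times: the path is baked into the .pyc
    src.write_text(source)
    os.utime(src, (mtime, mtime))
    mode = (py_compile.PycInvalidationMode.CHECKED_HASH   # header carries a hash of the source
            if deterministic else
            py_compile.PycInvalidationMode.TIMESTAMP)      # header carries source mtime and size
    out = workdir / "component.pyc"
    py_compile.compile(str(src), cfile=str(out), invalidation_mode=mode, doraise=True)
    return out.read_bytes()


def first_difference(a: bytes, b: bytes):
    """Offset of the first differing byte, or None if the artefacts are identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def check_binary_equivalence(source: str, deployed: bytes, workdir: Path,
                             rebuild_mtime: int, deterministic: bool) -> dict:
    """Rebuild from the audited source and compare with the deployed artefact."""
    rebuilt = build(source, workdir, rebuild_mtime, deterministic)
    same = hashlib.sha256(deployed).digest() == hashlib.sha256(rebuilt).digest()
    return {"equivalent": same, "first_difference": first_difference(deployed, rebuilt)}


def demo(deterministic: bool) -> dict:
    """Vendor builds at one time; the evaluator rebuilds later from the same source."""
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        deployed = build(AUDITED_SOURCE, workdir, mtime=1_600_000_001,
                         deterministic=deterministic)
        return check_binary_equivalence(AUDITED_SOURCE, deployed, workdir,
                                        rebuild_mtime=1_700_000_002,
                                        deterministic=deterministic)


if __name__ == "__main__":
    # Same source, different build time: the timestamp header breaks equivalence.
    print("non-deterministic build:", demo(deterministic=False))
    # Hash-based header: the rebuild matches the deployed artefact exactly.
    print("deterministic build:   ", demo(deterministic=True))
```

The first difference in the non-deterministic case sits inside the 16-byte bytecode header, not in the compiled code itself; a real evaluation has to explain every such difference before it can say anything about the code.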

To keep things under control, apart from sharp cybersecurity experts, you need even sharper intelligence agents.

Securing critical infrastructure – like telecoms networks – is a standard component of the mandates of intelligence services the world over. In addition, commercial network operators cannot necessarily be left to their own devices, as the NCSC’s Levy explains.

Ultimately operators need to make a profit and if cheaper, less secure equipment does the job, they’ll buy it: 

“No one currently buys telecoms services based on how secure they are, so a company wouldn’t get rewarded if they invested more than their competitors in making a more secure service,” says Levy.

But if the government sets minimum cybersecurity standards for operators, it evens out the playing field. 

There is, however, a vast difference between UK and South African intelligence agencies. 

The UK’s GCHQ took the initiative to start engaging with Huawei in 2003, about two years before the company signed its first big UK contract with British Telecom (BT). The GCHQ did so without orders from any UK ministry. In fact, BT signed the deal with Huawei without consulting any ministers about security issues.

Despite this lack of ministerial involvement, the GCHQ went ahead and built working relationships with Huawei’s China-based research and development teams to resolve security issues, and established the same with Huawei’s Product Security Incident Response Team (PSIRT), a division dedicated to dealing with new vulnerabilities as they arise. This wasn’t always easy. The 2015 and 2016 HCSEC annual reports show that the relationship between HCSEC and the PSIRT got off to a tense, rocky start.


In South Africa, the body ultimately responsible for leading the fight for national cybersecurity is the State Security Agency (SSA). The Minister of State Security, Ayanda Dlodlo, has said the SSA has things “covered”.

In July 2019, she wrote a reply to a parliamentary question about 5G and national security that shed a rare bit of light on the SSA’s activities. (5G is a new technology standard that will allow for much faster internet speeds. South Africa is in the early stages of rolling out its 5G networks and Huawei will play a crucial role.) Dlodlo assured Parliament that existing 2G, 3G and 4G networks are “covered by the current security precautions and methods applied by SSA security advisory services and related stakeholders”.

She added: “SSA will [be required to] further verify and continuously monitor all hardware and software providing 5G services to detect potential threats and vulnerabilities as manda (sic).”

Apart from the rest of that last paragraph, the statement also leaves out details about just how the SSA will “continuously monitor” all that hardware and software.

The minister’s promise of security is made against the backdrop of an embattled organisation. It is still reeling from Jacob Zuma’s presidency; in 2018 a formal presidential review panel found that it had been turned into his private spy agency and that the agency had “an almost complete disregard for the Constitution, policy, legislation and other prescripts”. Now, corrupt officials need to be ousted, and the agency restructured simultaneously.

Legislation empowering the SSA to fight cybercrime is somewhere in the ether. The Cabinet approved the National Cybersecurity Policy Framework in 2012 as a blueprint to secure cyberspace, but the SSA only formally published it in 2015, and it’s nowhere near a stage of comprehensive implementation.

The legislation meant to give the framework teeth, the Cybercrimes and Cybersecurity Bill, was first published for public comment in August 2015. But it is now with the Select Committee on Security and Justice in the National Council of Provinces (NCOP). The NCOP is processing public comments on the bill, with a major issue being that, in its current form, it allows authorities to search people’s computers without warrants.

There is also doubt in the South African Police Service’s (SAPS) ability to implement sections of the bill for which they are responsible.

Then there is what may be a mere PR disaster or signs of institution-wide incompetence.

In February, Dlodlo, her deputy minister, Zizi Kodwa, and an undisclosed number of departmental officials had their cellphones cloned. Officials realised this when some of them received text messages from Kodwa that he didn’t send. At the time, the department said it didn’t know who the culprits were or if confidential information was stolen but had reported the case to the police. 

The public is unlikely to find out to what extent the cloning episode speaks to the SSA’s abilities to secure cyberspace. This brings us to a third prerequisite for establishing an HCSEC: parliamentary oversight.

Such oversight in the UK strongly contributed to HCSEC’s public accountability. HCSEC started off in 2010, but it was not until 2014 that oversight was ramped up. It was prompted by a scathing and public report from the UK’s parliamentary intelligence and security committee and a subsequent review of HCSEC’s governance by Britain’s National Security Adviser.

This resulted in establishing the HCSEC oversight board and its annual reporting to Cabinet. The report includes advice on Huawei’s risk levels and the results of Ernst & Young’s annual audits that aim to ensure that HCSEC is running without interference from its funder, Huawei. So far (and to Huawei’s credit), unlike Huawei’s code, those audits have come up clean.

But in South Africa, the parliamentary body that is supposed to hold the SSA publicly accountable – the Joint Standing Committee on Intelligence (JSCI) – never allows public attendance of its meetings. The JSCI is shrouded in as much mystery as the SSA itself.


Another way in which politicians can call the SSA to account in Parliament is to ask the minister of state security direct questions. But it is easy to provide evasive answers. A mainstay response for sensitive matters is that anything considered part of the SSA’s “broader operational framework” is “classified and privileged”. This is routinely followed by assurance from the minister that the SSA will be held accountable by the JSCI.

This leaves us with the fourth prerequisite for a transparent evaluation centre for Huawei products: political will.

When Boris Johnson was sandwiched between UK network operators’ commercial imperatives and pressure from the US to oust Huawei, he compromised by allowing Huawei only a limited share in future 5G networks. But, after giving Huawei the green light, Johnson faced, as the UK Independent put it, his “first major Commons rebellion”, with senior Conservative MPs wanting Huawei out of the UK’s networks by 2022.

Johnson is now facing renewed pressure from conservatives to backtrack on his decision after Covid-19 stirred an anti-China backlash in the British Parliament.

Quite the opposite has occurred in South Africa. In July 2019, President Cyril Ramaphosa came out guns blazing in support of Huawei, saying that “only this company Huawei can lead us to 5G”, and calling Huawei a “victim” of the US-China trade war.

Praise for Huawei from South African officials is nothing new. Ministers have a history of pleasant interactions with Huawei, attending marketing events, publicly expressing their dedication to cooperate with Huawei and handing out awards of excellence.

The bond seems to have been strengthened by the Covid-19 disaster. In March, Huawei donated R1-million to battle the disease. According to the Huawei press release, Health Minister Zweli Mkhize “hailed the donation as a very important mark of friendship, solidarity and partnership from Huawei and other Chinese businesses”. The company also donated special diagnostic equipment.

Compared to the UK, South Africa also doesn’t face a strong external political push to oust Huawei. Britain’s 74-year membership of the Five Eyes Alliance contributed greatly to pressure from the US to ban Huawei. The alliance, born out of World War II, is an information-sharing espionage network that includes the US, Australia, Canada, New Zealand and the UK.

There’s also a Fourteen Eyes Alliance – the Five Eyes plus Denmark, France, the Netherlands, Norway, Germany, Belgium, Italy, Spain and Sweden. Since 2018, as US pressure has mounted, Huawei has established the Huawei Security Innovation Lab in Bonn, Germany, and the Huawei Cyber Security Transparency Centre in Brussels, Belgium.

In February 2019, Huawei offered to open up a security centre in Poland, after a Huawei employee was arrested for espionage, putting pressure on the company to prove its trustworthiness.

In South Africa, there is little sign of this kind of pressure. In World War II, the country was an intelligence ally to the UK but didn’t make it into any special clubs thereafter. 

In the end, there is no apparent pressure on the SSA to take the lead in securing South Africa’s telecoms networks. It seems highly unlikely that South Africa will establish something akin to the HCSEC to hold Huawei accountable to Parliament and the public. And that is the real risk.  DM

Daily Maverick sent questions to all five major network operators, the State Security Agency, the Joint Standing Committee on Intelligence and, of course, Huawei. We received answers from Huawei, as well as all operators except Cell C. Since the responses are detailed and technical, we’ve published them in full for our readers. The JSCI referred the questions to the SSA. The SSA did not answer our questions.

Read Huawei’s full response here.

Read MTN’s full response here.

Read Rain’s full response here.

Read Telkom’s full response here.

Read Vodacom’s full response here.

Heidi Swart is an investigative journalist who reports on surveillance and data privacy issues. This story was commissioned by the Media Policy and Democracy Project, an initiative of the University of Johannesburg’s Department of Journalism, Film and TV and Unisa’s Department of Communication Science.
