* * *

By James Blitz and Daniel Thomas

Ever since Huawei signed a contract to provide equipment for the UK telecommunications network, intelligence experts have had a nagging concern: could the group present a risk to the security of Britain’s critical national infrastructure?

The Chinese company, which is now the second-largest provider of telecoms equipment in the world, fiercely rejects such claims.

But in several countries – most notably the US and Australia – strong concerns have been expressed about Huawei’s links to the Chinese state and People’s Liberation Army.

Security analysts fear that such links mean that any nation embedding Hua­wei’s equipment in its telecoms infrastructure might be vulnerable to cyber espionage by Beijing. It might also allow China to cripple another state’s IT network “via the back door” in the event of a conflict.

Thursday’s publication of a report by parliament’s intelligence and security committee (ISC) is the first definitive investigation into these issues within the UK.

The ISC raises two questions about the 2005 decision to allow Huawei to provide equipment for BT’s £10bn network upgrade.

First, did the UK government go to sufficient lengths to evaluate the national security risks when the contract was signed? Second, now that Huawei enjoys this foothold in Britain, what are the risks to national security?

On the first question, the ISC’s report is unreservedly damning. It says government officials were first informed in 2003 of Huawei’s potential interest in the £10bn contract. But those officials “chose not to refer the matter to ministers” – something the committee says has “shocked” them and amounts to “complacency” by Whitehall.

Officials did not consult ministers for a variety of reasons, the report says. At first they thought the BT-Huawei deal could not be legally blocked by government. They then realised it could be, but “the potential trade, financial and diplomatic consequences . . . would be too significant”.

Patricia Hewitt, the trade and industry secretary in the previous government, did discuss commercial as­pects of the deal with BT in 2005, the report says. “But officials did not . . . raise the security issues with her.”

Meanwhile, the report says Whitehall procedures for considering foreign investment in critical national infrastructure are no better now than they were 10 years ago.

The ISC then examines whether Huawei poses a security threat today. Here, the committee is more nuanced in its judgments – but still admits to concerns.

On the one hand, the committee is reassured by statements from GCHQ, the UK security service in charge of telecommunications, saying all the right technical safeguards are in place. GCHQ told the committee that it was “confident the UK network has not been at risk . . . at any stage because of the mitigations that BT have put in place from the outset”.

But the ISC also notes GCHQ’s view that “the risk of unauthorised access [to the network] cannot be completely eliminated”.

The committee says the software embedded in telecoms equipment “consists of over a million lines of code”. GCHQ feels it is “impossible to go through that much code and be absolutely confident you have found everything”.

Throughout the report, there is at no time any categorical claim – or “smoking gun” – pointed at Huawei. The ISC also accepts that it would be impractical for Britain to seek to block all Chinese companies from any future contracts relating to critical national infrastructure. “There are probably only two companies worldwide that would be able to create an end-to-end 4G system using their own equipment: Huawei and Sweden’s Ericsson.”

The ISC notes that any use of telecoms equipment sourced abroad involves a risk that needs to be managed and, in the case of Huawei, such risk management is inadequate.

The UK authorities and Huawei have set up a centre to study regularly the physical equipment and software used by Huawei. But the ISC says the centre is under Huawei’s control, and is therefore “unlikely to provide, or to be seen to provide, the required levels of security assurance”.

Copyright The Financial Times Limited 2013.