First  set  of  questions  to  Huawei  from  DM  :  17  May  2020  
 
 I  am  writing  an  article  for  the  Daily  Maverick  online  news  website  about  
the  findings  of  the  Huawei  Cyber  Security  Evaluation  Centre  in  Britain.  Last  
year,  the  HCSEC  oversight  board  reported  that  HCSEC  had  
detected    “significant  technical  issues”    in  Huawei’s  “unique  software  
engineering  and  cyber  security  processes”.    The  report  said  the  issues  
brought  “significantly  increased  risk”    to  the  UK’s  cellular  networks.  It  also  
stated  that  the  HCSEC  oversight  board  had  “not  yet  seen  anything  to  give  it  
confidence  in  Huawei’s  capacity”    to  implement  its  own  plans  to  fix  
“underlying  defects”.        The  report  also  said  that,  in  certain  cases,  Huawei  
developers  “may  be  actively  working  to  hide  bad  coding  practice”.      
   
I  also  understand  that  Huawei  has  allocated  US$2  billion  over  a  five-­‐year  
period  to  fix  the  problems  which  are  a  result  of  underlying,  company-­‐wide  
development  processes.    However,    the  National  Cyber  Security  Centre  in  
the  UK  has  said  that  they  have  yet  to  see  any  concrete  transformation  
plans.  
   
The  United  Kingdom  has  given  Huawei  a  35%  share  in  the  non-­‐core  parts  of  
its  5G  networks.    However,  the  National  Cyber  Security  Centre    has  said  
they  cannot  mitigate  the  risks  to  UK  national  security  brought  by  Huawei  
equipment  used  in  core  networks  (be  it  2G,  3G,  4G,  or  5G),  and  that  this  is  
why  they  do  not  use  Huawei  equipment  in  the  network  core.  
   
Huawei  has  opened  security  evaluation  centres  in  Germany  and  Brussels,  
and  offered  to  open  a  security  evaluation  centre  in  Poland  last  year,  
following  the  arrest  by  Polish  authorities  of  a  Huawei  employee    on  
espionage  charges,  and  increased  pressure  on  Huawei  to  prove  its  
trusworthiness.  Huawei  has  not  faced  this  kind  of  pressure  in  South  Africa.  
   
My  questions  are  as  follows:  
   
1.  Has  Huawei  made  any  progress  with  its  transformation  plan?    Could  you  
possibly  provide  some  detail  about  the  progress  you’ve  made?  
    
2.  In  the  light  of  the  fact  that    South  Africa  does  not  have  an  equivalent  to  
the  UK’s  HCSEC,  and  given  that  Huawei  equipment  is  used  in  core  and  non-­‐
core  sections  of  South  Africa’s  mobile  networks,  can  Huawei  assure  the  
South  African  public  that  the  country’s  networks,  and  cyberspace  in  
general,  are  not  put  at  increased  risk  because  of  Huawei  equipment?  
   
 
3.  Does  Huawei  plan  on  establishing  an  evaluation  centre  similar  to  the  UK’s  
HCSEC  in  South  Africa,  or  perhaps  for  the  Southern  African  region?    If  so,  is  
it  possible  to  provide  any  detail,  such  as  when  it  will  be  opened,  or  how  it  
will  be  funded?  
   
Please  provide  any  further  details  that  you  feel  are  important.  
   
 
Huawei  response  :  21  May  2020  
   
We  have  received  your  media  inquiry  and  would  like  to  express  the  
following:  
   
The  report  you  refer  to  was  published  more  than  a  year  ago  in  March  
2019  by  the  UK’s  Huawei  Cyber  Security  Evaluation  Centre  (HCSEC)  
established  by  the  Prime  Minister  in  2010.  
   
Thus  you  are  asking  Huawei  to  comment  on  old  information  published  14  
months  ago  and  which  has  since  been  surpassed.  
   
Critically  you  have  failed  to  acknowledge  the  decision  taken  by  the  British  
Government  in  January  2020  to  allow  Huawei  to  participate  in  the  country’s  
5G  roll-­‐out.  (Please  refer  to  the  attached  media  release  issued  January  
27th  of  this  year)  
   
This  decision  is  a  clear  indication  of  the  cooperation  between  Huawei  and  
the  British  authorities  which  have  the  toughest  oversight  requirements  in  
our  industry.  It  also  illustrates  that  the  HCSEC  report  on  which  you  base  
your  questions  has  been  superseded  by  recent  developments.  
    
For  the  sake  of  your  Editor  we  have  copied  the  full  report  here,  along  with  
our  response  at  the  time:  
 
https://assets.publishing.service.gov.uk/government/uploads/system/uplo
ads/attachment_data/file/790270/HCSEC_OversightBoardReport-­‐
2019.pdf      
 
Huawei  media  release  March  19th,  2019:  
 https://huawei.eu/press-­‐release/statement-­‐huawei-­‐huawei-­‐cyber-­‐
security-­‐evaluation-­‐centre-­‐hcsec-­‐oversight-­‐board-­‐annual    
   
Huawei  awaits  the  next  HCSEC  report  for  2019/20,  and  will  not  be  making  
any  commentary  at  this  point,  over  and  above  what  we  have  already  stated  
publicly.  
 
Furthermore,  professionals  in  the  telecommunications  sector  are  aware  of  
Huawei’s  position  in  relation  to  the  2019  HCSEC  report  and  the  
developments  to  include  our  company  in  the  5G  rollout  programme  in  the  
United  Kingdom.  
   
We  therefore  prefer  not  to  engage  on  speculative  or  outdated  matters.  
   
With  regards  to  our  work  with  locally  based  telecommunications  
companies  Huawei  remains  committed  to  building  and  improving  networks  
for  the  benefit  of  the  people  of  this  country.  Huawei’s  equipment  meets  
the  requirements  and  laws  of  South  Africa  and  it’s  regulatory  agencies.  We  
have    a  proven  track  record  in  cyber  security  and  we  are  a  trustworthy  
supplier  to  our  South  African  partners.  
   
Globally  Huawei’s  technologies  have  introduced  cost  effective,  
rapid  advances  in  telecommunications  networks  across  the  world.  
Huawei  should  not  be  discriminated  against,  based  on  its  country  of  
origin,  nor  be  maligned  in  the  media  on  the  basis  of  suspicion  
without    evidence.  We  view  such  reporting  as  unethical  and  discriminatory.  
   
Although  we  trust  that  it  will  not  be  necessary  to  enforce  them,  all  our  
rights  herein  as  well  as  that  of  all  other  Huawei  Group  companies  remain  
strictly  reserved.  
 
DM's  response  to  Huawei's  first  reply  (abridged  version)  :  24  May  2020  
   
On  28  January  2020,  NCSC  published  an  article  titled  “NCSC  guidance  for  
the  risk  management  of  high  risk  vendors  in  telecommunications  
networks.”  The  article  to  which  I  am  referring  is  
here:    https://www.ncsc.gov.uk/guidance/ncsc-­‐advice-­‐on-­‐the-­‐use-­‐of-­‐
equipment-­‐from-­‐high-­‐risk-­‐vendors-­‐in-­‐uk-­‐telecoms-­‐networks  
   
In  it,  the  NCSC  provides  a  “non-­‐exhaustive  list  of  criteria  which  NCSC  applies  
when  identifying  vendors  as  HRVs  (High  Risk  Vendors)  ”.  One  of  the  criteria  
is    “The  past  behaviour  and  practices  of  and  practices  the  vendor”.  HCSEC  
oversight  board  reports  detail  Huawei’s  past  behaviour  and  practices.    
   
I  would  like  to  point  out  to  you  the  statements  made  on  February  13,  2019,  
by  Huawei’s  rotating  chairman  Eric  Xu  when  he  held  a  press  conference  
with  six  UK  media  outlets.  The  press  release  I  am  referring  to  is  
here:    https://www.huawei.com/za/facts/voices-­‐of-­‐huawei/interview-­‐with-­‐
xu-­‐zhijun  
     
Mr  Xu  makes  the  following  statements:  
   
“Enhancing  software  engineering  capabilities:  ‘We  realized  that  this  is  
definitely  not  just  about  addressing  the  concerns  of  the  UK;  it  carries  a  lot  
of  weight  and  to  a  certain  degree  is  the  foundation  to  Huawei's  future  
development...  It's  not  just  about  addressing  the  requirements  coming  
from  NCSC;  this  is  something  that  Huawei  must  be  doing  for  our  long-­‐term  
development...  We  think  of  this  as  the  cornerstone  that  enables  Huawei  to  
realize  our  long-­‐term  aspiration.’"  
   
“US$2  billion  fund:  ‘This  US$2  billion  budget  is  just  an  initial  fund...  I  hope  
through  our  efforts  in  the  next  three  to  five  years,  we  can  truly  build  
products  that  would  be  trusted  by  governments  and  by  customers,  so  as  to  
support  and  sustain  Huawei's  long-­‐term  development.’"  
   
Mr  Xu  is  acknowledging  that  the  findings  of  the  2019  HCSEC  oversight  
board  report  relate  to    long-­‐term  issues.  Additionally,  Mr  Xu  indicated  that  
the  allocation  of  US$  2billion  would  be  spent  over  a  five  year  period,  with  
that  being  only  an  ‘initial’  amount.  This  suggests  that  the  transformation  
programme  may  even  last  longer  than  three  to  five  years  
 
If,  however,  Huawei  has  cancelled  its  transformation  plan,  I  would  very  
much  appreciate  it  if  you  can  confirm  that  fact  for  me  as  soon  as  possible.  
 
IN  LIGHT  OF  THE  ABOVE,  I  WOULD  LIKE  TO  REITERATE  MY  QUESTIONS,  AND  
ASK  YOU  A  FEW  ADDITIONAL  QUESTIONS:  
   
1.  Has  Huawei  cancelled  its  US$2  billion  transformation  plan?  If  so,  could  
you  kindly  provide  reasons.  
   
2.  If  Huawei  has  not  cancelled  its  transformation  plan,  has  the  company  
made  any  progress  with  said  plan?    Could  you  possibly  provide  some  detail  
about  the  progress  you’ve  made?  If  you  have  not  made  progress,  could  you  
provide  reasons  why?  
   
3.  In  the  light  of  the  fact  that    South  Africa  does  not  have  an  equivalent  to  
the  UK’s  HCSEC,  and  given  that  Huawei  equipment  is  used  in  core  and  non-­‐
core  sections  of  South  Africa’s  mobile  networks,  can  Huawei  assure  the  
South  African  public  that  the  country’s  networks  that  use  Huawei,  and  its  
cyberspace  in  general,  are  not  put  at  increased  risk  because  of  Huawei  
equipment?  
   
4.  Does  Huawei  plan  on  establishing  an  evaluation  centre  similar  to  the  UK’s  
HCSEC  in  South  Africa,  or  perhaps  for  the  Southern  African  region,  or  any  
other  African  country?    If  so,  is  it  possible  to  provide  any  detail,  such  as  
when  it  will  be  opened,  or  how  it  will  be  funded?    
   
5.  Why  has  Huawei  paid  for  the  establishment  of  three  security  
evaluation/transparency  centres  (all  located  Europe  and  the  UK)  but  has  
not  done  so  for  South  Africa,  or  Africa  as  a  whole  for  that  matter?  Why  
does  Europe  appear  to  get  preferential  treatment  over  Africa  when  it  
comes  to  cyber  security?  
    
6.  What  are  your  comments  about  the  UK’s  decision  to  phase  Huawei  out  
of  UK  telco  networks  by  2023?    
   
Please  feel  free  to  add  any  additional  information  that  you  deem  to  be  of  
interest.    
 
Huawei's  second  reply  to  DM:    26  May  2020  
   
We  have  noted  the  additional  questions  you  have  provided,  as  they  relate  
to  the  United  Kingdom  and  the  HCSEC.  Our  previous  reply  also  refers.  
   
Huawei  has  been  working  tirelessly  with  the  British  Government  to  address  
concerns  through  the  HCSEC.  
   
Our  $2billion  transformation  plan  has  not  been  cancelled.  This  is  a  five  year  
long  programme  and  has  already  yielded  positive  results  and  we  are  
confident  this  will  continue  allowing  us  to  also  better  serve  other  markets  
from  the  progress  made.  
   
Huawei  places  cybersecurity  above  our  business  interests.  It  is  important  to  
note  that,  cybersecurity  has  never  been  the  sole  responsibility  of  a  country  
or  an  enterprise.  Only  through  the  joint  efforts  of  the  entire  industry  
ecosystem  and  society  as  a  whole  working  together,  will  we  systematically  
solve  cybersecurity  challenges.  
   
We  reject  your  assertion  that  Europe  gets  preferential  treatment  over  
Africa  when  it  comes  to  cyber  security.  
   
In  every  country  that  we  operate  in,  we  remain  a  committed  and  
trustworthy  partner  to  the  telecommunications  industry  and  abide  fully  by  
the  laws  and  regulations  required  by  the  Government,  including  South  
Africa.  
   
We  continue  to  enjoy  an  open  and  progressive  relationship  with  all  our  
South  African  partners.