National Cyber Security Centre publishes advice for users of Huawei enterprise equipment

The guide explains implications of US action against Huawei, its US suppliers and affiliates. It also recommends actions that UK organisations with Huawei products in use can take to prepare for and mitigate resulting security concerns, particularly if the current licensing regime is not renewed.

In May 2019, the United States of America’s Commerce Department placed Huawei and 70 affiliates on its “Entity List”. This meant that suppliers who normally supply Huawei with US products (including software updates and other technology) were no longer able to do so without a licence from the US Government.

Later that month, the US Commerce Department issued a temporary general licence (TGL) restoring suppliers’ ability to provide Huawei with what it needs to maintain some existing products.

The NCSC understands that the TGL allows companies (at their discretion) to provide support and services to equipment that was made available to the public before 16 May 2019. The TGL is currently set to expire on 19 August 2019. If it is not extended or replaced, Huawei’s suppliers may be unable to provide future support unless they are granted individual licences from the US government enabling them to do so.

For customers of Huawei enterprise equipment, this could hamper the ability to obtain new or replacement hardware and receive software updates, including security updates for existing products. This will apply to devices such as routers, switches, wireless access points and compute/storage appliances. Managed services and support contracts are also likely to be impacted.

Customers with Huawei equipment currently deployed should continue to use it as normal.

In the short term, the NCSC says that it is unlikely that any issues will be encountered obtaining spares and updates. As such, there is currently no need to replace otherwise operational infrastructure.

If deployed equipment has not been updated for some time, customers should ensure that currently available updates are applied. This will minimise disruption in the event that these updates become unavailable in the future.

Customers should also seek to understand the extent of their use of this equipment, and ensure plans are in place should it become unsupportable. This includes how issues arising, e.g. security vulnerabilities that cannot be patched, would be dealt with in their environment.

Customers currently undergoing a procurement exercise should ensure that the potential unavailability of support is taken into account when making decisions on the intended lifetime of equipment.

The NCSC says that it continues to assess the situation and will provide further advice for Huawei customers as appropriate.