National Cyber Security Centre
Advice for users of Huawei enterprise equipment
This guide explains implications of US action against Huawei, its US suppliers and affiliates.
It also recommends actions which UK organisations, with Huawei products in use, can take to prepare for and mitigate resulting security concerns, particularly if the current licensing regime is not renewed.
On Wednesday 15 May 2019, the United States of America’s Commerce Department placed Huawei and 70 affiliates on its “Entity List”. This meant that suppliers who normally supply Huawei with US products (including software updates and other technology) were no longer able to do so without a licence from the US Government.
On Monday 20 May 2019, the US Commerce Department issued a temporary general licence (TGL) restoring suppliers’ ability to provide Huawei with what it needs to maintain some existing products.
The NCSC understands that the TGL allows companies (at their discretion) to provide support and services to equipment that was made available to the public before 16 May 2019. The TGL is currently set to expire on 19 August 2019. If it is not extended or replaced, Huawei’s suppliers may be unable to provide future support unless they are granted individual licences from the US government enabling them to do so.
For customers of Huawei enterprise equipment, this could hamper the ability to obtain new or replacement hardware and receive software updates, including security updates for existing products. This will apply to devices such as routers, switches, wireless access points and compute/storage appliances. Managed services and support contracts are also likely to be impacted.
What should Huawei enterprise IT customers do?
Customers with Huawei equipment currently deployed should continue to use it as normal.
In the short term, it is unlikely that any issues will be encountered obtaining spares and updates. As such, there is currently no need to replace otherwise operational infrastructure.
If equipment that is deployed has not been updated for some time, ensure that current available updates are applied. This will minimise disruption in the event that these updates become unavailable in the future.
You should also seek to understand the extent of your use of this equipment, and ensure you have plans in place should it become unsupportable. This includes how issues arising would be dealt with in your environment. For example, security vulnerabilities that cannot be patched.
If you are currently undergoing a procurement exercise ensure that the potential unavailability of support is taken into account when making decisions on the intended lifetime of equipment, as you usually would.
The NCSC continues to assess the situation and will provide further advice for Huawei customers as appropriate.
Latest News from
National Cyber Security Centre
First threat assessment for universities produced by the NCSC19/09/2019 09:15:00
The NCSC has published a threat assessment aimed at supporting universities.
Declassified: cyber security recruitment fair takes to the road16/09/2019 08:20:00
CyberFirst bursary students shown the varied career opportunities within the cyber security community.
NCSC advice to organisations to mitigate against DoS attacks09/09/2019 16:15:00
A suspected Denial of Service (DoS) attack resulted in Wikipedia experiencing intermittent outages in the early hours of Saturday September 7.
NCSC CEO receives international award for cyber security leadership09/09/2019 12:15:00
Ciaran Martin has received an award for leadership at a major summit in the United States.
Government plans to safeguard the future security of UK Telecoms23/07/2019 16:15:00
New telecoms security legislation to be introduced and cyber security risks to be prioritised across the sector.
Second CyberThreat summit announced by the NCSC and SANS Institute23/07/2019 08:10:00
CyberThreat 2019, hosted by the NCSC and the SANS institute, will return to London in November.
Cyber strategy update shows how UK intelligence is thwarting attack16/07/2019 14:15:00
The NCSC's Active Cyber Defence report for 2019 has been published.
Ongoing DNS hijacking and mitigation advice15/07/2019 14:15:00
This NCSC advisory highlights further hijacking activity of Domain Name Systems, and provides mitigation advice.