In a surprising turnaround, the Chinese information and communications technology vendor Huawei Technologies Co. Ltd. has extended a qualified welcome to criticism from a white hat hacker.
Earlier this month, the House Intelligence Committee issued a report concluding that Huawei could not "be trusted to be free of foreign state influence and thus [posed] a security threat to the United States and to our systems." It urged both government and the private sector to avoid purchasing equipment from Huawei.
The committee was investigating allegations that Huawei products incorporated security flaws, which provided a "back door" to purchasers' systems, a breach that might be exploited by the Chinese authorities to gather intelligence. Huawei has consistently denied wrongdoing. With the global nature of the supply chain, and many vendors sourcing software or hardware from China, Huawei has claimed unfair victimization.
In an apparent attempt to demonstrate openness, Huawei announced today that it's sending a team of engineers to meet one of its most severe critics, German hacker Felix Lindner. Known as "FX," Lindner runs Recurity-Labs, a security analysis service for enterprise.
Lindner has represented Huawei products as riddled with so many vulnerabilities that "back doors" would hardly be needed to effect dangerous breaches. Essentially, Lindner accuses Huawei of being inept rather than sinister. I suppose that, when under attack by the government of an important market (Huawei is a big player in emerging markets, but still has its sights set on the US), you take what you can get.
Huawei's global cybersecurity officer, John Suffolk, said:
We've very much taken on board Felix's views and you'll see over the coming period we've got a whole host of significant operations to deal with these issues... Sometimes you need a bit of a slap in the face to step back, not be emotive in your response, and say what do I systematically need to change so over time any these issues begin to reduce?
The advantages which accrue to Huawei are obvious: The appearance, at least, of increased openness and receptivity to critics, and an emphasis on the fact that whatever suspicions have arisen from flaws in their products, nobody -- including the House Intelligence Committee -- has yet demonstrated bad intentions.
The advantage to Lindner? Another big client, maybe.
The move also sends a message to the rest of the enterprise. Instead of dismissing and hounding white hat hacker criticism, there may be political, PR, and practical advantages in embracing it. Apple is just one example of a business that has responded aggressively to white hat hackers in the past.
Security expert Charlie Miller was bounced from Apple's app developer program after he revealed a flaw in iOS. Apple's relationship with iPhone jail-breaker Nicholas Allegra was abruptly terminated after just a year. Apple's reaction to Alexey Borodin's successful in-app purchases hack was not to debate with him, but to battle with him.
When a company with as significant and delicate a reputation problem as Huawei can engage with critics like Lindner, perhaps it's a sign of growing maturity. Or perhaps it's just a short term public relations win.
I agree with others that this is certainly an interesting development. But while it is commendable on Huawei's part, there are still a number of issues that they have yet to address, like the one Mary pointed out (the government connection.) They might merely be going this route to gain US credibility--and that is not a bad thing straight away. But I believe that must do more than this and address all the other issues hounding them.
I wonder if this is a sign that the global security officer John Suffolk, who Huawei recruited about a year ago, is getting a chance to steer policy. He's a former CIO with a UK government background.
It's a good way to make a living and be your own boss -- if you have the skills, and the temperament to cross swords with the companies that won't view your hacking as a favor.
I'm impressed. I wonder if they would have embraced the white hat hacker if they didn't have the U.S. government on their back? It's an interesting turn of events regardless, and honestly I only see good coming out of it.
There's a long tradition of companies cooperating with and even rewarding white hat security researchers who find flaw. The first time I encountered it was Netscape in about 1995. It was breathtakingly refreshing of Netscape, because until then companies were more likely to prosecute white hat hackers than reward them.
And companies should reward the white hat hackers, because somebody's going to find out about those security flaws. Better the white hat than the black hats.
If Huawei proves serious in its efforts to support white hats, that could be a boon to their US credibility. Still, they have that nagging question of government association that dogs them here. This may not address that issue in full.
I put my money on Dillon Beresford and his crew when it comes to Chinese security - He's done a bit of Chinese network research a few years ago that's the reason I started my blog. While we have been at war the last 10 years China has been building business relationships and as the Elderwood Gang sucked every bit of Itellectual property they could get thier hand on we did nothing.
The West need to look for something more than xBox users to turn to hackers - "complex systems break in complex ways" I seen one update from one vendor break and open holes from something else unrelated down the software chain. I have been following Huawei problems since last year with the Aurora break-in on RSA and other defense contractors and just wondered ---
Why do we have so much of Huawei in the U.S.A infrastructure. Australia did the right thing the ties with PLA will never go away - It was a PLA loan that got this company going and in China old friends and trusted friends go hand in hand it a cultural thing. I just don't think you can seperate the PLA and Huawei but they are still number 2 in the world I think now... Time wll tell - I'm looking forward to the facts from this test...
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.
Edward Snowden was so convinced that the Prism program involved secretive surveillance through Internet backdoors that he walked out on his job and his girlfriend, spoke to the media, and resigned himself to jail, or worse. It turns out, he might just be wrong.
In one of the nastiest -- not to mention large scale and long-term -- hacking exploits yet to be reported, it appears that the Chinese army has been rummaging through the data of those who have served in the US Armed Forces.
ASA Risk Consultants added its voice this week to the slowly growing chorus of voices demanding a coordinated international response to cyberattacks. In a research note circulated by IDG, ASA asserts that "nations will need to come to an agreement on how cyber warfare should be handled."
Extending existing US wiretap laws to give federal agencies easier backdoor access to Internet communications -- especially real-time P2P services like VoIP -- will give, not only aid and comfort, but also technical assistance, to the country's enemies. Not to mention cyberthieves.
US counterterrorism expert Richard Clarke, who came to prominence with his prescient warnings before the 9/11 attacks, tells Smithsonian Magazine the US was responsible for the Stuxnet supersmart worm that attacked parts of nuclear reactors in Iran – and in the process, has given away one of the world's most sophisticated cyberweapons.
The FBI recently issued a warning to smartphone users, highlighting two mobile malware applications: Loozfan, which steals personal information, and FinFisher, which is spyware that takes over a smartphone's functions.
It wouldn't be the first time, but a group of Chinese engineers has proposed a means by which the Internet's root could be split, enabling secondary, independent networks that could be government-controlled. The Internet's root security committee is taking such proposals seriously.
The plan for unmanned police drones to patrol traffic and other city conditions in Seattle has sparked a new set of legal concerns about privacy. Law traditionally lags technology, but we can expect now to see a new round of activity in the courts as legal definitions begin to emerge on what "next-gen privacy" will look like.
Ontario's information privacy commissioner explains the unintended consequences of facial recognition technology and how biometric encryption can make it safer.
The world’s most powerful supercomputer now resides in Japan, but the US would like to reclaim the lead. The Oak Ridge National Lab in Tennessee, which is part of the US Department of Energy, is building a supercomputer that will be used for such tasks as simulating nuclear explosions.
Law enforcement agencies are poised to use iPhones as facial recognition systems in the coming months. The technical advance promises efficiency but has created a backlash among civil liberties proponents.
In the wake of an earthquake and tsunami in Japan, enterprises should be reconsidering their supply chains and establishing backup plans for when disaster strikes.
Big-data and analytics tools enable marketers to understand customers as individuals, identifying unmet needs and addressing each customer as a "segment of one," says John Kennedy, VP corporate marketing, IBM.
New York's Metropolitan Transit Authority is conducting a pilot test of digital kiosks to guide subway users to where they want to go more efficiently and at lower cost.
The whole Amazon.reader debate is a double-stupid. It's stupid to think that there's any e-book buyer who doesn't know Amazon's URL, and it was stupider to let ICANN launch the whole free-form TLD initiative to start with.
While NFC's original goal was to enhance mobile commerce applications, it is finding its way into a number of other uses, which is creating both opportunity as well as challenges for IT departments.
Enterprises would like to move to cloud computing but are hesitant because they are concerned about providers’ ability to secure company data. Here are some tips that help to ensure that if breaches occur, the business is not left holding the bag.
Edmunds separates customers into segments based on the info it collects on its site and from partners, and uses that to push out custom content, said Brian Baron, director of business analytics for Edmunds.com, at Predictive Analytics Innovation Summit.
The IBM Smarter Commerce Global Summit in Monaco kicked into high gear today, and we've already begun to see news emerging from that lovely city-state by the sea.
Expert Integrated Systems: Changing the Experience & Economics of IT In this e-book, we take an in-depth look at these expert integrated systems -- what they are, how they work, and how they have the potential to help CIOs achieve dramatic savings while restoring IT's role as business innovator. READ THIS eBOOK
your weekly update of news, analysis, and
opinion from Internet Evolution - FREE! REGISTER HERE
Wanted! Site Moderators Internet Evolution is looking for a handful of readers to help moderate the message boards on our site – as well as engaging in high-IQ conversation with the industry mavens on our thinkerNet blogosphere. The job comes with various perks, bags of kudos, and GIANT bragging rights. Interested?
To save this item to your list of favorite Internet Evolution content so you can find it later in your Profile page, click the "Save It" button next to the item.
Email This
