In a surprising turnaround, the Chinese information and communications technology vendor Huawei Technologies Co. Ltd. has extended a qualified welcome to criticism from a white hat hacker.
Earlier this month, the House Intelligence Committee issued a report concluding that Huawei could not "be trusted to be free of foreign state influence and thus [posed] a security threat to the United States and to our systems." It urged both government and the private sector to avoid purchasing equipment from Huawei.
The committee was investigating allegations that Huawei products incorporated security flaws, which provided a "back door" to purchasers' systems, a breach that might be exploited by the Chinese authorities to gather intelligence. Huawei has consistently denied wrongdoing. With the global nature of the supply chain, and many vendors sourcing software or hardware from China, Huawei has claimed unfair victimization.
In an apparent attempt to demonstrate openness, Huawei announced today that it's sending a team of engineers to meet one of its most severe critics, German hacker Felix Lindner. Known as "FX," Lindner runs Recurity-Labs, a security analysis service for enterprise.
Lindner has represented Huawei products as riddled with so many vulnerabilities that "back doors" would hardly be needed to effect dangerous breaches. Essentially, Lindner accuses Huawei of being inept rather than sinister. I suppose that, when under attack by the government of an important market (Huawei is a big player in emerging markets, but still has its sights set on the US), you take what you can get.
Huawei's global cybersecurity officer, John Suffolk, said:
"We've very much taken on board Felix's views and you'll see over the coming period we've got a whole host of significant operations to deal with these issues... Sometimes you need a bit of a slap in the face to step back, not be emotive in your response, and say what do I systematically need to change so over time any of these issues begin to reduce?"
The advantages which accrue to Huawei are obvious: The appearance, at least, of increased openness and receptivity to critics, and an emphasis on the fact that whatever suspicions have arisen from flaws in their products, nobody -- including the House Intelligence Committee -- has yet demonstrated bad intentions.
The advantage to Lindner? Another big client, maybe.
The move also sends a message to the rest of the enterprise. Instead of dismissing and hounding white hat hacker criticism, there may be political, PR, and practical advantages in embracing it. Apple is just one example of a business that has responded aggressively to white hat hackers in the past.
Security expert Charlie Miller was bounced from Apple's app developer program after he revealed a flaw in iOS. Apple's relationship with iPhone jail-breaker Nicholas Allegra was abruptly terminated after just a year. Apple's reaction to Alexey Borodin's successful in-app purchases hack was not to debate with him, but to battle with him.
When a company with as significant and delicate a reputation problem as Huawei can engage with critics like Lindner, perhaps it's a sign of growing maturity. Or perhaps it's just a short-term public relations win.
To be continued.
— Kim Davis, Community Editor, Internet Evolution