US companies again suspect defects in Huawei equipment, Huawei responds with a report of thousands of words!

Huawei stated that given Company F’s practices and the shortcomings of its tools and methods, its analysis results were questionable at best and inaccurate at worst.

WASHINGTON (Reuters) - China’s Huawei Technologies Co Ltd has disputed the findings of a U.S. cybersecurity firm that found Huawei equipment was much more likely to have flaws than its competitors’ equipment, calling its analysis incomplete and inaccurate, U.S. media reported on July 9.

According to a report by the US website on July 8, Finite State, a US company headquartered in Columbus, Ohio, recently released a report that was widely circulated among senior officials of the Trump administration before being publicly released.

In response to the above report from the US "Limited State" company, Huawei said that it is willing to cooperate with cybersecurity researchers and welcomes independent testing of Huawei's products and solutions. Huawei has already established a Product Security Emergency Response Team (PSIRT) to collect, investigate, coordinate internally and responsibly disclose security vulnerability information related to Huawei products. Once a vulnerability is confirmed, PSIRT will promptly pass the information to the team of the affected product and actively track until the problem is resolved.

Huawei said it has established and implemented a layered, end-to-end cybersecurity assessment process to ensure that products are reviewed at all stages (concept, design, development, to deployment and maintenance in global customer networks) to identify potential security issues.

Huawei recently wrote in a thousands-word article titled "Huawei PSIRT: Technical Analysis Report on Finite State Supply Chain Assessment" that on June 26, 2019, the American company Finite State (hereinafter referred to as "F Company") published Huawei Technologies Co., Ltd.'s "Supply Chain Assessment" report on its official website. The report focused on its use of firmware (binary software package) static analysis tools to analyze more than 500 Huawei enterprise network products, and conducted a comparative analysis of Huawei's CE12800 and Juniper's EX4650 and Arista's 7280R products. The results showed that Huawei's products had poor security, suspected "backdoors", and were less secure than those of its competitors.

"We are surprised and disappointed by F's unconventional practices. We cannot confirm whether the channels through which F obtained the software were legal, nor can we guarantee the integrity of the software it obtained. At the same time, Huawei has never received any communication requests from F. They did not learn about these products through Huawei and refused to provide the report to Huawei before publication. Unfortunately, this means that this report lacks insight, completeness and accuracy, and F's practices are not the usual practice of a professional, serious and capable security company."

The article states that given the practices of Company F and the shortcomings of its tools and methods, its analysis is at best questionable and at worst inaccurate. This could have been avoided through cooperation rather than taking a political stance on security.

Huawei also questioned Company F's purpose: why they did not choose products from market leader Cisco for comparison, why they evaluated older versions of Huawei products, and found problems that had already been fixed in newer versions.

Company F spent several months conducting a problematic analysis, and Huawei PSIRT investigated all issues mentioned in the report as soon as it was released. Huawei believes that Company F's methodology has serious operational and technical flaws, the test lacks neutrality, and the report is seriously inaccurate.

Huawei also pointed out that Huawei welcomes any well-intentioned, fact-based suggestions that are helpful for the stable operation of the network. The more people supervise and inspect Huawei, the greater the chance of discovering problems, and Huawei's products will be safer. Huawei has always attached great importance to network security and regards network security as the company's highest principle. Huawei has never and will not install "backdoors" in the future. It will never allow others to do so on Huawei's equipment. Network security issues are technical issues and should be solved by technical means.