Reply to post:

Critical infrastructure needs more 21qs6Q#S$, less P@ssw0rd, UK.gov security committee told

Anonymous Coward

First, Huawei's cyber security centre: no doubt in my mind that the people there I have spoken with don't care who pays their wages when it comes to finding and getting discovered issues fixed. Their stuff has got a lot better in recent years as a result.

My concern comes from ways that other variants of the tested firmware and software might end up in the field, and I think that Huawei UK and Huawei CN are different beasts in terms of trustworthiness, and I'm pretty sure the latter don't tell the former everything. Yeah, they do crypto-signed builds and other niceties now, but that's relying on the staff on the ground to be policing the build and checking its signature through their end-to-end into-live process. Which I strongly suspect still doesn't happen nearly enough.

The other poster saying "hey, this isn't just China": yes, absolutely, there's equipment in the CNI from Israel (Mossad?), Cisco (USA) and a whole host of other nation-state companies. Let's not just make this about bashing China covertly; due diligence and investment in good practice should be spread across the board.

Final point, which we're all missing because we're jumping into the China vs the West debate only: passwords and credential management. We're not doing enough. Things are STILL making it out to the CNI as defaults. Either the deployment process doesn't change them, or the kit stops working if you change it, but nobody modelled that in test, or your staff don't know how to change them. I'm not just talking web page logins, or default users, I'm talking CLI interfaces, JMX consoles, everywhere. And even if they are changed, credential management is a massive overhead; it's unlikely that every CLI or machine credential is going to work with a remote password solution, some of these are passwords of last resort designed to work when the device is out of comms from the password management solution, etc. etc. But nobody really wants to invest in the engineering work towards putting together a proper solution that scales, because everyone just wants to buy in a solution that claims to do it, but in reality will only cover 10% of credentials in a large multi-vendor system.

You could probably finish half the technical people in your org, and spend that money on just changing passwords and applying some patches, and be in a better place security-wise. That's the sad truth of things.
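The two gaps the comment above describes, a build going live that is not the one that was tested, and factory-default credentials surviving into the CNI, are both things a deployment pipeline can refuse to ship. The following is an added illustration, not code from the commenter, The Register or any vendor: a pre-deployment gate that (a) checks the image about to go live against the digest recorded in the tested build's manifest and (b) scans an exported device config for accounts whose password hash matches a known factory default, covering CLI and console accounts as well as web logins. The firmware bytes, the manifest, the `user:sha256(password)` export format and the default list are all constructed for the example; a real device export uses the vendor's own hash scheme and the gate would compare under that scheme, and a real manifest would carry a vendor signature rather than a bare digest.

```python
import hashlib

# Constructed sample firmware image (stands in for the build the test lab approved).
FIRMWARE_IMAGE = b"example-firmware-build-1.2.3\x00" * 64

# Constructed build manifest: the digest recorded when the build was tested.
# In a real pipeline this manifest would be vendor-signed and the signature
# verified before the digest is trusted.
SIGNED_MANIFEST = {
    "build": "1.2.3-tested",
    "sha256": hashlib.sha256(FIRMWARE_IMAGE).hexdigest(),
}

# Hashes of factory-default passwords that must never reach a live device.
# "P@ssw0rd" is the example from the article headline; the others are constructed.
# The gate only needs the hashes, so the plaintext list need not travel with it.
FACTORY_DEFAULT_HASHES = {
    hashlib.sha256(p.encode()).hexdigest()
    for p in ("P@ssw0rd", "admin", "changeme")
}

# Constructed config export: one "user:sha256(password)" line per account,
# deliberately including a CLI and a JMX console account, not just the web UI.
SAMPLE_CONFIG_EXPORT = "\n".join([
    "webadmin:" + hashlib.sha256(b"correct horse battery staple").hexdigest(),
    "cli-root:" + hashlib.sha256(b"P@ssw0rd").hexdigest(),
    "jmx:" + hashlib.sha256(b"changeme").hexdigest(),
    "# comment lines are ignored",
])


def verify_image(image: bytes, manifest: dict) -> bool:
    """True only if the image going live is byte-for-byte the tested build."""
    return hashlib.sha256(image).hexdigest() == manifest["sha256"]


def find_default_credentials(config_export: str, default_hashes: set) -> list:
    """Return the account names whose stored hash matches a factory default."""
    findings = []
    for line in config_export.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, pw_hash = line.partition(":")
        if pw_hash in default_hashes:
            findings.append(user)
    return findings


def deployment_gate(image: bytes, manifest: dict, config_export: str,
                    default_hashes: set = FACTORY_DEFAULT_HASHES) -> tuple:
    """Return (ok, problems). Anything in `problems` blocks the deployment."""
    problems = []
    if not verify_image(image, manifest):
        problems.append("image digest does not match the tested build")
    for user in find_default_credentials(config_export, default_hashes):
        problems.append(f"account '{user}' still uses a factory-default password")
    return (len(problems) == 0, problems)


if __name__ == "__main__":
    ok, problems = deployment_gate(FIRMWARE_IMAGE, SIGNED_MANIFEST, SAMPLE_CONFIG_EXPORT)
    print("PASS" if ok else "BLOCKED")
    for p in problems:
        print(" -", p)
```

Run as-is the gate blocks on the two default accounts while the image itself passes; a single appended byte to the image adds a third finding, which is the "variant of the tested firmware" case. Because the check runs against the exported config rather than by logging in, it can be applied to every device in an inventory without the gate itself holding any credentials.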
