The Bloomberg report is an impressive act of journalistic contortionism. It begins with an unsubstantiated story – one that was supposedly kept secret for almost a decade – and ends with wild speculation. Despite claims of "evidence", it's unclear why their sources didn't go public with this story sooner.
Huawei has been operating in Australia for nearly 20 years, and this is the first time we're hearing of what would normally be considered a fairly headline-worthy event. Two Australian telecom operators, Optus and TPG, have already publicly denied any knowledge of the alleged incident. What's more, the report refers to a type of threat that is highly technical and sophisticated in nature, but it only cites the opinions of politicians and former government officials. Again, it's unclear why Bloomberg was unable or unwilling to include the analysis of respected, independent third-party security experts.
The facts are as follows:
First, Huawei equipment doesn't have malware. Huawei goes to great lengths to prevent bad actors from compromising the security of our products. Our software packages include a robust set of mechanisms to ensure that if someone were to tamper with a software update, it couldn't be uploaded or installed.
Second, networks are owned and managed by operators. Huawei is just one of many equipment providers in the telecoms industry, and we have no means of accessing an operator's networks without their express written permission. Operators also have strict security verification processes for installing software and patches. Like our industry peers, Huawei has to follow these processes to the letter. The claim that "Huawei's software updates can push whatever code they want into those machines, whenever they want, without anyone knowing" is simply not true.
Third, Huawei has a comprehensive set of procedures and mechanisms for managing our engineers. These include but are not limited to additional vetting (to the extent permitted by law), software and equipment management, and mandatory compliance training. Our service engineers can't access or compile source code.
Fourth, we have always been and will always be open to collaboration, and we welcome scrutiny with open arms. Governments, customers, and other stakeholders within the security ecosystem are always welcome to systematically review our products and provide feedback on any design weaknesses, network vulnerabilities, or lapses in code quality. The fact of the matter is that no other telecom vendor's products are subject to the amount of rigorous outside scrutiny and testing that Huawei's are. Openness and transparency are key to continually enhancing the trustworthiness and security of our products, and we embrace feedback from the security community.
Huawei has maintained a proven track record in cyber security for more than 30 years. Despite this, there continues to be an ongoing, concerted effort to find proof of intentional wrongdoing by our company. The Shotgiant program leaked by Edward Snowden is one of many examples, and yet no one has ever produced any concrete evidence of Huawei engaging in malicious cyber activity.