Re: same logic, Microsoft and Google
All very true. But many Western countries have also banned Huawei under the same principle: that, in the real world, it is almost impossible to oversee what a company may be [forced] to do behind the scenes. There are just too many variables to look over in a timely manner, before any damage is done.
Not necessarily. It just comes with a price attached. So Huawei's a good example. What's the threat? This?
https://en.wikipedia.org/wiki/Huawei#NSA_infiltration
The NSA was concerned that Huawei's infrastructure could provide China with signals intelligence capabilities. It also wanted to find ways to exploit the company's products because they are used by targets of interest to the NSA.
So the UK and Huawei did this:
https://www.gov.uk/government/publications/huawei-cyber-security-evaluation-centre-hcsec-oversight-board-annual-report-2021
So a partnership between Huawei and HMG with the NCSC / GCHQ providing oversight and assurance. Kind of an open book or open technology venture to provide reassurance that Huawei kit isn't a threat to national security and/or critical national infrastructure. But of course this wasn't enough for politicians, who just decided to ban Huawei products from the UK. But I used to design Huawei networks and came across this concern in the past, and the answer is usually in the design.
If the control and data plane are separated, how would Huawei compromise the network, or spy on users? Especially any wholesale spying. Basic stuff like Huawei's EchoLife GPON NIDs used by BT are pretty dumb devices that just connect an Ethernet to a VLAN, then switch, then gateway. So how would Huawei access that, without anyone noticing? Also true for a lot of other kit, e.g. Huawei make repeaters for submarine cable systems. Ripping & replacing those is very expensive, and probably unnecessary.
But Kaspersky seems to be proposing an HCSEC-like model, and is arguably a good idea. Especially if it's a scalable solution that can evaluate other products. Which sort of happens already with security assurance levels for kit used in classified networks. But that's also an expensive game, even though it provides industry and users with a higher degree of confidence.