Reply to post: Re: Not much left then...

Can you trust Huawei... or any other networks supplier for that matter?

Jellied Eel Silver badge

Re: Not much left then...

I'd say those are not key areas. How well a country protects its citizens' data has nothing to do with typical vendor selection of tin. Mainly because that's a political issue rather than technical, i.e. any legislation like GDPR. You could also argue it'd rule out any US kit given Facebook, Google etc, and being mixed up with TLAs.

It's also where security theatre and trust, or lack of trust, becomes a big issue. Saying stuff has 'military grade' security can be used in marketing, but is generally meaningless. Saying it meets EAL 7 may give more confidence given that's an ISO standard (15408). But then getting kit certified and granted an EAL rating is expensive, time consuming and may only be applicable to a specific model, or implementation.

It's an area where the TLAs could do more to help, assuming they are trusted. So CESG does do evaluations, but could arguably do more. Problem is the usual one, funding, or lack thereof. The Huawei 'Cell' is a good example. It gives a thorough hairy eyeball to Huawei tin, but as it's a JV between CESG and Huawei, it doesn't examine other vendors. One solution could be to expand that model using some industry and government funding.

But it's still going to face trust issues, especially when TLAs are suspected of having backdoors. Or even legislating for back doors, e.g. my usual example of US CALEA compliance. Mandatory for tin used in the US, and there's a trust element that any back doors will only ever be used by their intended audience. Again that's where the 'key area' is problematic given legislation in countries generally has a requirement for lawful intercept.

Rest is part of doing business. Issue an RFP stating how tin will be used, standards it must comply with, service and support levels required etc and wait for responses. Then shortlist suppliers, possibly down to 1, and invite them to supply tin for your R&D site, where it'll be given a thorough going over by your test engineers. Which BT did with Huawei and 21CN, so lots of compliance, interoperability and other testing. But that's expensive, time consuming and assumes you haven't RIF'd lots of engineers & flogged off your R&D site to property developers. And most non-BTs don't have that kind of luxury anyway, so often wait for an anchor customer like BT to adopt a vendor's kit before buying it yourself. Or you may be forced/better off buying that kit anyway because it needs to interoperate with Openreach.

SDN's one example where the dream requires interoperability, along with exposing control plane functionality you'd normally want to keep hidden. Or there's stuff like optical networking and OTN ONIs for wholesale interconnects. If vendors' tin came with an NSA/GCHQ seal of approval, it may provide more confidence though.

What doesn't help is simply saying 'This is not secure because China'. Test and tell us what is secure. Enough. At that point in time. In a given configuration. So nice idea, but non-trivial.
