by kevin_nisbet 2599 days ago
Pretty much yes, combined with having to fully audit the software top to bottom every couple of weeks for every patch, piece of firmware, etc., with pressure to get fixes into production for issues that affect customers' service.

From my experience in the industry, most of the protections being offered are hand-wavy things, like a software patch from Huawei being scanned by a desktop virus scanner for viruses, or remote access gateways that record the screens of external employees accessing equipment, where in the demo I got for the solution, the security prime couldn't figure out how to actually view the screen recordings. Huawei employees weren't allowed to give us any USB devices either. (I didn't work with Huawei routinely, although I know many who do. I tended to work with Cisco, Nokia, and several smaller vendors.)

The only model I could see sort of working is forcing them to hand over the sources to an industry group or government entity that is then responsible for auditing, building, and signing the software. But there are so many moving components that slipping something past is still plausible, and there are many barriers towards that sort of model.