[nknighthb]

One might hope the NSA audits their contractors' security, but I'm not sure I'd bet on it.

And somewhere along the way you have to accept that your most senior admins aren't always going to be the ones schlepping gear around, which means physical access.

I'm also not entirely convinced of the practicality of building a system where there isn't at least one person who can bypass everything, especially if they're prepared to go into exile as this guy was.

Given adequate resources, I'm sure it's possible, but there's gonna be a shitton of money and ridiculously careful planning involved. I expect the operational overhead to be similarly huge.