I used to use linked'[email protected]. It (slightly) broke the interface for reasons I won't understand, but I eventually got lazy and changed it to a normal email. The extra page refreshes were driving me crazy. Seems I should have kept it.
I am a fan of NIST. They seem to be pushing forward with less than average amount of bureaucracy. By definition everything should be public and they don't have any responsiblity for enforcement of the rules which might be a slow pitch to your question.
Drawing from my roots the Canada Wheat board was always surrounded by heated arguments and controversal decisions. There was the UN wheat scandal but that is more a matter of if you believe they are evil and not their level of incompetancy.
They received a significant amount of name calling due to their decisions and policies, but I can't recall any significant missteps in their application of the policies they set out to act upon.
You could make a case for everyone being bumbling and third-rate today. Post an edge case and have a lack of information to counter. I think by not addressing concerns head on gov't agencies are inviting for this type of behavior. I don't agree that stating that you have white labs as a defense for possibly tainted equipment is a full answer. I assume there is more coming since having a white lab test of equipment would be unreasonable for every piece of equipment due to workload. Not testing every piece of equipment to be used isn't a solution either since if Huawei is "evil" then they will just taint the box going to the correct provider.
If the Canadian government doesn't want people talking negatively about them then there needs to be more transparency. Not to the level of risking a breach, but something along the lines of a list of safeguards they are implementing. I wouldn't ever consider one safeguard a solution. If somebody feels the need to call out where the information is, I would legitimately like to read it.
>Maybe i'm just being paranoid but I'm a security engineer. I'm supposed to be.
No, you really shouldn't. Every bad thing can happen unless you protect against it, but being paranoid isn't helpful for this industry.
This was going to happen eventually. If they didn't want this to happen then the funding would be there to have this system built up with triple redundancy (or possibly 7 times, maybe they have triple). We all do the best with the funding we have. The good thing about this is that they assessed the problem and they had remediations for it. They announced it publicly (using several methods) and they have an alternative line.