It ultimately comes down to trust. For example, if the Chinese president decided to make a law that they can't demand data from Chinese companies any more, it's not like Trump would roll this back. Similar to Snowden, do you still trust our government isn't spying on us anymore?
USA is not a communist country, big difference. With political administration changes, foreign policy opinions also change, along with whatever CIA has to do with foreign sovereignties. One USA regime pardons Manning, another jails him/her. One USA regime bombs Syria, another doesn't. Also, CIA-seeded companies are just a few and none of the big ones. Palantir and Oculus are their biggest, not sure Oculus can spy on foreign countries but ok.
I know right? If you ship horrible security flaws so often, eventually no one will think they're intentional :D
Honestly you could probably do it without engineers knowing about it simply by cutting QA and red team budgets.
I'm not saying I think that's what happens at Cisco. Having worked at large companies that actively try to ship secure products, and having observed (as a paying end user) the general terrible-ness of networking hardware, it is more plausible that they're just not being careful - I want to say incompetent but that is likely unfair to the majority of engineers there.
Of course nothing says that various gov. agencies in many countries aren't auditing the equipment themselves and making use of flaws without publicizing them.
The problem with that statement though is that's also what happens with every internet attached device people buy. At this point I would be surprised if an off the shelf IoT/IoS device didn't have at least one root login and RCE via a command line passed in a URL.
I'm talking about the big iron that provides core infrastructure to corporate intranets, and the Internet at large. Comparing that to fly by night IoT shovelware is a bit disingenuous, IMO.
But look at the industry - "Big iron" (Cisco, network solutions?, Juniper, Dynalink ...) have all had these issues, over and over and over again.
The lack of subtlety and the widespread existence of these same exploits/backdoors/bugs indicate there's a level of care that is missing in engineering of these devices that makes it plausible that this is by ignorance rather than malice.
So your entire argument that when US does it is okay is based on
1. US administration may change and might outlaw whatever unholy thing CIA is doing today;
2. CIA does it at a smaller scale, seeding smaller companies;
I am saying having the US do it is less frightening than China doing it. The Chinese government is still, after all, a communist dictatorship censoring everything. Their internet is more censored than Iran’s. This same Chinese government killed 30 million people during the revolution.
It doesn't mean big companies are not in bed with the defense industry/CIA. We have plenty of cases we know about and we also know you guys spy on the allies too. Even if the argument is all superpowers do it, international vetting is a good way to put pressure on. If all countries join in, the money and influence is there.