You talked a lot about how bad it is for governments to outsource stuff to Huawei and a handful of US clouds, but didn't really touch on what drives all those decisions beyond claiming it's due to non-technical leadership. It'd be great to see a somewhat deeper analysis than that in future. There are plenty of tech companies that also outsource a lot to the cloud, so it has to be more complicated than that, and there are European mini-clouds that don't get much love from European governments also.
The basic problem is fundamental: outsourcing is a very common thing you find in all walks of life; it is often the most reasonable choice due to comparative advantage. This is the reason I eventually gave up on "decentralization" as a worthwhile technical goal (after years spent working on Bitcoin). Everyone is trying to outsource everything that isn't their key competitive advantage, and that's because specialization is the heart of progress. The costs of centralization are obvious in terms of loss of resiliency, but when people aren't actually needing that resiliency for entire lifetimes it's hard to convince anyone to take the loss of progress that decentralization may appear to entail.
So what to do? As you found with your 1,600-line imgur alternative, just starting over to make stuff be secure is ... hard. You wrote in C++ (not the most security-conscious choice) and some of those vulnerabilities are very basic, like the one where you discover that due to a bug some users are getting empty passwords. You also sort of assume that your users will keep your app up to date, but we know they won't. So simply demanding programs be smaller isn't going to work. You'll just speedrun the history of vulnerabilities. Indeed, one reason to outsource stuff to a handful of giant providers is that they do a much better job of security overall. Yeah, Microsoft may have problems with Chinese hackers, but government IT routinely has problems with greedy teenagers. So MS is still ahead of the pack.
IMO the most critical thing is really whole-systems analysis to find sources of unnecessary complexity and fix it. That won't necessarily turn the tide, but it can at least help. As a trivial example, HTTP stacks don't understand the concept of load balancing. They're still stuck in a world where every website is run by a single computer. That entails a lot of server-side complexity like dedicated LBs, maybe even DNS LB, replicated databases, health checks, drain periods etc just to avoid users seeing little dinosaurs due to normal maintenance. The complexity of this is overwhelming. When users accepted things like "This service will be offline on Sunday due to maintenance" you could get away with it but now people expect everything to be 24/7, so that complexity drives people to the cloud where it's somewhat handled for them.
Thus an obvious quick win - extend HTTP and DNS to understand IP address globbing and maybe even static route matching. If a connection to a server fails, have the stack transparently fail over to another one. Now you can scrap your server side LBs and reverse proxies but still have an HA service.
> Indeed, one reason to outsource stuff to a handful of giant providers is that they do a much better job of security overall.
Is that really true?
Shifting infrastructure to the cloud makes it cheaper, it reduces the incidence of security problems, but it magnifies the impact of security problems when they do occur.
Well, fair point. If you consider blast radius of failure then maybe it's worse off, yes. But then the issue is not them doing a bad job but that too many people rely on them doing a good job.
It is the most reasonable choice when you get to disregard the long-term risks because by the time they are likely to manifest in a problem, it's no longer your concern anyway.
I don't think it's accurate to describe it as "loss of progress", either. It just makes progress more expensive. There's no reason why e.g. those support & maintenance jobs cannot be located in the same country, or at least a friendly one - it's not like there's something magical about China that makes Chinese inherently better at 5G maintenance. Nor is there any reason why the data centers cannot be run by different companies in the same country.
2. They designed the equipment that's being managed.
Those two reasons are sufficient on their own to make them inherently better at managing 5G networks. The first reason in particular is lost if you relocate the jobs to the west.
That's exactly my point. The first reason can be reformulated as, "security isn't free". The problem, of course, is that expenditures are immediate, while any mitigated attacks would be in the future. So any politician and any businessman who tries to solve it gets held accountable for the expenditures, and loses to competitors who just promise cheaper everything (and who won't even be there when SHTF as a result of those policies).
The second reason is largely the consequence of the first. There's no reason why that equipment couldn't be designed locally, either, except that costs of labor would be higher.
Tangentially I will also note that the main reason why costs of labor are lower in China is because the quality of life is so much shittier. I think it behooves us all in First World countries to consider what it really means for our societies if they truly cannot function without relying on the kind of cheap labor elsewhere that we made impossible in our own countries, largely for ethical reasons (labor rights, social welfare etc).