Despite the title of this piece, the problem isn't really Huawei: it's how we are approaching this issue.
What's the issue? Technology meets sovereignty, or perhaps the Twenty-First Century meets the Twentieth. There is a fundamental disconnect between what global technology represents - a horizontal, global reality, and what a country does - a vertical, local reality. And whilst we might think it's only technology that is causing this horizontal/vertical farrago, it's not: the same is present in financial markets and the environment. Despite what some nationalists might wish, we all live in the same pond, and the ripples from a pebble chucked into the middle will affect all. To illustrate the point, think of three rather delightful pebbles thrown into the global pond by Russia over the past 40 years. The Chernobyl accident sent plumes of contamination into Scandinavia, the debt default of 1998 almost destroyed US financial markets, and its gentle export of the NotPetya virus into Ukraine forced Maersk, the global shipping company, back into the stone age to continue operating, also causing $10bn of damage in the wider global economy.
So, back to Huawei. The knee-jerk reaction is to think of it in terms of "us" and "them", "here" and "there". Huawei, so the script goes, is in hock to its government, so "letting them in" risks a concerted effort at government espionage, shout the Americans. Well, they would know. Whilst I have no doubt that Huawei is indeed a risk for the reasons identified by the Americans (and others), it is simply the wrong way to look at all of this. There is no "us" and "them", "here" and "there" in technology: in the words of one senior tech exec, "we all use the same sh*t". Whilst there is a risk of a Huawei backdoor, so there is at Cisco. Buying "western" stuff may sound a good plan until you realise it's all assembled in China.
Where am I going with this, given that it's meant to be a blog to help companies with their IT? Well, the Huawei problem is a high-profile example of the dangers of the perimeter illusion: that somehow you are "in" and others are "out". First, it is simply not how the world works. A company network cannot be impermeable, because if it were, it would be useless. Holes have to be opened up to receive stuff from "outside". Companies have spent gazillions on fancy vendor products to police the holes, which is good for the vendors, but will never fix anything properly (which of course is also good for the vendors). The second pernicious consequence of the perimeter illusion is that we falsely mistrust too much from the "outside" and wrongly trust too much on the "inside". Too much mistrust in the outside is bad for business, and too much trust on the inside is disastrous. To take a non-tech example of this, just look at Guy Burgess, the Russian spy in the heart of the British Establishment. He was allowed to get away with it as people felt he was one of "us". To bring it back to tech and to Maersk, NotPetya was so devastating because the computing environment inside the network presupposed trust among the machines, facilitating the flow of the virus (delivered using a mechanism designed by the Americans, ironically).
This is not to criticise Maersk particularly: whilst they could have been better at upgrading their PCs, their network architecture reflected the same fundamental illusion as almost everyone else's: that there is a "here" and "there" in technology, and you base your trust judgement on whether they are one or the other. So, what is the advice? For this we need to go back to another horizontal horse of the apocalypse, pestilence. We have long understood that whilst quarantine and other physical measures can help, the best defence against infection is good personal habits wherever you are - hygiene, diet and inoculation. To take that back into the tech space, do not base your precautions on "where" you are, but navigate by a simple set of standard rules: keep operating systems up to date, connect not to other machines but to independent cloud-based apps, and manage your credentials carefully, avoiding duplicate passwords and your mother's maiden name.
The "Huawei Problem" is not the vendor, but the way we look at technology. Huawei is not "them" whilst, say, Ericsson is "us". Network kit should be managed and monitored, wherever it's "from".