Today’s security challenges are real and significant. We want governments to detect and disrupt terrorist networks before they inflict harm on our society, our citizens, and our systems of government. We also want to live in countries that respect their citizens’ basic human rights. The tension between security and freedom has become one of the most pressing issues of our day. Societies wracked by terror cannot be truly free, but an overreaching government can also undermine freedom.
It is in this context that I want to offer some thoughts on actions by the US Government that in Cisco’s eyes have overreached, undermining the goals of free communication, and steps that can be taken to right that balance, and I do so on behalf of all of Cisco’s leadership team.
Confidence in the open, global Internet has brought enormous economic benefits to the United States and to billions around the world. This confidence has been eroded by revelations of government surveillance, by efforts of the US government to force US companies to provide access to communications of non-US citizens even when that violates the privacy laws of countries where US companies do business, and allegations that governments exploit rather than report security vulnerabilities in products.
As a matter of policy and practice, Cisco does not work with any government, including the United States Government, to weaken our products. When we learn of a security vulnerability, we respond by validating it, informing our customers, and fixing it. We react the same when we find that a customer’s security has been impacted by external forces, regardless of what country or form of government or how that security breach occurred. We offer customers robust tools to defend their environments against attack, and detect attacks when they are happening. By doing these things, we have built and maintained our customers’ trust. We expect our government to value and respect this trust.
This past December, eight technology companies expressed concern to the President of the United States and Members of Congress that the US government’s surveillance efforts are in fact harmful. They stated, in part, “We urge the US to take the lead and make reforms that ensure that government surveillance efforts are clearly restricted by law, proportionate to the risks, transparent and subject to independent oversight.” We agree and support these positions – without customer confidence in the privacy and security of communications, the extraordinary steps toward freedom, productivity and prosperity that are the promise of the Internet can be lost.
This week a number of media outlets reported another serious allegation: that the National Security Agency took steps to compromise IT products en route to customers, including Cisco products. We comply with US laws, like those of many other countries, which limit exports to certain customers and destinations; we ought to be able to count on the government to then not interfere with the lawful delivery of our products in the form in which we have manufactured them. To do otherwise, and to violate legitimate privacy rights of individuals and institutions around the world, undermines confidence in our industry.
Bob Weber, the General Counsel of IBM, offered some strong basic principles. He blogged in March, in part:
“Governments must act to restore trust”, noting that his company “believes governments should take the following actions:
Governments should reject short-sighted policies, such as data localization requirements, that do little to improve security but distort markets and lend themselves to protectionist tendencies.
Governments should not subvert commercial technologies, such as encryption, that are intended to protect business data.
The U.S. government should have a robust debate on surveillance reforms, including new transparency provisions that would allow the public to better understand the scope of intelligence programs and the data collected.”
(full blog here: http://asmarterplanet.com/blog/2014/03/open-letter-data.html)
We support this approach, and offer the following additional suggestions:
- Governments should have policies requiring that product security vulnerabilities that are detected be reported promptly to manufacturers for remediation, unless a court finds a compelling reason for a temporary delay. By the same token, governments should not block third parties from reporting such vulnerabilities to manufacturers.
- Governments should not interfere with the ability of companies to lawfully deliver internet infrastructure as ordered by their customers.
- Clear standards should be set to protect information outside the United States which belongs to third parties but is in the custody of subsidiaries of US companies, so that customers world-wide can know the rules that will apply and work with confidence with US suppliers.
The failure to have rules such as these does not enhance national security – that failure will simply cause customers to seek solutions that they perceive – rightly or wrongly – will take them outside the reach of government. Moreover, that failure only strengthens those who oppose a free and open internet, and who are exploiting recent allegations to try to justify changes in internet governance that would tighten state control and limit freedom of expression. A failure to establish a clear and transparent set of rules will produce a fragmented Internet, limiting free speech and global economic growth.
A serious effort to address these issues can build confidence, and most importantly, result in the promise of the next generation of the Internet being met, a world in which the connection of people and devices drives greater freedom, prosperity and opportunity for all the world’s citizens.
It is the time for the world’s governments to address the practices and laws regulating government surveillance of individuals and access to their information.
What an insightful post!!
Worth reading it.
“Governments should have policies requiring that product security vulnerabilities that are detected be reported promptly to manufacturers for remediation, unless a court finds a compelling reason for a temporary delay. By the same token, governments should not block third parties from reporting such vulnerabilities to manufacturers.”
In the first three paragraphs, the author details the issues which brought about the article, to wit, removal of government abuse of surveillance and the eroding trust of citizenry due to privacy abuses by the government. Yet, the quote encourages more government oversight. If governmental entities do not follow current laws and policies regarding the sanctity of privacy, why would we expect them to supply information of manufacturers’ product vulnerabilities just because of policy?
It is my opinion that government entities will not report the vulnerabilities if it benefits them not to do so – court order or not. Therefore, documenting through laws or policies will not encourage such information sharing. Manufacturers, working with clients and third parties, should seek to develop security solutions that withstand vulnerabilities; a collaborative effort. Upon discovering vulnerabilities, those same entities should be diligent in resolving and further enhancing the security features / application / solution. Solutions derived for the benefit of all trump solutions exploited on all discovered by one.
It has been said that if “men were angels, governments would not be necessary.” Governments are necessary. However, our security derives from an open and free society able to exchange ideas through discussion. We should be developing solutions for all while continually improving on those solutions through a collaborative effort. I would be hesitant relying upon a benefactor who can exploit both the positive and negative of a solution. Therefore, reduce the government abuses and input through production of quality products and solutions that benefit the society; and trust that society to improve and grow the quality and benefits.
As a Cisco employee I saw this developing and decided I could no longer wait for governments to act accordingly. I ran this year for U.S. Congress in Texas (3rd District). And while I may have lost the primary this year, I intend to run again until this and similar issues are resolved. Maybe it’s time for some geeks (and CCIE’s) in Congress?
Josh Loveless
You don’t support net neutrality?
“Permanently defeat Net-Neutrality and other government intrusions on the free-market”
Good article.
Of course he doesn’t support net neutrality. Cisco sells a lot of devices to carriers so they can gouge us on pricing and permit our access to what they think we should see. Not to mention dictatorships like China.
Amusing to think Cisco didn’t know about the US Government doing this all along as I am sure they did.
Cisco had better prepare to have their international market share shrink considerably in the coming years. I personally stopped using their products (along with many other US tech companies’ hardware products) a few years ago! I have resorted to building network appliances with off-the-shelf parts and open-source software solutions for the small to medium companies I support!
Although there is no such thing as complete internet security, I believe you can minimize the risk by using lower-profile technology companies’ solutions… mainly open-source solutions where more eyes are evaluating the underlying source code.
Just my 2 cents.. keep in mind that I’m a nobody in the grand scheme of things, so take my comment with a grain of salt!
Cheers!
@Cam: I salute you, Sir!
And yes, you are somebody – you are the customer. People forgot how to vote with their wallets…
And to Mr. Chandler and the likes – it’s funny that all you high-profile people and corpos protest only after everything was leaked by Snowden. Seriously? Do you really think people are that stupid? Do you really think that people believe that corpos didn’t know what the NSA was doing with their hardware? Oh, come on… In the end, you’re all the same – corpos, NSA, government – you are all after the big money, nothing else. But keep it up, keep on pretending.
PS. Remember how the US government warned everyone about Huawei products that may have been tapped by China? Funny, isn’t it?
@Meh, Thank you for the kind words!
I’m a huge fan of pfSense, Asterisk, Snort, Squid, Varnish, OwnCloud, OpenVPN, TLS and let’s not forget TrueCrypt for encryption. These technologies combined make for a sound, scalable, secure network solution that replaces many of the offerings that Cisco provides… at least for my customers and me.
The best part is that you are allowed to dive deep into the source code to find flaws yourself, if you choose. So you can have peace of mind that your solution isn’t being tampered with, and they all work on off-the-shelf hardware and open embedded hardware as well!
I remember when proprietary tech companies used to mock open-source technologies and didn’t consider them a threat, when the IT industry was booming. I was one who was on the side of proprietary solutions.
The US used to be the king of the IT industry as well as many other industries, and like every other empire in our history it is falling/will fall as well.
My 2 cents… Cheers!
It would be rather shortsighted to assume that only Cisco hardware was (and likely continues to be) intercepted and modified. Given the reach of the intelligence agencies, they could do the same anywhere with any vendor’s hardware. Short of building your own, there isn’t a surefire way to avoid the all seeing eye.
How many secret court orders did Cisco receive from FISC to build in backdoors or weaken the product?
Not good enough. Cisco doesn’t work with US government to weaken its products? When does Cisco work with US government then? This blog isn’t good enough answer. You have lost trust of people who buy Cisco products. You have lost support of systems and network engineers who know better. We’re not fooled and we’re not happy with Cisco. If you want to regain my business, you will fight US government. Until that time, Cisco, like other major US tech companies, cannot be trusted.
As a long-time Cisco employee, I would hope that we go farther and actually pressure the US government to stop this practice. Their actions have hurt our business and growth in emerging markets and elsewhere and left a black eye on the entire US technology sector. We may have no culpability here, but I am certain that certain sections of Cisco are well aware that this has been happening and it’s not a new program. As a further step, I would like to see anti-tampering technologies placed in our products so that any unauthorized access is noted in a show tech output.
Your products do have tamper-evident shields and seals; that is, the ones ordered with hardware extension modules at least.
Cisco is named as a strategic partner in the NSA slides leaked by Snowden.
Well, that’s very nice. A Strongly Worded Letter (TM). Asking all the spies of the world to stop spying. Let us know how that works out for you.
Is your PAC money behind that? That might help you in one or two of the 206 states that are gunning for you.
Meanwhile, why don’t you actually DO something, instead of begging?
You could start by sealing the boxes better. Yes, there are seals that are at least a little tricky for the NSA.
You could go on to fix your extreme quality problems. You know, even if you have to ditch some of those “features” you’re always cranking out. And even if you have to actually punish people for screwups.
Speaking of features, why are your products still putting unencrypted data on the wire? And why is it so hard to set up crypto where all the gear is actually sure what it’s talking to? Where’s ubiquitous TLS? Where’s an ubiquitous PKI that actually works?
Hey, you might even have to work with other vendors! Worse, you might have to tell the people who make your products they all have to do the same thing! Couldn’t have that.
And let’s see something we can actually verify. Publish your source code. Publish your hardware designs. It’s not so scary. You’ll get over it. If you have other people’s code in your products, they let you publish it or you replace it.
And tell us who you let change that code, and how you know their changes are OK. Show us the logs.
And then you can get SERIOUS. Some nobody students at some random college can do this: http://ssrg.nicta.com.au/projects/seL4 . Why can’t you?
Or you can just keep asking.
Nice, but as far as I understand, American companies must work together with the NSA if the NSA asks them to, but may be forbidden to talk about it.
So how can anyone ever again trust an American company?
I’m sitting right next to two large Cisco routers in my office. How can I be sure that any of the data I send through them is safe? And it’s not just the data – after all these revelations they might even be implanted with cancer-inducing high-power radio transmitters.
If I had the resources and authority, I’d replace them with non-US hardware today, and even then I wouldn’t feel safe. I fear the US government way more than any terrorist organization.
I’m wondering how this wasn’t found by Cisco through your RMA process. Surely some of the affected products failed and ended up back at Cisco.
And if it was done so that Cisco couldn’t identify that a product was compromised, what is to stop that product from going out to another customer who isn’t targeted through your RMA/refurbish process?
What a mess! Thanks NSA…
You guys buying your stock today? Because as your sector as well as the wider market crumbles, you’re up on this horrible news.
This is damage control from house counsel. You feign victimization when you’re in fact complicit with the US government. You don’t like that YOUR CUSTOMERS have been backdoored? Yet it was YOU, who told the government about the sale. How else does this happen? http://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant
blah, blah, lawyer Marky choosing his words ever so carefully while saying nothing. Shame on you.
“We kill people based on metadata” – Michael Hayden.
So well Cisco, then do the following:
1) Offer software tools for download on your homepage that allow checking the integrity of the firmware and hardware of your products.
2) Let every Cisco product come with a screwdriver, and a detailed guide on how the customer can open the product and check whether the parts in it are really original. That should not be too difficult.
3) Create a safer shipment process. Ship the products yourself or seal your packets when you ship. Maybe one can put a small device into the packet that comes with a GPS receiver and a light detector or something. Whenever the box is opened somewhere that is nowhere near the customer, the device could send the coordinates to Cisco and, if not possible, just warn the recipient when it arrives later on.
4) As Cisco is mentioned as having a partnership with the NSA, tell us about the nature of this partnership. Since the NSA has to intercept Cisco shipments, it seems that there is at least some truth when Cisco says it never weakens its own hardware.
5) Open up a lawsuit against the US government. They have deliberately endangered the trust in Cisco products, causing Cisco’s profit to decrease. Cisco deserves repayment from the government because of this.
Regarding item 2. Wouldn’t the NSA intercept the goods and replace the diagram with a tailored diagram, leaving the end-user ever so clueless? Maybe a diagram published on cisco.com would fare better, but I don’t see what can guarantee these diagrams to be genuine in the first place. In the worst case, Cisco is, or will be, infiltrated by the NSA, all the way from the engineers that design the hardware and the software, right up to the ones publishing the official documentation on cisco.com. What a nightmare.
Regarding item 3. I’m sure the NSA will find a way to jailbreak any attempts at hardening the shipment process.
And I forgot
6) In order to better check your firmwares, make them all open source. Your company alone is unlikely to prevent NSA hackers from creating malware for Cisco products. But when your sources can be checked by everyone, you have a better chance that a security flaw is found by someone not working for the NSA.
While this article strikes the right tone, it sounds more like a late reaction designed to take heat off the public outrage. For a bunch of Ivy Leaguers running these companies, they sure have not been very bright in choosing to be complicit in anti-Constitutional behaviour against the American people.
You have facilitated this. You complied with it. You enjoyed its benefits – who knows what the Government promised you.
Your ‘fight’ against the surveillance state had better be more than simple blog posts. Participate in the public debate on the side of the people in an open and substantial manner.
Do you think people are so blind not to see you’re just interested in damage control?
http://dailycaller.com/2014/05/15/leaked-photos-show-nsa-hardware-interception-and-bug-planting-workstation/
Cisco: To regain trust, simply arm all of us IT administrators with powerful tools and guides (we will supply the screwdrivers) to verify the integrity of your products at every level to defeat this idiotic threat.
And it is a threat, make no mistake. The motives behind defeated security cannot be known; good guys and bad guys are indistinguishable at a technical level.
Nothing other than loudly and publicly arming us to defend ourselves with verification tools will work. I, as a decision maker who is responsible for a hefty IT budget each year, will absolutely move our global purchasing towards products I feel are trustworthy and which allow tamper detection and mitigation. Period. We really don’t give a crap about Cisco’s political games and this blog post is useless to what really matters: “Can I regain trust in the heaps of Cisco hardware in my systems or do I start ripping it out for ebay vultures?”
Side note, if you don’t technically solve our trust issues it’s likely we won’t even be able to dump our Cisco stuff on the second-hand market. Who would buy it if I wouldn’t?
The IT world now fears Cisco routers. We’ve been suspicious for years but a smoking gun has surfaced. Set this straight or fade away. You might think you sell network hardware but as a previously loyal customer of many years, I can tell you that trust was your only commodity and it fueled all of our past decisions to buy Cisco products. Fix please. We like your technology – would be a shame not to buy it for lack of trust.
I, for one, welcome our new NSA overlords.
Words are cheap Cisco, here is what you need to do plain and simple to restore our trust in your company (I like cisco/linksis, but this issue has to be resolved):
-integrate a physical anti-tampering device into each product you sell. A more high-tech version of “if this seal is broken please contact us immediately”
-provide a way to authenticate the software on the device to make sure it is not corrupt. Maybe have some online tool.
Again, pretty easy fix and it would restore trust in your company. While I do not accuse Cisco of working with the government, it is nevertheless your job to prevent this from happening in the future.
If it hits the quarter sales hard, start thinking about leaving the USA (Ireland?). That would bring back the confidence.
as a matter of policy and practice, i think Cisco does not work with any government…
Riiiiiight… Because Cisco’s CEO was mounting a staunch defense of the NSA and its practices about a year ago for no reason at all. He was just blabbing on about how justified they were as a coincidence… right?
I think it’s quite naive to think the NSA would desire to cooperate with Cisco et al.; any cooperation creates more visible surface and shortens the lifetime of your attack. People are terrible at keeping secrets. If you ‘order’ a feature in Cisco IOS as the NSA, hundreds of people will know about it, you can’t gain leverage over them, you can’t pay them off reliably, many of them will be in another company or country in a year; it’s just exceedingly childish to view this as a desirable vector from a tradecraft POV.
It takes skill to attack IOS but it’s not exceedingly hard, for NSA budget it falls into trivial. You can read about attacks Felix has described and done with 0 budget.
You would never know your box is compromised if rommon and/or ios is compromised, there is no new HW there to inspect.
Also any intrusion detection/prevention is also very naive, you can always destroy the packaging completely, and source packaging from the same public company producing it and repackage.
Resource need is trivial, remember NSA is funded in the billions per annum, sourcing packaging is nothing.
You can however be 100% sure that Cisco is aware of these high-profile, advanced attacks. I personally know a company with a CAT7600 who was targeted, and I’m almost certain the attack was done by poking the TCAM (which you can do from the CLI) to create an ERSPAN tap: 100% standard software, nothing pwned, nothing seen in the config. But if you’d wiretap it, you’d see it.
What I want Cisco to do is to come clean about these: whenever an attack is seen in the field, document it publicly, explain how it was done and how to detect it.
Also, if your company is targeted, come clean, write a blog post about it.
As long as victim and Cisco stay quiet, these attacks don’t exist. Literally, mainstream media will label it just paranoid.
Without data, we have nothing. With data we can fix it, we can prove it, we can change it.
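The verification tooling that several commenters ask for (item 1 and item 6 above, the "way to authenticate the software on the device") amounts to a manifest of known-good image hashes, checked against what a device reports. The example below is added here and is not Cisco code or any commenter's code; the image contents, manifest and device output lines are constructed, and the device output format is assumed. The manifest's own fingerprint is checked against a value obtained out of band, which is the answer to the worry that a swapped manifest would fool the reader.

```python
"""Firmware image integrity check against a known-good manifest (constructed example)."""
import hashlib
import re

# Constructed stand-ins for real firmware files: name -> bytes of an unmodified build.
SAMPLE_IMAGES = {
    "router-image-15.2.bin": b"constructed firmware bytes: build 15.2, unmodified",
    "rommon-1.4.bin": b"constructed rommon bytes: 1.4, unmodified",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(images: dict) -> str:
    """Render 'name  sha256' lines in sorted order so the manifest text is canonical."""
    lines = [f"{name}  {sha256_hex(data)}" for name, data in sorted(images.items())]
    return "\n".join(lines) + "\n"


def manifest_fingerprint(manifest_text: str) -> str:
    """Hash of the manifest itself; the operator compares it with a value obtained out of band."""
    return sha256_hex(manifest_text.encode())


def parse_manifest(manifest_text: str, expected_fingerprint: str) -> dict:
    """Refuse a manifest whose fingerprint does not match the out-of-band value."""
    if manifest_fingerprint(manifest_text) != expected_fingerprint:
        raise ValueError("manifest fingerprint mismatch: manifest may have been replaced")
    manifest = {}
    for line in manifest_text.splitlines():
        name, digest = line.split()
        manifest[name] = digest.lower()
    return manifest


# Assumed shape of a device's hash-verification output; not taken from vendor documentation.
LINE_RE = re.compile(r"verify /sha256 \(flash:(?P<name>[^)]+)\) = (?P<digest>[0-9a-fA-F]{64})")


def render_device_output(images_on_flash: dict) -> str:
    """Constructed device output for the images currently on flash."""
    lines = [f"verify /sha256 (flash:{n}) = {sha256_hex(d)}" for n, d in images_on_flash.items()]
    return "\n".join(lines) + "\n"


def parse_device_output(text: str) -> dict:
    observed = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            observed[m["name"]] = m["digest"].lower()
    return observed


def check_images(manifest: dict, observed: dict) -> dict:
    """Classify each reported image as ok, tampered or unknown; list expected images that are absent."""
    findings = {"ok": [], "tampered": [], "unknown": [], "missing": []}
    for name, digest in observed.items():
        if name not in manifest:
            findings["unknown"].append(name)      # image the vendor never published
        elif digest == manifest[name]:
            findings["ok"].append(name)
        else:
            findings["tampered"].append(name)     # published name, different bytes
    findings["missing"] = sorted(set(manifest) - set(observed))
    return findings


def run_scenario() -> dict:
    """Constructed scenario: one good image, one modified in transit, one never published."""
    manifest_text = build_manifest(SAMPLE_IMAGES)
    fingerprint = manifest_fingerprint(manifest_text)   # would come from an out-of-band channel
    manifest = parse_manifest(manifest_text, fingerprint)
    on_flash = {
        "router-image-15.2.bin": SAMPLE_IMAGES["router-image-15.2.bin"],
        "rommon-1.4.bin": b"constructed rommon bytes: 1.4, modified in transit",
        "extra-tool.bin": b"constructed bytes for an image not in the manifest",
    }
    return check_images(manifest, parse_device_output(render_device_output(on_flash)))


if __name__ == "__main__":
    for category, names in run_scenario().items():
        print(f"{category:9s} {names}")
```

As the comment above notes, a compromised ROMMON or IOS can lie about its own hash, so hashes reported by the device's CLI only raise the bar; computing the hashes off-box from a copy of the flash contents is the stronger check.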
Nowadays internet security plays a vital role in major technology updates, so from my point of view it is more important than anything else on the internet.
Nice going NSA. You just caused Cisco and other US tech companies billions of dollars in lost revenue. Are you really that incompetent that you could not see this leaking out? What unbelievable shortsightedness and arrogance to hijack gear on its way to customers. I would say you just aided every terrorist in their goal of hurting the US, and thank you for the job losses this has caused. Talk about helping Bin Laden’s end game.
@CAM —
Open-source? … Heartbleed.
It is high time for Cisco and other firms to move offshore to countries such as Switzerland. I know this will take time, but if you don’t, other firms in Europe will eventually eat ALL OF your lunch. Trust is like a beautiful mirror; once shattered, it can NEVER be fixed!
USI (Università della Svizzera italiana, University of Italian Switzerland) is promoting local IT expertise, as people all over Europe beg to buy products not associated with the USA!
Security on the Internet today has to be layered, because attacks and offenders are becoming ever more sophisticated…
We bought LANCOM router instead of Cisco ones.
Cisco – you can say thanks to the NSA for that …
Thanks for the letter, very well worded and beautiful to read. I, however, won’t be touching any Cisco equipment for the next few years.