This week, Cisco provided comments on the Department of Commerce’s Bureau of Industry and Security (BIS) proposed cybersecurity regulations. These comments reflect the realities of how Cisco looks to protect both our customers and our products. They also emphasize the critical role that security research, access to tools, and qualified talent have in cybersecurity.

Cisco has hundreds of dedicated security engineers and researchers throughout the company and around the globe, who use the latest and greatest tools and techniques to test our technology. We proactively attempt to break into our own products, our own services, and our own networks, in order to close identified weaknesses and vulnerabilities as soon as possible and to develop better protections against attack. Many of these same people are responsible for investigating reported vulnerabilities or compromises of our products and running these reports to ground with absolute certainty. In doing this, we have resolved countless bugs and vulnerabilities and continue to improve the security of our products with what we learn. Along the way we have discovered many interesting and creative adversaries and certainly learned that there are some very resourceful people out there. 

This security function is critical to ensuring that we offer Trustworthy products and services to our customers, and the downstream impact of this activity is huge. By working to identify as many vulnerabilities as possible internally, we make our products more robust when they are deployed in our customers’ networks, where in many cases they are a part of the lifeblood of a business, or even the Internet. We also use what we learn to inform improvements to the Cisco Secure Development Lifecycle that we use to manage risks associated with our technologies from inception through the end of life. We must remain vigilant, and having access to research, technology, and qualified talent is paramount to our success.

We look forward to working with BIS to help revise the proposed rules in a way that balances the need we have to protect our products and our customers with the desire to regulate the export of weaponized software.