Long-time Cisco Systems chief executive John Chambers has written a strongly worded letter to US President Barack Obama stating that the company “simply cannot operate” if the National Security Agency continues intercepting its routers and injecting spyware onto them before they are delivered to customers.
Last week journalist Glenn Greenwald, who has access to the National Security Agency treasure trove of whistleblower Edward Snowden, published an article in The Guardian newspaper which referred to a June 2010 report from the head of the NSA’s Access and Target Development department.
The report reportedly states baldly that the NSA routinely receives – or intercepts – routers, servers and other computer network devices being exported from the US before they are delivered to the international customers. The agency then implants backdoor surveillance tools, repackages the devices with a factory seal and sends them on. The NSA thus gains access to entire networks and all their users.
The report has huge significance for countries outside the US, including Australia, because the US is home to some of the world’s largest network equipment manufacturers — companies such as Cisco Systems, Juniper, Alcatel-Lucent (courtesy of its Lucent merger in 2006) and many smaller companies all have substantial US facilities. These same companies supply equipment to Australia’s largest telcos — Telstra, Optus, TPG, iiNet, Vodafone, and of course NBN Co. The Guardian report implies that the NSA may have compromised the security of Australia’s largest telecommunications networks, through networking equipment exported from the US.
In a letter to US President Barack Obama, obtained and published by US technology media outlet Re/Code, Chambers stated clearly that the NSA’s practice was unacceptable. “… if these allegations are true, these actions will undermine confidence in our industry and in the ability of technology companies to deliver products globally,” the Cisco chief executive wrote.
“We simply cannot operate this way, our customers trust us to be able to deliver to their doorsteps products that meet the highest standards of integrity and security. That is why we need standards of conduct, or a new set of ‘rules of the road’, to ensure that appropriate safeguards and limits exist that service national security objectives, while at the same time meet the needs of global commerce. We understand the real and significant threats that exist in this world, but we must also respect the industry’s relationship of trust with our customers.”
Chambers asked Obama to “take more steps” and a leadership role, to ensure that new guidelines and reforms are put in place with relation to the equipment interception issue, that could be honoured across the world. And he also warned the US President that Cisco would patch any holes it found in its products.
“As a matter of policy and practice since our inception, Cisco does not work with any government, including the United States Government, to weaken our products,” he wrote. “And when we learn of a security vulnerability, we respond by validating it, informing our customers and fixing it as soon as possible.”
“By adhering to these — and many other standards — we have built and maintained our customers’ trust. Trust with our customers is paramount, and we do everything we can to earn that trust every day.” Chambers’ letter broadly repeated comments made last week in a blog post by Cisco general counsel Mark Chandler.
Wow. We live in incredible times when we are witnessing this kind of high-level dialogue between the head of Cisco Systems and the US President, where Cisco is beseeching the US Government not to merely intercept its routers and install spyware in them before they are delivered to customers.
I would never have thought the US Government would have abused its power in this manner; perhaps that makes me naive. I’m sure, however, that quite a lot of people at Cisco are shocked as well. I think most people have been taking the security of this fundamental network infrastructure for granted up until now. Greenwald’s incredible revelations have starkly demonstrated that that belief was a fallacy.
What we are seeing here from Chambers is the three-pronged approach that Cisco Systems absolutely must take immediately if it is to retain any credibility with its large customers.
Firstly, Chambers has gone on a public relations offensive, signalling Cisco’s independence from the US Government through this letter to Obama (which was no doubt judiciously leaked by Cisco to the US technology press). Don’t be fooled: Although Obama will take the letter seriously, I don’t think either Chambers or anyone else really expects it to have much of an impact on Obama’s approach to this issue. The President has generally shown a degree of unwillingness to rein the US security establishment in too sharply; and even if he did in this case, that action would take place in too slow a fashion for Cisco’s liking. The company has its market share to think of, and customers are already threatening to ditch US networking vendors over this issue. This letter is all about reassuring Cisco’s customers.
Contained in this letter is Cisco’s next necessary move: Chambers has pledged that his company will patch any NSA-sourced vulnerabilities which it finds in its routers. This, also, is an action which must be taken by Cisco immediately, to retain any credibility.
And thirdly, no doubt behind the scenes, the cautious Chambers has already ordered a comprehensive review of Cisco’s manufacturing and delivery processes. I would bet that the company will quietly shift as much of its manufacturing outside of the US as possible and to countries where it can use its huge financial muscle to much more closely control its manufacturing process. No doubt it will do something similar with its delivery processes, focusing much more closely on which delivery partners it uses and how those partners can be monitored.
Meanwhile, Australia still has to consider its own response to this issue. Cisco routers are used everywhere in Australian business and in government, having long been considered the gold standard for networking gear. I suspect that Greenwald’s article kicked off immediate network security reviews at companies like Telstra and Optus, as well as in major banks, at Defence, and other major security-conscious Australian organisations.
The revelation that the NSA was intercepting US network routers before delivery was like a stone dropped into a calm pond. Things may look relatively peaceful on the surface. But we’ll be feeling the ripple effect from this one for years. Chambers’ letter to Obama just represents the public commencement of high-level discussion.