‘Unacceptable’: Cisco’s Chambers tells Obama re NSA interceptions


Long-time Cisco Systems chief executive John Chambers has written a strongly worded letter to US President Barack Obama stating that the company “simply cannot operate” if the National Security Agency continues intercepting its routers and injecting spyware onto them before they are delivered to customers.

Last week journalist Glenn Greenwald, who has access to the trove of National Security Agency documents leaked by whistleblower Edward Snowden, published an article in The Guardian newspaper which referred to a June 2010 report from the head of the NSA’s Access and Target Development department.

The report reportedly states baldly that the NSA routinely receives – or intercepts – routers, servers and other computer network devices being exported from the US before they are delivered to international customers. The agency then implants backdoor surveillance tools, repackages the devices with a factory seal and sends them on. The NSA thus gains access to entire networks and all their users.

The report has huge significance for countries outside the US, including Australia, because the US is home to some of the world’s largest network equipment manufacturers — companies such as Cisco Systems, Juniper, Alcatel-Lucent (courtesy of its Lucent merger in 2006) and many smaller companies all have substantial US facilities. These same companies supply equipment to Australia’s largest telcos — Telstra, Optus, TPG, iiNet, Vodafone, and of course NBN Co. The Guardian report implies that the NSA may have compromised the security of Australia’s largest telecommunications networks, through networking equipment exported from the US.

In a letter to US President Barack Obama, obtained and published by US technology media outlet Re/Code, Chambers stated clearly that the NSA’s practice was unacceptable. “… if these allegations are true, these actions will undermine confidence in our industry and in the ability of technology companies to deliver products globally,” the Cisco chief executive wrote.

“We simply cannot operate this way; our customers trust us to be able to deliver to their doorsteps products that meet the highest standards of integrity and security. That is why we need standards of conduct, or a new set of ‘rules of the road’, to ensure that appropriate safeguards and limits exist that serve national security objectives, while at the same time meeting the needs of global commerce. We understand the real and significant threats that exist in this world, but we must also respect the industry’s relationship of trust with our customers.”

Chambers asked Obama to “take more steps” and to take a leadership role in ensuring that new guidelines and reforms are put in place in relation to the equipment interception issue, guidelines that could be honoured across the world. He also warned the US President that Cisco would patch any holes it found in its products.

“As a matter of policy and practice since our inception, Cisco does not work with any government, including the United States Government, to weaken our products,” he wrote. “And when we learn of a security vulnerability, we respond by validating it, informing our customers and fixing it as soon as possible.”

“By adhering to these — and many other standards — we have built and maintained our customers’ trust. Trust with our customers is paramount, and we do everything we can to earn that trust every day.” Chambers’ letter broadly repeated comments made last week in a blog post by Cisco general counsel Mark Chandler.

opinion/analysis
Wow. We live in incredible times when we are witnessing this kind of high-level dialogue between the head of Cisco Systems and the US President, where Cisco is beseeching the US Government to stop intercepting its routers and installing spyware in them before they are delivered to customers.

I would never have thought the US Government would have abused its power in this manner; perhaps that makes me naive. I’m sure, however, that quite a lot of people at Cisco are shocked as well. I think most people have been taking the security of this fundamental network infrastructure for granted up until now. Greenwald’s incredible revelations have starkly demonstrated that that belief was a fallacy.

What we are seeing here from Chambers is the three-pronged approach that Cisco Systems absolutely must take immediately if it is to retain any credibility with its large customers.

Firstly, Chambers has gone on a public relations offensive, signalling Cisco’s independence from the US Government through this letter to Obama (which was no doubt judiciously leaked by Cisco to the US technology press). Don’t be fooled: Although Obama will take the letter seriously, I don’t think either Chambers or anyone else really expects it to have much of an impact on Obama’s approach to this issue. The President has generally shown a degree of unwillingness to rein the US security establishment in too sharply; and even if he did in this case, that action would take place in too slow a fashion for Cisco’s liking. The company has its market share to think of, and customers are already threatening to ditch US networking vendors over this issue. This letter is all about reassuring Cisco’s customers.

Contained in this letter is Cisco’s next necessary move: Chambers has pledged that his company will patch any NSA-sourced vulnerabilities which it finds in its routers. This, also, is an action which must be taken by Cisco immediately, to retain any credibility.

And thirdly, no doubt behind the scenes, the cautious Chambers has already ordered a comprehensive review of Cisco’s manufacturing and delivery processes. I would bet that the company will quietly shift as much of its manufacturing outside of the US as possible and to countries where it can use its huge financial muscle to much more closely control its manufacturing process. No doubt it will do something similar with its delivery processes, focusing much more closely on which delivery partners it uses and how those partners can be monitored.

Meanwhile, Australia still has to consider its own response to this issue. Cisco routers are used everywhere in Australian business and in government, having long been considered the gold standard for networking gear. I suspect that Greenwald’s article kicked off immediate network security reviews at companies like Telstra and Optus, as well as in major banks, at Defence, and other major security-conscious Australian organisations.

The revelation that the NSA was intercepting US network routers before delivery was like a stone dropped into a calm pond. Things may look relatively peaceful on the surface. But we’ll be feeling the ripple effect from this one for years. Chambers’ letter to Obama just represents the public commencement of high-level discussion.

Photo credit: Oracle_Photos_Screenshots via photopin cc

22 COMMENTS

  1. This will just give the Attorney-General Brandis some new ideas about making Australia a safer (and better) place. This is giving too much power to too few.

  2. I fear that Carl is correct.

    There are a raft of things here that have been done in the US that I think are likely to raise one of two questions with high level bureaucrats.
    1.) Why didn’t we think to do that?;
    or if they have already committed similar transgressions here in Australia,
    2.) What can we do to continue operating this way whilst making sure it never becomes public knowledge.

  3. I can’t help but think this is just damage control. I would not be surprised to find out that Cisco have been well aware of this practice for a long time but turned a blind eye to it. Now that the practice has been exposed, they’ll make all this noise so that there’s no long term damage to their reputation but the practice will continue.

    • Usually I don’t go for the conspiracy angle, but find it hard to believe that Cisco has not been able to determine what NSA is actually doing to their devices. Suggests to me that Cisco are protesting a bit too much.

      Our governments may think they have nothing to fear from the NSA, but how do they feel about (criminals/hackers/bad guys on the other side) discovering and using these vulnerabilities?

    • >Now that the practice has been exposed, they’ll make all this noise so that there’s no long term damage to their reputation but the practice will continue.

      There’s damage to their reputation whether they knew about it or not.

      Once the genie is out of the bottle, it’s hard to get it back in. Even if the US government (or Cisco) gives “assurances” that the practice has stopped, no one will ever be sure and many will not believe it.

  4. Does this mean that we don’t need any new data retention legislation since the NSA is doing it for us already?

  5. With the US and their unlimited spying potential in any other country, I am really surprised that Australia bothers with any internal spy network at all. Aren’t we a member of the Five Eyes Alliance?

    • I doubt it’s for us; more that it’s for ‘legal’ end runs around US domestic law – the incident where we passed on intel to the US via 5 Eyes is particularly in my mind. The US could say ‘we weren’t surveilling this alleged terrorist’ – but they wound up with privileged attorney-client dealings via the Australian arm of Five Eyes that they wouldn’t have been able to legally access otherwise.

      The number of times and ways our government has bent over backwards to ‘assist’ the US in various ways and means – and our altogether too eager, uncritical speed to do so, at times – is one of the things that really bugs me about our international relations of the past decades. I really wish there was more pushback on it, but sadly it seems it is another of those things we are happy to be apathetic about.

  6. So much for “don’t buy Huawei; the Chinese may have built in backdoors to those products compromising data security”…. turns out they’ve been beaten to the punch … by the US. :rolleyes:

    I certainly have no doubt that this one will be resounding for many years; taking production out of the physical jurisdiction – jobs walking offshore – will be the least of the effects seen. I’m not expecting any shame or regret to be shown for this; more a ‘bugger we got busted’ attitude, and a greater effort to hide such activities – showing they STILL don’t get it. I’d like to be proven wrong, but given recent history – NSA backdoors in encryption (the broken elliptical curve iirc) – I doubt this is the last of this type of behaviour we will see in the name of ‘security’.

    Unacceptable is the kindest thing I could say of it.

    • Big problem for them is that the only way we will learn the truth of if they actually “got it”, is when they fail and get exposed again.

      It’s impossible to confirm they have learnt their lessons when their whole business is based on deceit and secrecy and when they have the treason charge they can swing at any whistleblowers brave enough to speak out.

    • >so much for “don’t buy Huawei; the Chinese may have built in backdoors to those products compromising data security”

      It was the US government saying that and they were probably right. They may have reasoned that since they were doing it, the Chinese government was doing it too.

  7. I expect there will be Cisco, Juniper, HP, A/L et al gear filling up landfills right now, which is a shame cause much of it is really good gear. But it doesn’t matter how stable, reliable and powerful it is if it is vulnerable by design and you have no confidence that even patched gear can’t be unlocked again in the future. Many corporate and government policies don’t even allow this stuff to be resold, it has to be physically disabled (ie smashed and crushed) when it comes out of service. Such a shame.

    The US Government. Undermining their own tech industries since 1854 (except this time it might be lethal).

    • “I expect there will be Cisco, Juniper, HP, A/L et al gear filling up landfills right now…”

      Which government agencies have funding to review their suppliers and replace their core networking products?
      How many of them can afford to care about it?

      Think this just proves even more that you can’t trust anyone, and especially not your allies.

    • >you have no confidence that even patched gear can’t be unlocked again in the future

      I wonder whether the US government is compromising the lowest level boot code or the firmware. Given enough resources you could do either but if it’s only the latter then the network equipment is not a complete dead loss, so no need for landfill.

      • There’s no way they’re just compromising the firmware – that is (or at the very least should be) updated regularly by engineers with vendor code. Network devices (particularly edge routers, but even switches and wireless APs) have vulnerabilities that are discovered fairly regularly and failing to update them is the equivalent of not patching zero-day OS vulnerabilities. Vendor firmware would overwrite NSA firmware in such a case, patching the backdoor – for any network engineers worthy of the title this would happen on day one before the devices were even rolled into production.

        No, what they’re doing is adding some piece of hardware that is either snooping traffic or actually capable of interacting. Snooping is actually worse – it can be electrically isolated and use electromagnetism to pull bits off the ports with zero interference and no chance of detection, and they can communicate back to the NSA using an undisclosed network protocol, which would show up on network packet analysis tools as background noise as it isn’t a form of recognisable data. Good luck figuring out the difference between background noise and this kind of traffic unless you’re using fibre, where you can completely isolate and analyse every data stream – on copper they act like antennas and pick up every bit of radio and electromagnetic signal that passes by them. Positively identifying encrypted traffic in that mess would take years and some highly specialised skills.

        The take-home message is, if such techniques were being used (and I guarantee they are, or something even harder to detect is) then you simply cannot trust the device. I don’t care how expensive it is to completely replace your network, if you need to adhere to any sort of compliance program to standards requiring protection of data, your business is now on the line if you don’t do everything necessary to secure your environment. Australia is pretty lax with standards compliance, but you can bet European and Asian companies and standards bodies are rushing to review their practices and advisories to ensure this stuff gets covered – if it’s a choice between ripping out the network and shutting down the business (or government departments being in breach of privacy and data protection laws) those networks have their days numbered.

        Besides, you can probably claim the whole thing on insurance… I wonder how corporate/government insurers are responding to this?

        • Right. (I should have read the original article.) Inserting hardware is yet another potential headache.

          Now that the cat is out of the bag, there must be some sharp-eyed person who can open up their Cisco router and tell us what is really going on. Perhaps someone in the Middle East or former USSR.

    • Not at all. What are they going to replace that gear with? Huawei?

      While the “details” may have been previously secret, virtually nobody in the security world was surprised by the ability of US intelligence to intercept traffic on Cisco-powered networks. Of course they can. With the huge chequebook, manpower and knowledge available to them, you would be incredibly naive to think otherwise. It was just a question of how, but everybody assumes such a thing is possible if “the Feds” are determined enough.

      But that’s just life. There’s no manufacturer in the world who could guarantee their gear is free from government interception or surveillance – they are not in a position to guarantee that. So all customers can do is pick the best available equipment, remembering that “most secure” does not actually mean “secure”.

      • There’s a big difference between unsubstantiated suspicions that can readily be labelled as conspiracy theories and mainstream media coverage of substantiated facts supported by acknowledgement from network vendors themselves. You wouldn’t have seen a single compliance program previously that acknowledged even the possibility of network hardware being permanently compromised, but everyone will be scrambling to include such criteria now because we know, for a fact, that there are new vectors of exposure that cannot be guarded against following any existing best practices. If you think this is ‘business as usual’ you are very much mistaken.

        It isn’t just that the NSA have been doing this, it is that the NSA have information sharing relationships with other departments and even key commercial bodies. If that wasn’t enough, now that we know there are vulnerabilities in these devices by design, there will be criminal organisations and foreign governments spending up big trying to reverse engineer the communications protocols in use. Sure, it might be a long shot – the NSA may have done their crypto and engineering perfectly. But they may not – usually when someone considers a device ‘unhackable’ some smart people manage to figure out how to compromise it, so this may be no different. And if it isn’t, if the NSA relied on obscurity to keep the technique uncompromised until now, the potential payoff for criminal organisations is staggering.

        And the only way to ensure your network is secure is to remove offending devices. Sure, you could wait until the vendor does their own analysis and provides some sort of resolution, but how much do you trust them at this point?

        No, the only safe assumption is the devices are compromised and you either start encrypting all network traffic (so it doesn’t matter), or remove the compromised equipment.

  8. Glad I don’t and have never used Cisco gear.

    I have nice German firewall products.

  9. Renai, you need to look at 283 of the Telecommunication Act, the bit where it gives carte blanche for federal agencies to take anything and everything they want.

    Basically the feds/asio have core router access (you might recall why someone like would know this).

    I don’t think the carriers would be worried that the feds had compromised their cisco routers when they already had core access.

    Though I’d be worried if I was a law firm and was using Cisco hardware. All that client in confidence material that the spies would love to get their hands on.

    All of those barristers and lawyers thinking they’re safe behind their firm’s equipment when in fact it’s been compromised in a big way.

    The million dollar question though is, if you’re being compromised, what to do about it (and how would you work it out – what, strip all your blade servers down to look for a little chip??).

    And how would you avoid being compromised by any other hardware supplier by their national government?

  10. The $64k question (or add a few zeroes) … Is Cisco suing the arse off the US government? Commonsense says that this will cost Cisco dollars and that on the face of it Cisco has a case. Some possible answers:

    * No, because the US government has indemnified itself in legislation (i.e. yes we can do these bad things *and* you can’t sue us for the consequences).

    * No, because the US government has or will quietly pay Cisco compensation in return for Cisco being quiet.

    * No, because this would result in the further revelation that Cisco knew about it (in which case Cisco may not have a case).

    Is someone in the media going to pursue this angle?
