Cisco Goes Straight To The President To Complain About The NSA Intercepting Its Hardware

from the NSA-vows-to-take-this-country-down-from-the-inside dept

One of the previously-unseen NSA documents released in conjunction with Glenn Greenwald’s book, “No Place to Hide,” contained this slide providing further details about the agency’s interception of computer hardware.

As part of the NSA’s Tailored Access Operations (TAO), shipments are grabbed en route and loaded up with physical spyware before they reach the end user. The slide notes that this “supply chain interdiction” is one of TAO’s “most productive operations.”

The people in the photo may have had their identities concealed, but there’s no mistaking the logo and name on the side of the box. Here’s a closer look:

Cisco was none too pleased to see its hardware being given a spyware payload by NSA operatives. Its general counsel, Mark Chandler, said the following in a blog post addressing the newly-leaked document.

As a matter of policy and practice, Cisco does not work with any government, including the United States Government, to weaken our products. When we learn of a security vulnerability, we respond by validating it, informing our customers, and fixing it. We react the same when we find that a customer’s security has been impacted by external forces, regardless of what country or form of government or how that security breach occurred. We offer customers robust tools to defend their environments against attack, and detect attacks when they are happening. By doing these things, we have built and maintained our customers’ trust. We expect our government to value and respect this trust.

That the NSA has done what it can to ensure Cisco’s world dominance (via its Huawei-related espionage) is probably of little comfort at this point. Anyone looking to purchase Cisco equipment has probably decided to take their business elsewhere. Cisco expressed some concern about the NSA’s detrimental effect on its overseas sales last November. This photo only makes that situation worse.

Cisco has now decided to take its complaints right to the top.

Warning of an erosion of confidence in the products of the U.S. technology industry, John Chambers, the CEO of networking giant Cisco Systems, has asked President Obama to intervene to curtail the surveillance activities of the National Security Agency.

In a letter dated May 15 (obtained by Re/code and reprinted in full below), Chambers asked Obama to create “new standards of conduct” regarding how the NSA carries out its spying operations around the world. The letter was first reported by The Financial Times.

Chambers goes even further than Cisco’s counsel, decrying the NSA’s tactics and the damage they’re doing to his company’s reputation.

“We simply cannot operate this way; our customers trust us to be able to deliver to their doorsteps products that meet the highest standards of integrity and security,” Chambers wrote. “We understand the real and significant threats that exist in this world, but we must also respect the industry’s relationship of trust with our customers.”

The NSA’s self-destructive “no one can touch us” attitude is finally beginning to hurt it — and everyone it affects. This revelation will chase customers — including potential targets — to companies they believe are out of the agency’s reach. American companies will be able to offer no assurances that their products have not been intercepted or sabotaged. The entire situation is beyond their control, but they’ll be the ones ultimately paying the price for the NSA’s overreach.



Companies: cisco


Comments on “Cisco Goes Straight To The President To Complain About The NSA Intercepting Its Hardware”

100 Comments
Anonymous Coward says:

Re: Re: Re:2 Re:

My bigger point is if the threat is the NSA diverting a shipment and tampering with it, which they are already doing, fancy hologram stickers and packing tape, even perfectly new counterfeit packaging, are probably within the NSA budget. The amount of money you would need to invest in a GPS tracking system that could not easily be subverted by the NSA not likely possible so probably not going to be invested in. Even if you get the absolute best un-beatable, the right NSA agent in a UPS uniform can pop the chip in and pack the box back up in the back of the truck while it drives along its expected route 😉

John Fenderson (profile) says:

Re: Re: Re:3 Re:

At least it would make the interdiction more difficult to pull off. That’s something, and is better than the absolutely nothing we’ll otherwise get.

“The amount of money you would need to invest in a GPS tracking system that could not easily be subverted by the NSA not likely possible so probably not going to be invested in.”

Such a system would not need to be prohibitively expensive, although it might double the cost of shipping, depending. However, that cost might be less than the loss of business will cost them.

Anonymous Coward says:

Re: Re: Re:2 Re:

The best idea I have seen is to overpaint fasteners with glittery nail varnish and photograph them. Then get the other end to photograph them, and send them to you by secure means so that you can check that the same patterns exist over the fasteners. Cheap, and creates a unique pattern every time over every fastener.

John Fenderson (profile) says:

Re: Re: Perfect for KoolAid

It occurs to me that a common practice amongst the really paranoid (like me) of putting a permanent sniffer & tripwire system into your network should become standard practice all around.

You may not be able to tell if a given piece of hardware is compromised, but those beacons don’t work by magic — they have to communicate to pose any threat. A permanent sniffer would be able to stop that communication and raise an alarm.
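The tripwire idea in the comment above, sketched as an added example (not from the thread or from any commenter): it flags flows that a network device itself initiates to destinations outside a short allowlist. The management subnet, the allowlist entries and the flow records are all constructed assumptions.

```python
import csv
import io
import ipaddress

# Assumption: router/switch management addresses live in this subnet.
DEVICE_NET = ipaddress.ip_network("10.0.255.0/24")

# Assumption: the only (destination, protocol, port) tuples a network device
# is ever expected to initiate traffic to.
ALLOWED = [
    (ipaddress.ip_network("10.0.10.5/32"), "udp", 123),  # NTP server
    (ipaddress.ip_network("10.0.10.6/32"), "udp", 514),  # syslog collector
    (ipaddress.ip_network("10.0.10.7/32"), "tcp", 49),   # TACACS+ server
]

# Constructed sample flow records: timestamp,src,dst,proto,dst_port,bytes
SAMPLE_FLOWS = """\
2014-05-19T10:00:01Z,10.0.255.1,10.0.10.5,udp,123,76
2014-05-19T10:00:02Z,10.0.255.1,10.0.10.6,udp,514,240
2014-05-19T10:00:03Z,10.0.20.14,198.51.100.20,tcp,443,5120
2014-05-19T10:05:00Z,10.0.255.2,203.0.113.77,tcp,443,412
2014-05-19T10:35:00Z,10.0.255.2,203.0.113.77,tcp,443,398
2014-05-19T10:40:10Z,10.0.255.3,192.0.2.53,udp,53,120
this line is malformed and must be skipped
"""


def is_allowed(dst, proto, port):
    """True if a device-initiated flow matches an allowlist entry."""
    return any(dst in net and proto == p and port == allowed_port
               for net, p, allowed_port in ALLOWED)


def find_unexpected_egress(flow_text):
    """Group device-sourced flows that match no allowlist entry.

    Returns {(src, dst, proto, port): {"flows", "bytes", "first", "last"}}.
    """
    alerts = {}
    for row in csv.reader(io.StringIO(flow_text)):
        if len(row) != 6:
            continue  # malformed record
        ts, src, dst, proto, port, nbytes = (f.strip() for f in row)
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port, nbytes = int(port), int(nbytes)
        except ValueError:
            continue  # unparsable address or number
        proto = proto.lower()
        if src_ip not in DEVICE_NET or is_allowed(dst_ip, proto, port):
            continue  # not a network device, or expected traffic
        key = (src, dst, proto, port)
        entry = alerts.setdefault(
            key, {"flows": 0, "bytes": 0, "first": ts, "last": ts})
        entry["flows"] += 1
        entry["bytes"] += nbytes
        entry["last"] = ts
    return alerts


if __name__ == "__main__":
    for (src, dst, proto, port), e in find_unexpected_egress(SAMPLE_FLOWS).items():
        print(f"ALERT {src} -> {dst} {proto}/{port}: {e['flows']} flows, "
              f"{e['bytes']} bytes, {e['first']} .. {e['last']}")
```

A check like this only sees traffic that crosses the monitored link, so anything carried inside an allowlisted channel or over a path that bypasses the tap produces no alert.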

Anonymous Coward says:

Re: Re: Re:3 Perfect for KoolAid

That works for small networks but I don’t get the feeling that small networks on the endpoints is where the majority of this is happening. Cisco makes a very wide variety of products for all levels of the networking infrastructure. Given the size of the box that they are opening, this is likely a rather large piece of hardware designed to be installed at a much bigger choke point and handle a much larger amount of traffic. Using an old PC with a custom configured Linux box to analyze traffic likely wouldn’t be a viable option. However, setting up a test environment to run an analysis on new equipment before final deployment might be a viable strategy.

Anonymous Coward says:

Re: Re: Re:5 Perfect for KoolAid

Really it depends on the traffic. I was running Suricata on my lab with 10Gbps links mirrored on the WAN side. Switch used if interested: MT CRS. Dual Xeon 5400s were working fine, but I wasn’t pushing much traffic. I would expect that you would probably need several servers in any large network, and need to dig down to the access layer as much as possible. Lab is a basic IaaS with about 10 virtual networks currently running, so I guess like 10 SMBs.

Anonymous Coward says:

Re: Re: Re: Perfect for KoolAid

if you feel the need to verify, that demonstrates that you don’t trust.

That’s not true in a security sense. In the security world, trust is used to designate those things that can harm you – if you don’t trust something, you don’t interact with it, so it’s not relevant.

That is, it’s a perfectly valid idea to verify trust… depending on your level of trust you may want to do it more or less often.

The Wanderer (profile) says:

Re: Re: Re:2 Perfect for KoolAid

So they’re redefining “trust” from its commonly understood meaning, along with (and quite possibly predating) the other redefinitions we’ve seen, and who knows what others?

It may make sense in-industry and as jargon, but it’s not going to be understood that way by people not familiar with the industry enough to know the jargon, and I do find it rather questionable whether Reagan would have been using the term in that sense to begin with.

(I do acknowledge that there can be valid use for “trust the person you’re talking to, but verify that that person is the person you think you’re talking to”, and the like, but in that case what you’re trusting and what you’re verifying are different things.)

Anonymous Coward says:

Let’s face it in the long term, Cisco should move manufacturing overseas for their clients requesting equipment from the EU, Asia, et al. It will mean loss of US jobs, but that’s going to happen anyways with demand dwindling due to lack of trust.
Short term, offer existing customers a SmartNet replacement and for larger government/commercial organizations offer a consultation service to ensure that none of the equipment has been tampered with.

TheResidentSkeptic says:

I see Collateral Damage

1) Every company outside the US demands return/refund. Buys Huawei to replace all cisco gear.
2) Cisco loses 100% of its non-US market
3) 60,000 employees out of a job
4) taxpayers foot the bill as Cisco sues the gov’t
5) The USTR drops all “US Exports of Technology” from their negotiations – ’cause there won’t be any.

And exactly how many REAL threats were thwarted by this?

Applesauce says:

Winning a war

The US won WW II and won the Cold War. The US did not win thru superior intelligence or even military might (Tho both helped).

The reason the US won was because they had the strongest economy. In the Cold War the USSR couldn’t even feed itself, while the USA was feeding a good portion of the whole world.

Economies, not arms, win wars. The NSA is doing serious damage to the US economy and deluding itself (and its thoughtless apologists) into thinking they are winning.

Short-sighted stupidity in the extreme.

Barrack H. Obama says:

Re: Your recent letter.

Mr. John Chambers,

I have recently received a letter in which you expressed concern about how my people have been treating your customers’ recent purchase. After much consideration, and serious contemplation, about your complaint I have finally decided in what way to respond;

Go Fuck Yourself!

Why? Because , Bitches! You can’t do shit about it!

Anonymous Coward says:

Obama has long ago laid out his cares, not by what he says but by what he does. Every time something comes up that the NSA deals with, it has his approval or his reaching out to the public saying we need this. When the public says no, everyone in Washington seems to be deaf on hearing.

Obama is the one using the Espionage Act to prosecute whistle blowers to prevent leaks as retaliation.

He will not be interested in hearing Cisco’s moans and groans until it costs his party financial funding and influence. If Cisco wants a cure, it best get on with the moving out of country. Nothing short of that is going to stop this until the entire economy is up in arms over this.

Karl Bode (profile) says:

Showtime

Do we really know Cisco didn’t know about the “interception” of this gear? Isn’t it possible this is just a big show of faux shock? I simply don’t buy the NSA indignation and surprise from some of these companies post Snowden (Microsoft also comes to mind).

After all, Cisco is a big player behind the pushes to accuse Huawei of spying:

http://www.washingtonpost.com/business/technology/huaweis-us-competitors-among-those-pushing-for-scrutiny-of-chinese-tech-firm/2012/10/10/b84d8d16-1256-11e2-a16b-2c110031514a_story.html

That kind of protectionism goes hand in hand with doing what government wants.

John Fenderson (profile) says:

Re: Re: Showtime

You say that as if it were a known fact, when it’s far from it. The government hasn’t produced any evidence that this is true, and independent researchers can’t find any. So this is a case of the US government making completely unsupported accusations and asking us to take their word for it.

On the other hand, we know for a fact that the government has subverted at least some Cisco equipment.

wiserabbit says:

So No Place to Hide was released on 5/13. Various technology publications have been reporting specifically on the Cisco issue for over 12 hours.

Forbes just released (4 hours ago) a post about Cisco with hits on “product transitions” (no, I don’t think they were joking) and “uncertain environments” (also I’m not thinking they realize the funny/sad) with no mention of the “hey, your products just got outed as being hijacked by the NSA”.

…this is kind of important if you own Cisco stock, no?

aldestrawk says:

unscrambling image

I remember that a similar, photoshopped, image was unscrambled by U.S. law enforcement. That person was identified from the picture and arrested. It should be relatively easy to reverse the smearing of the face of the man on the right. Who applied the smearing? Glenn Greenwald, the publisher, or some NSA hack?

Anonymous Coward says:

Re: Tamper proof seals mean nothing

Here’s the easiest way to stop that. Simply set up a foreign distribution point where nothing is shipped directly to a foreign customer directly from a US distribution center. All shipments go to the foreign distribution center BEFORE they are addressed to the final customer. The US government will then have no way of knowing what specific equipment will be going where while it is on US soil as it won’t be addressed with its final destination until it is out of their reach.

Anonymous Coward says:

Re: Re: Tamper proof seals mean nothing

In fact, there is an opportunity here for an enterprising shipping service to emerge offering secure passage across borders by simply labeling packages with an internal tracking number and an address of a remote distribution center such that its final destination is not known at the point it passes through customs. All customs would be aware of is the address of the shipping service’s foreign distribution center. Where it was going after that they would not be able to tell.

Anonymous Coward says:

Re: Re: Re: Tamper proof seals mean nothing

I think you misunderstand what I am suggesting. I am suggesting that in order to counter this and restore faith in their brand in foreign markets, Cisco makes a business decision to open distribution centers in all major locations and ceases to ship ANY product directly from the US to a foreign address. Instead ALL products bound for Asian customers would be instead shipped to their Asian distribution center. Employees in the US wouldn’t even know who the final customer is or what the actual address is where it is ultimately destined much less US Customs. Once a shipment reaches the Asia distribution center the employees there would fill the order and address it to the purchaser.

As I stated when the original story broke, this sort of technique by its very nature isn’t scalable and only works on a targeted basis. If all foreign shipments no longer have addresses identifying who should receive it, it makes it much harder to compromise it once it is outside of the point where they can assert their control.

Michael (profile) says:

Re: Re: Re:2 Tamper proof seals mean nothing

Instead ALL products bound for Asian customers would be instead shipped to their Asian distribution center. Employees in the US wouldn’t even know who the final customer is or what the actual address is where it is ultimately destined much less US Customs. Once a shipment reaches the Asia distribution center the NSA agents there would fill the order and address it to the purchaser

…all fixed.

Anonymous Coward says:

Re: Re: Re:3 Tamper proof seals mean nothing

How exactly? Unless Cisco is implicitly working with the NSA to compromise their products before they are delivered to foreign customers, in which case, interception would not be necessary as the compromise can be inserted before it is even packaged at the factory.

antymat says:

Re: Re: Re:4 Tamper proof seals mean nothing

Interception would be needed even if Cisco worked with NSA. First, because NSA would like to keep it secret as they already have some problems with their own employees sharing too much. So they would like to keep the number of informed people low and it’s much easier to have one mole tipping you off, than to hide whole NSA-cooperation department somewhere down your production line.
And second – so that Cisco would be able to plausibly deny any involvement.

Anonymous Coward says:

Re: Re: Re:5 Tamper proof seals mean nothing

Still my suggestion isn’t necessarily just about Cisco, but rather any large US company with a global presence that is worried about their reputation and wants to head off any attempts by the NSA to compromise their products by intercepting them prior to export to a foreign customer.

I disagree though about the need for actual interception in the case of cooperation. The compromise doesn’t have to occur on the production line. There could simply be a small number of units that are kept separate which are altered by a small team that is officially labeled as a “quality control” or “R & D” team and when requested, they package up one of their units to be shipped out instead of one of the ones from the normal stock.

As for the argument about plausible deniability, this is the NSA we are talking about here. Their hubris is legendary. They never believe any of their secrets are going to get out. This is one of the reasons they are so bad at dealing with the fallout when they do. To assume the plausible deniability idea theory you would have to assume that the NSA assumed that the public was going to find out about it and wanted to put a cover in place to protect Cisco when that happened. I think that would be giving a little too much credit in the forethought department to a group that has repeatedly demonstrated that they are far more reactionary than they are proactive.

antymat says:

Re: Re: Re:6 Tamper proof seals mean nothing

All I am trying to say is that there are sensible reasons for the cooperation to be kept secret, for Cisco’s sake. Interception limits the sources of disclosure and makes plausible deniability possible. I would not expect such an idea to come from NSA, as they do not have to care for Cisco’s business; but it looks sensible to me for Cisco to employ it to protect itself. In case of forced cooperation this is what I would do.

Anonymous Coward says:

Re: Re: Re:4 Tamper proof seals mean nothing

“How exactly? Unless Cisco is implicitly working with the NSA”

What makes you think they aren’t?

“in which case, interception would not be necessary as the compromise can be inserted before it is even packaged at the factory.”

By letting the NSA do it off-premises, plausible deniability becomes much easier. It worked on you. See?

Anonymous Coward says:

Re: Re: Re:5 Tamper proof seals mean nothing

I didn’t say that they weren’t. That is certainly a possibility. However, if they were it would seem much harder for it to be detected if it wasn’t intercepted, broken into, altered and then repackaged carefully in an attempt to make it appear unaltered. The concept of it purposely being done this way for plausible deniability reminds me of a joke a friend used to make about people who drive Volvos because of their crash safety record. He would say you need to stay away from those people because the only reason anyone would drive one of them is that they were looking to get into a crash.

Anonymous Coward says:

How will anyone believe in reforms?

Since we have had nothing but lies, denials, cover-ups, excuses and so-on from the NSA, Congress and the White House; how will anyone ever believe in reforms? Unless we have another leaker (assuming the leaks are real) show documents that prove reforms are in place, who would believe the government? They lie at every turn; especially the current administration.

Anonymous Coward says:

I tried to post this response on Cisco’s website.

“No politicians, governmental agencies, or laws can be relied on to protect security or privacy. Only technology that’s able to be audited for vulnerabilities and backdoors can accomplish this goal.

That means being able to examine and compile the source code, then reflash the resulting binary code onto NAND memory.

Hardware documentation and schematics would also be a big help for auditing the security of a device. Seeing as none of this will probably happen, potential customers will have no choice but to blindly trust the manufacturer and the shipping process.

Unless Cisco figures out a way for customers to audit the binaries on flash NAND memory using hashes, but then again if the hardware is compromised then it could output falsified hash values to the customer. Similar to what happened in Iran, and the falsified PLC diagnostic equipment outputs during Stuxnet.

No, I suppose open source software and documented hardware is the only way to be secure. I suspect it’s always been this way, but has just become more apparent post Snowden.”

Abroad says:

Only way to have government really listen

The only, surefire way to get governments to listen to your complaints is to threaten (and possibly implement) moving your entire company to other countries with lesser invasive-spying intelligence services.
Yes, this means lay-offs to some extent, but perhaps employees are willing to move with the company. But having more and more companies moving out of United Spies of America will eventually get the government to pay attention.
And to be honest, life abroad can be pretty sweet too 🙂

