Today’s security challenges are real and significant. We want governments to detect and disrupt terrorist networks before they inflict harm on our society, our citizens, and our systems of government. We also want to live in countries that respect their citizens’ basic human rights. The tension between security and freedom has become one of the most pressing issues of our day. Societies wracked by terror cannot be truly free, but an overreaching government can also undermine freedom.
It is in this context that I want to offer some thoughts on actions by the US Government that in Cisco’s eyes have overreached, undermining the goals of free communication, and steps that can be taken to right that balance, and I do so on behalf of all of Cisco’s leadership team.
Confidence in the open, global Internet has brought enormous economic benefits to the United States and to billions around the world. This confidence has been eroded by revelations of government surveillance, by efforts of the US government to force US companies to provide access to communications of non-US citizens even when that violates the privacy laws of countries where US companies do business, and allegations that governments exploit rather than report security vulnerabilities in products.
As a matter of policy and practice, Cisco does not work with any government, including the United States Government, to weaken our products. When we learn of a security vulnerability, we respond by validating it, informing our customers, and fixing it. We react the same when we find that a customer’s security has been impacted by external forces, regardless of what country or form of government or how that security breach occurred. We offer customers robust tools to defend their environments against attack, and detect attacks when they are happening. By doing these things, we have built and maintained our customers’ trust. We expect our government to value and respect this trust.
This past December, eight technology companies expressed concern to the President of the United States and Members of Congress that the US government’s surveillance efforts are in fact harmful. They stated, in part, “We urge the US to take the lead and make reforms that ensure that government surveillance efforts are clearly restricted by law, proportionate to the risks, transparent and subject to independent oversight.” We agree and support these positions – without customer confidence in the privacy and security of communications, the extraordinary steps toward freedom, productivity and prosperity that are the promise of the Internet can be lost.
This week a number of media outlets reported another serious allegation: that the National Security Agency took steps to compromise IT products en route to customers, including Cisco products. We comply with US laws, like those of many other countries, which limit exports to certain customers and destinations; we ought to be able to count on the government to then not interfere with the lawful delivery of our products in the form in which we have manufactured them. To do otherwise, and to violate legitimate privacy rights of individuals and institutions around the world, undermines confidence in our industry.
Bob Weber, the General Counsel of IBM, offered some strong basic principles. He blogged in March, in part:
“Governments must act to restore trust”, noting that his company “believes governments should take the following actions:
- Governments should reject short-sighted policies, such as data localization requirements, that do little to improve security but distort markets and lend themselves to protectionist tendencies.
- Governments should not subvert commercial technologies, such as encryption, that are intended to protect business data.
- The U.S. government should have a robust debate on surveillance reforms, including new transparency provisions that would allow the public to better understand the scope of intelligence programs and the data collected.”
(full blog here: http://asmarterplanet.com/blog/2014/03/open-letter-data.html)
We support this approach, and offer the following additional suggestions:
- Governments should have policies requiring that product security vulnerabilities that are detected be reported promptly to manufacturers for remediation, unless a court finds a compelling reason for a temporary delay. By the same token, governments should not block third parties from reporting such vulnerabilities to manufacturers.
- Governments should not interfere with the ability of companies to lawfully deliver internet infrastructure as ordered by their customers.
- Clear standards should be set to protect information outside the United States which belongs to third parties, but is in the custody of subsidiaries of US companies, so that customers world-wide can know the rules that will apply and work with confidence with US suppliers.
The failure to have rules such as these does not enhance national security – that failure will simply cause customers to seek solutions that they perceive – rightly or wrongly – will take them outside the reach of government. Moreover, that failure only strengthens those who oppose a free and open internet, and who are exploiting recent allegations to try to justify changes in internet governance that would tighten state control and limit freedom of expression. A failure to establish a clear and transparent set of rules will produce a fragmented Internet, limiting free speech and global economic growth.
A serious effort to address these issues can build confidence, and most importantly, result in the promise of the next generation of the Internet being met, a world in which the connection of people and devices drives greater freedom, prosperity and opportunity for all the world’s citizens.