Today’s security challenges are real and significant. We want governments to detect and disrupt terrorist networks before they inflict harm on our society, our citizens, and our systems of government. We also want to live in countries that respect their citizens’ basic human rights. The tension between security and freedom has become one the most pressing issues of our day. Societies wracked by terror cannot be truly free, but an overreaching government can also undermine freedom.
It is in this context that I want to offer some thoughts on actions by the US Government that in Cisco’s eyes have overreached, undermining the goals of free communication, and steps that can be taken to right that balance, and I do so on behalf of all of Cisco’s leadership team.
Confidence in the open, global Internet has brought enormous economic benefits to the United States and to billions around the world. This confidence has been eroded by revelations of government surveillance, by efforts of the US government to force US companies to provide access to communications of non-US citizens even when that violates the privacy laws of countries where US companies do business, and allegations that governments exploit rather than report security vulnerabilities in products.
As a matter of policy and practice, Cisco does not work with any government, including the United States Government, to weaken our products. When we learn of a security vulnerability, we respond by validating it, informing our customers, and fixing it. We react the same when we find that a customer’s security has been impacted by external forces, regardless of what country or form of government or how that security breach occurred. We offer customers robust tools to defend their environments against attack, and detect attacks when they are happening. By doing these things, we have built and maintained our customers’ trust. We expect our government to value and respect this trust.
Read More »
Tags: global, internet, NSA, security
UPDATE 2: On Monday, December 30th, Der Spiegel magazine published additional information about the techniques allegedly used by NSA TAO to infiltrate the technologies of numerous IT companies. As a result of this new information coming to light, the Cisco Product Security Incident Response Team (PSIRT) has opened an investigation. Customers can stay informed of the progress of this investigation via the previously posted Cisco Security Response.
December 29th -- An article was published in Der Spiegel today about the alleged capabilities of the United States National Security Agency (NSA) Tailored Access Operations (TAO) organization. The article says that TAO “exploits the technical weaknesses” of Information Technology products from numerous companies, and mentions Cisco.
We are deeply concerned with anything that may impact the integrity of our products or our customers’ networks and continue to seek additional information.
We are committed to avoiding security issues in our products, and handling issues professionally when they arise. Our Trustworthy Systems initiatives, Cisco Secure Development Lifecycle, Cisco Common Crypto models, and Product Security Incident Response Team (PSIRT) and Vulnerability Disclosure policies are all industry-leading examples of our commitment to our customers. This is central to how we earn and maintain trust.
At this time, we do not know of any new product vulnerabilities, and will continue to pursue all avenues to determine if we need to address any new issues. If we learn of a security weakness in any of our products, we will immediately address it.
As we have stated prior, and communicated to Der Spiegel, we do not work with any government to weaken our products for exploitation, nor to implement any so-called security ‘back doors’ in our products.
UPDATE 1: Customers seeking additional information may refer to the Cisco Security Response.
Cisco Trustworthy Systems: http://www.cisco.com/web/solutions/trends/trustworthy_systems/index.html
Cisco Secure Development Lifecycle: http://www.cisco.com/web/about/security/cspo/csdl/index.html
Cisco Security Advisories, Responses and Notices:http://www.cisco.com/en/US/products/products_security_advisories_listing.html
Cisco Security Vulnerability Policy:http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Cisco Blogs on Security and Cryptography http://blogs.cisco.com/tag/crypto/
Tags: Cisco, NSA, Spiegel, TAO