Comment on Der Spiegel articles about NSA TAO Organization (UPDATE 2)
UPDATE 2: On Monday, December 30th, Der Spiegel magazine published additional information about the techniques allegedly used by NSA TAO to infiltrate the technologies of numerous IT companies. As a result of this new information coming to light, the Cisco Product Security Incident Response Team (PSIRT) has opened an investigation. Customers can stay informed of the progress of this investigation via the previously posted Cisco Security Response.
December 29th – An article was published in Der Spiegel today about the alleged capabilities of the United States National Security Agency (NSA) Tailored Access Operations (TAO) organization. The article says that TAO “exploits the technical weaknesses” of Information Technology products from numerous companies, and mentions Cisco.
We are deeply concerned with anything that may impact the integrity of our products or our customers’ networks and continue to seek additional information.
We are committed to avoiding security issues in our products, and handling issues professionally when they arise. Our Trustworthy Systems initiatives, Cisco Secure Development Lifecycle, Cisco Common Crypto models, and Product Security Incident Response Team (PSIRT) and Vulnerability Disclosure policies are all industry-leading examples of our commitment to our customers. This is central to how we earn and maintain trust.
At this time, we do not know of any new product vulnerabilities, and will continue to pursue all avenues to determine if we need to address any new issues. If we learn of a security weakness in any of our products, we will immediately address it.
As we have stated prior, and communicated to Der Spiegel, we do not work with any government to weaken our products for exploitation, nor to implement any so-called security ‘back doors’ in our products.
UPDATE 1: Customers seeking additional information may refer to the Cisco Security Response.
Cisco Trustworthy Systems: http://www.cisco.com/web/solutions/trends/trustworthy_systems/index.html
Cisco Secure Development Lifecycle: http://www.cisco.com/web/about/security/cspo/csdl/index.html
Cisco Security Advisories, Responses and Notices:http://www.cisco.com/en/US/products/products_security_advisories_listing.html
Cisco Security Vulnerability Policy:http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Cisco Blogs on Security and Cryptography http://blogs.cisco.com/tag/crypto/