Cisco’s General Counsel Mark Chandler on May 13 reacted strongly to further news of NSA exploiting Cisco gear, sparked in part by the publication of Glenn Greenwald’s book on Snowden and the leaked documents.
Chandler protested that the US government is causing damage to the tech industry. Along with the publishing of No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State, Greenwald posted supporting documents that had not been previously disclosed.
One of the new documents (p. 149 of No Place to Hide) depicted the interdiction lab at the NSA’s Tailored Access Operations (TAO) with three operatives, faces averted, unpacking a box with conspicuous Cisco branding on the side.
The bellicose document goes on:
“Such operations involving supply-chain interdiction are some of the most productive operations of TAO, because they pre-position access points into hard target networks around the world.”
In his reaction to these documents Chandler speaks strongly:
“The tension between security and freedom has become one the most pressing issues of our day. Societies wracked by terror cannot be truly free, but an overreaching government can also undermine freedom.”
And then he goes on to claim:
“When we learn of a security vulnerability, we respond by validating it, informing our customers, and fixing it. We react the same when we find that a customer’s security has been impacted by external forces, regardless of what country or form of government or how that security breach occurred.”
John Chambers, CEO of Cisco, has lodged a formal protest with President Obama over the NSA’s interdiction and compromising of US tech gear. His letter, published by re/code, repeats Mr. Chandler’s claim:
“…when we learn of a security vulnerability, we respond by validating it, informing our customers, and fixing it as soon as possible.”
Both the General Counsel’s statement and the CEO’s letter to the President make valid points. But where are the responses that are within Cisco’s power and fulfill the statements above? For that matter, Dell, HP, Juniper, and several hard drive manufacturers have also been implicated in the TAO ANT Catalog published by Der Spiegel last December.
On December 29, 2013 these vendors did indeed learn of vulnerabilities in their products; vulnerabilities that the NSA claims cannot be removed even with a complete wiping and updating of firmware.
What has been done to “validate” the existence of the code named malware such as BANANAGLEE in Cisco PIX and Juniper firewalls? Or ZESTYLEEK, malware crafted by the NSA’s Cryptanalysis and Exploitation Services (CES) for Juniper?
Has there been any communication between these compromised vendors and their customers? Were any procedures recommended for determining if their gear had NSA backdoors? Have any such infected devices been located?
From the pictures, the TAO interdiction lab is not set up for large scale operations, so it may be difficult and up to customers to identify compromised machines. Greenwald provides a document that may lend a clue to finding them (p. 145 of No Place to Hide).
In the document titled CLOSE ACCESS SIGADS, 10 Sep 2010, the HIGHLANDS mission is identified as “Collection from implants.” Implant is the NSA’s term for backdoors. The embassies of Brazil in Washington D.C. and New York City are identified with the HIGHLANDS mission as are those of EU/UN, France, Greece, India, and Japan. It is highly likely that these embassies are customers of either Cisco or Juniper, or Dell or HP.
What have these vendors done to fix the problem, as John Chambers claims are the normal practice?
Strongly worded protests can put elected officials on notice, especially coming from those with successful lobbying teams. But words of protest fall short of allaying distrust of customers worldwide. Actions are needed to back those words.
The full scope of the NSA’s activities can be terrifying to contemplate for a technology vendor, but a technological response is possible. It will be important for the entrenched vendors to act before smaller or foreign vendors take the lead in producing surveillance-proofed solutions.
Pressure from the big vendors with a voice in D.C. can be applied to limit the surveillance state from continuing to spend taxpayer dollars to counter the defenses devised to protect privacy and security. But action must be taken immediately to reassure customers.