Monday 30 June 2014

If the US government tapped Cisco routers, will your tech company be next?

Did the government tap Cisco routers?


When former National Security Agency (NSA) contractor Edward Snowden met with journalist Glenn Greenwald in Hong Kong, he arguably changed the face of US intelligence forever. After the release of Greenwald's book No Place to Hide in May, even more was learned about the NSA's alleged controversial actions.


Among the revelations in Greenwald's bestseller: A photograph showing a team of NSA employees intercepting and bugging a Cisco Systems router prior to it being sent to a customer who had been targeted for government surveillance. This photo originated from an internal NSA newsletter, which also includes the chief of the NSA's Access and Target Development Department explaining a "routine process" of intercepting routers, servers and additional hardware to install "beacon implants."


According to the June 2010 newsletter:


Shipments of computer network devices (servers, routers, etc.) being delivered to our targets throughout the world are intercepted. Next, they are redirected to a secret location where Tailored Access Operations (TAO)/Access Operations employees, with the support of the Remote Operations Center, enable the installation of beacon implants directly into our targets' electronic devices. These devices are then re-packaged and placed back into transit to the original destination. All of this happens with the support of Intelligence Community partners and the technical wizards in TAO.


Let the controversy begin.


Cisco's response


Cisco's SVP of General Counsel and Security Mark Chandler recently published an official response on the company's website claiming that Cisco "does not work with any government, including the United States government to weaken our products."


"There were allegations in Greenwald's book that the NSA intercepts and tampers with routers and servers manufactured by Cisco," says Nigel Glennie, Senior Manager of Corporate Communications at Cisco. "While the book had a photo that included a box with a Cisco logo, it didn't provide any information about specific Cisco products, possible NSA techniques, or product security vulnerabilities. If this indeed occurred, it happened without Cisco's knowledge or permission."


Despite questioning the legitimacy of the allegations, Cisco's chairman and CEO John Chambers wrote a letter to President Obama on behalf of the company asking for his intervention so that US technology sales were not negatively impacted by a loss in consumer trust.


Chambers' letter states:


We simply cannot operate this way, our customers trust us to be able to deliver to their doorsteps products that meet the highest standards of integrity and security. We understand the real and significant threats that exist in this world, but we must also respect the industry's relationship of trust with our customers … We are concerned that our country's global technological leadership will be impaired. Moreover, the result could be a fragmented Internet, where the promise of the next Internet is never fully realized.


The long-term effects on the tech industry


For a multinational company that strives to design and manufacture secure and stable networking equipment, these allegations could have detrimental consequences.


"If the leaked documents are to be believed, then the claims are probably pretty legitimate," says John Kindervag, Vice President and Principal Analyst at Forrester Research. "I suspect that most professionals inside the security industry take these documents at face value and do believe that the TAO program did compromise some technology, with or without the tacit approval of vendors."


"Since Cisco's CEO sent a letter to the president, I would assume these claims about equipment interception are true," says Ibrahim Baggili, Director of the University of New Haven's Cyber Forensics Research and Education group and Editor-in-Chief of the Journal of Digital Forensics Security and Law. "The purpose of such actions by the NSA could be to collect information, or to perform targeted collection of data and network traffic from organizations or individuals."


Although the claims are specific to Cisco, Kindervag believes the ramifications of the allegations will eventually apply to almost every technology vendor. "The idea that a company can do no evil is gone," he explains. "These programs and their revelations have been and will continue to be very harmful to the technology community overall."


Fighting back...or giving in?


Eight vendors out


In fact, last December eight technology vendors, including AOL, Apple, Dropbox, Facebook, Google, LinkedIn, Microsoft, Twitter and Yahoo, united to draft and send a letter to the president and members of Congress expressing that the US government's surveillance efforts were harmful. They urged the US to establish reforms to ensure government surveillance is "clearly restricted by law, proportionate to the risks, transparent and subject to independent oversight."


Despite concerns, U.S. intelligence officials continue to defend surveillance procedures and claim all practices are focused on gathering intelligence against legitimate foreign threats.


Surveillance as the new normal


As Greenwald's book continues to grow in popularity in the US and abroad, consumers cannot deny that surveillance is a widespread phenomenon.


"There was a sort of inevitability to this," says Kindervag. "It's only natural that the NSA was going to push the boundaries of acceptable behavior until they got disciplined. The digital world in general and the Internet specifically are very young in the scope of world history. We have not yet found the equilibrium between national security and privacy in the digital age."


In addition, the government's actions can be argued to be lawful. According to the Foreign Intelligence Act of 1978 (FISA), physical and electronic surveillance and collection of foreign intelligence information between foreign powers and agents of foreign power, including American citizens or permanent residents suspected of espionage or terrorism, within the US is permitted.


FISA has undergone several amendments over the past several decades, most notably with foreign intelligence in 2008 when the director of national intelligence and the attorney general were authorized to jointly conduct warrantless electronic surveillance of foreigners abroad.


The timeless conundrum


Of course, striking a balance between privacy and data collection on behalf of national security remains a controversial issue in the US. Many worry that government surveillance will become commonplace and be used against them; however, national security is ubiquitously a high priority. The solution? For Baggili, who has devoted his academic and professional career to studying cyber security and the law, the answer will stem from conducting more research.


"As we continue to enter the age of big data, the situation will only worsen," he says. "These challenges need some serious multidisciplinary research in order to understand both the technical component, and the human and psychological components in both organizations and individuals."


Or, perhaps simply more time needs to pass.


"A century from now, we will look back at the Snowden event and see it as a positive moment in history where balance began to be restored," predicts Kindervag. "There is still too much emotion inherent in the Snowden and NSA debacle right now."


Stay tuned, however: history moves quickly.
















