Cisco, Dell and others are investigating claims that the NSA compromised their products
Cisco Systems was one of several top-tier tech companies to respond to reports that the National Security Agency had compromised various systems – from network switches to smartphones – to help with its spying activities, promising to investigate the allegations that first arose in a report on 30 December in Germany’s Der Spiegel publication.
The Der Spiegel report said that for years, the NSA’s Tailored Access Operations (TAO) group had taken advantage of security holes in the systems and used backdoors and other techniques to monitor and collect data from a wide range of electronic and computing devices, including iPhones from Apple, networking routers from Cisco, software from Microsoft and hard drives from Western Digital. Other vendors mentioned include Juniper Networks, Samsung, Dell, Seagate and Huawei Technologies.
In the days that followed, officials from many of the companies named in the report publicly came out against any NSA intrusion and denied working with any government agencies in efforts that would compromise the security of their customers’ data. In a post on the company blog site, John Stewart, senior vice president, chief security officer and head of Cisco’s Threat Response, Intelligence and Development organisation, said the company’s Product Security Incident Response Team (PSIRT) was investigating the allegations.
“We are deeply concerned with anything that may impact the integrity of our products or our customers’ networks and continue to seek additional information,” Stewart wrote. “We are committed to avoiding security issues in our products, and handling issues professionally when they arise.”
Cisco officials don’t know of any new vulnerabilities in company products, and will address any issues that arise, he said. “As we have stated prior, and communicated to Der Spiegel, we do not work with any government to weaken our products for exploitation, nor to implement any so-called security ‘back doors’ in our products,” Stewart wrote.
On the company’s Security Response site, Cisco officials said they have requested leaked documents cited in the Der Spiegel report, though they have yet to receive any. In addition, they encourage customers to sign up to receive notifications regarding vulnerabilities in Cisco products.
Other tech vendors came out against the TAO and its programme. In a post on the company blog, John McClurg, vice president and chief security officer for Dell Global Security, said the vendor’s top priority is protecting customer data.
“We take very seriously any issues that may impact the integrity of our products or customer security and privacy,” McClurg wrote. “Dell does not work with any government – United States or otherwise – to compromise our products to make them potentially vulnerable for exploit. This includes ‘software implants’ or so-called ‘backdoors’ for any purpose whatsoever.”
Dell’s statement echoed those of other vendors. Apple officials said in a statement that the company “has never worked with the NSA to create a backdoor in any of our products, including iPhone. Additionally, we have been unaware of this alleged NSA programme targeting our products”. Microsoft officials said that the software giant “does not provide any Government with direct or unfettered access to our customers’ data. We would have significant concerns if the allegations about Government actions are true.”
A spokesman for Huawei, which has found itself under suspicion by US lawmakers for its alleged close ties to the Chinese government, told The Wall Street Journal that the NSA allegations could lead to fractures in the tech industry along geopolitical lines.
“There’s a very real concern for political or geography-based balkanisation, which is in nobody’s best interest,” Bill Plummer, vice president of external affairs for Huawei, told the news site, adding that the company is “conducting audits of its products to determine if any compromise has occurred”.
Chinese tech security threat
US lawmakers said in an October 2012 report that Huawei and fellow Chinese company ZTE represented national security threats because of close ties with the Chinese government, which US officials feared would use Huawei and ZTE equipment to compromise US systems. The US government cautioned telecommunications companies against doing business with the Chinese companies, both of which denied the allegations.
Huawei executives have since said they are no longer trying to sell networking gear into the US market.
Other tech vendors coming out with statements against the NSA programme include Hewlett-Packard and Juniper Networks. Tech companies worry that reports like the ones in Der Spiegel and others stemming from the leaks from Edward Snowden could affect customer trust in their products. Tech officials met with President Obama last month to talk about these issues.
Originally published on eWeek.