If the US government tapped Cisco routers, will your tech company be next?

Cisco NSA surveillance
Cisco CEO, John Chambers

When former National Security Agency (NSA) contractor Edward Snowden met with journalist Glenn Greenwald in Hong Kong, he arguably changed the face of US intelligence forever. After the release of Greenwald's book No Place to Hide in May, even more was learned about the NSA's alleged controversial actions.

Among the revelations in Greenwald's bestseller: A photograph showing a team of NSA employees intercepting and bugging a Cisco Systems router prior to it being sent to a customer who had been targeted for government surveillance. This photo originated from an internal NSA newsletter, which also includes the chief of the NSA's Access and Target Development Department explaining a "routine process" of intercepting routers, servers and additional hardware to install "beacon implants."

According to the June 2010 newsletter:

Shipments of computer network devices (servers, routers, etc.) being delivered to our targets throughout the world are intercepted. Next, they are redirected to a secret location where Tailored Access Operations (TAO)/Access Operations employees, with the support of the Remote Operations Center, enable the installation of beacon implants directly into our targets' electronic devices. These devices are then re-packaged and placed back into transit to the original destination. All of this happens with the support of Intelligence Community partners and the technical wizards in TAO.

Let the controversy begin.

Cisco's response

Cisco's SVP of General Counsel and Security Mark Chandler recently published an official response on the company's website claiming that Cisco "does not work with any government, including the United States government to weaken our products."

"There were allegations in Greenwald's book that the NSA intercepts and tampers with routers and servers manufactured by Cisco," says Nigel Glennie, Senior Manager of Corporate Communications at Cisco. "While the book had a photo that included a box with a Cisco logo, it didn't provide any information about specific Cisco products, possible NSA techniques, or product security vulnerabilities. If this indeed occurred, it happened without Cisco's knowledge or permission."

Despite questioning the legitimacy of the allegations, Cisco's chairman and CEO John Chambers wrote a letter to President Obama on behalf of the company asking for his intervention so that US technology sales were not negatively impacted by a loss in consumer trust.

Chambers' letter states:

We simply cannot operate this way, our customers trust us to be able to deliver to their doorsteps products that meet the highest standards of integrity and security. We understand the real and significant threats that exist in this world, but we must also respect the industry's relationship of trust with our customers … We are concerned that our country's global technological leadership will be impaired. Moreover, the result could be a fragmented Internet, where the promise of the next Internet is never fully realized.

The long-term effects on the tech industry

For a multinational company that strives to design and manufacture secure and stable networking equipment, these allegations could have detrimental consequences.

"If the leaked documents are to be believed, then the claims are probably pretty legitimate," says John Kindervag, Vice President and Principal Analyst at Forrester Research. "I suspect that most professionals inside the security industry take these documents at face value and do believe that the TAO program did compromise some technology, with or without the tacit approval of vendors."

"Since Cisco's CEO sent a letter to the president, I would assume these claims about equipment interception are true," says Ibrahim Baggili, Director of the University of New Haven's Cyber Forensics Research and Education group and Editor-in-Chief of the Journal of Digital Forensics Security and Law. "The purpose of such actions by the NSA could be to collect information, or to perform targeted collection of data and network traffic from organizations or individuals."

Although the claims are specific to Cisco, Kindervag believes the ramifications of the allegations will eventually apply to almost every technology vendor. "The idea that a company can do no evil is gone," he explains. "These programs and their revelations have been and will continue to be very harmful to the technology community overall."