What we have become

The headline says it all: “Cisco posts kit to empty houses to dodge NSA chop shops: Kit sent to SmallCo of Nowheresville to avoid NSA interception profiles.” If only this were a joke. But it’s not.

Cisco will ship boxes to vacant addresses in a bid to foil the NSA, security chief John Stewart says.

The dead drop shipments help to foil a Snowden-revealed operation whereby the NSA would intercept networking kit and install backdoors before boxen reached customers.

This is a predictable reaction from Cisco, which, like a lot of U.S. tech vendors, is under increased pressure from overseas customers to ensure its products are not trojan horses on their networks. When Cisco’s John Chambers wrote to the U.S. President in May that the NSA’s campaign to hijack its shipments would “undermine confidence in our industry and in the ability of technology companies to deliver products globally”, he knew whereof he wrote.

What should be of greater concern to all those involved, whether vendors, customers or governments, is just what is causing businesses to be so concerned with government efforts to inject themselves into private data centers. The answer may not be as obvious as what vendors like Cisco need to do in response. I think the reasons break down into two broad categories, neither of which should be satisfied by the “if you have nothing to hide” test that politicians and government bureaucrats have offered.

First, software and hardware agents open a back door that can be used not just by intelligence agencies, but also potentially by freelance criminal hackers and contractors for business competitors. Espionage is not just a game for nation states. Many businesses actively engage in efforts to ferret out the secrets of others. It is the proverbial broken lock in a back door that’s been left swinging in the wind by a departed burglar.

Second, the vast amounts of information being aggregated by these agencies and their partners (mostly telecommunications companies that are now being required to retain data well after they’d have purged it in the normal course of business) themselves become targets, not only of hacking but of good old-fashioned theft by unethical actors who may even legally be on their premises and have access to that data.

As I’ve pointed out before, Edward Snowden was able to make off with a metric ton of highly classified intelligence without raising an alarm. If he had been a corrupt contractor on the take who had turned over what he took to a shady third party, no one would have been the wiser (this is the real reason that the then-Director of NSA should have been fired and denied his pension). Imagine yourself as the CEO of a tech company sitting on billions of dollars’ worth of trade secrets who finds out all your engineering diagrams and test results are sitting on a hard drive somewhere outside Washington, D.C. (or Salt Lake City). What does your next 10-K statement of risks look like?

So I applaud Cisco for taking these kinds of steps to prevent the complete implosion of its business. Maybe if we reach some sort of critical mass of awareness on the subject there may even be calls for meaningful reform — by which I mean the eradication of Soviet-style surveillance of… everything.

About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).