On 13 May 2014, a new book about the U.S. National Security Agency (NSA) was released. It includes allegations that the NSA has intercepted and tampered with technology products in transit from U.S. technology providers to customers, potentially including products intended for Cisco customers.
We take these allegations very seriously, and our Chief Executive Officer has communicated directly with leaders in the U.S. government to express our deep concern.
Our commitment to our customers is clear: as a matter of policy and practice, Cisco does not work with any government, including the U.S. government, to weaken or compromise our products. This document has been prepared to help you assess, secure, and manage your network.
We are proud of our global reputation as a trustworthy vendor, and we take industry-leading measures to safeguard the integrity, security, and reliability of our equipment.
Cisco's Trustworthy Systems initiative focuses on four key areas during product development:
It also includes our interlocking practices and procedures to embed physical and logical security throughout our supply chain. At each node of the supply chain, we apply some combination of:
We also validate supplier adherence to our security requirements in multiple ways, including physical audits, information security assessments, and embedding security into supplier ratings. The intended result of this validation process is continuous feedback, remediation, and enhancement.
The Cisco Product Security Incident Response Team (PSIRT) also operates an industry-leading security vulnerability disclosure program, while maintaining strong relationships with our customers, security researchers, and CERT organizations around the world.
Cisco has reviewed the most recent allegations, said to be sourced from a “June 2010 report from the head of the NSA's Access and Target Development department.” This document alleges that the NSA “intercepts and tampers with routers and servers manufactured by Cisco to direct large amounts of Internet traffic back to the NSA's repositories” through the installation of “beacon implants.”
Having reviewed this information, Cisco has concluded:
Based on the generic information published, we recommend that Cisco customers focus on two areas: network infrastructure hardening, and monitoring and analysis of network telemetry.
Network Infrastructure Hardening
Monitoring and Analysis of Network Telemetry
Support for some of these efforts may be available as part of a Cisco Advanced Services contract. You may also consider:
Cisco's Brand Protection program is focused on the protection of your investment in Cisco technology. Learn more about more about avoiding the introduction of counterfeit products and unnecessary risk into your network on the Brand Protection website.
For More Information
If you discover an anomaly or suspicious network activity, we recommend:
All vulnerability-related information reported to Cisco will be investigated, managed, and disclosed in accordance with our Security Vulnerability program.
If you would like additional information about Cisco services focusing on product and network security, please contact your Cisco account team or the Cisco PSIRT.
This document is part of Cisco Security Intelligence Operations.
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.