On 13 May 2014, a new book about the U.S. National Security Agency (NSA) was released. It includes allegations that the NSA has intercepted and tampered with technology products in transit from U.S. technology providers to customers, potentially including products intended for Cisco customers.
We take these allegations very seriously, and our Chief Executive Officer has communicated directly with leaders in the U.S. government to express our deep concern.
Our commitment to our customers is clear: as a matter of policy and practice, Cisco does not work with any government, including the U.S. government, to weaken or compromise our products. This document has been prepared to help you assess, secure, and manage your network.
We are proud of our global reputation as a trustworthy vendor, and we take industry-leading measures to safeguard the integrity, security, and reliability of our equipment.
Cisco's Trustworthy Systems initiative focuses on four key areas during product development:
Cisco's Secure Development Lifecycle is a repeatable company-wide methodology for secure product development to mitigate the risk of vulnerabilities and increase product resiliency
Deploying Trust Anchor Technologies to assure customers that they are using genuine hardware and software and offer increased physical security protection for their networks
Physical security — Component-to-finished good traceability, real-time transport tracking, security checkpoints, segregation of high-value materials, and role-based access control
Logical security (rules-based) — Encrypted data transmission, material reconciliation, and data destruction and scrap handling processes
Security technology — Anti-counterfeiting chips, insertion of immutable identity during test, data extracting test beds, and tamper-resistant labeling and packaging
We also validate supplier adherence to our security requirements in multiple ways, including physical audits, information security assessments, and embedding security into supplier ratings. The intended result of this validation process is continuous feedback, remediation, and enhancement.
Cisco has reviewed the most recent allegations, said to be sourced from a “June 2010 report from the head of the NSA's Access and Target Development department.” This document alleges that the NSA “intercepts and tampers with routers and servers manufactured by Cisco to direct large amounts of Internet traffic back to the NSA's repositories” through the installation of “beacon implants.”
Having reviewed this information, Cisco has concluded:
No information about specific Cisco products was included
No information about interdiction or implant techniques was included
No new security vulnerabilities were identified or disclosed
Based on the generic information published, we recommend that Cisco customers focus on two areas: network infrastructure hardening, and monitoring and analysis of network telemetry.
Network Infrastructure Hardening
Implementing a regular and periodic software upgrade routine using current software versions obtained from Cisco.com
Engaging Cisco Services to determine the suitability of Cisco's traffic and threat-based products and services
Cisco's Brand Protection program is focused on the protection of your investment in Cisco technology. Learn more about avoiding the introduction of counterfeit products and unnecessary risk into your network on the Brand Protection website.
For More Information
If you discover an anomaly or suspicious network activity, we recommend:
Added a link to network integrity resources on the Cisco Security portal.
Included a link to the Cisco IOS XE Software Integrity Assurance white paper in the "Network Infrastructure Hardening" section and added a link to the Telemetry-Based Infrastructure Device Integrity Monitoring white paper in the "Monitoring and Analysis of Network Telemetry" section.
This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.
This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.