A scramble at Cisco exposes uncomfortable
truths about U.S. cyber defense
[March 29, 2017]
By Joseph Menn
SAN FRANCISCO (Reuters) - When WikiLeaks
founder Julian Assange disclosed earlier this month that his
anti-secrecy group had obtained CIA tools for hacking into technology
products made by U.S. companies, security engineers at Cisco Systems
<CSCO.O> swung into action.
The WikiLeaks documents described how the Central Intelligence Agency
had learned more than a year ago how to exploit flaws in Cisco's widely
used Internet switches, which direct electronic traffic, to enable
eavesdropping.
Senior Cisco managers immediately reassigned staff from other projects
to figure out how the CIA hacking tricks worked, so they could help
customers patch their systems and prevent criminal hackers or spies from
using the same methods, three employees told Reuters on condition of
anonymity.
The Cisco engineers worked around the clock for days to analyze the
means of attack, create fixes, and craft a stopgap warning about a
security risk affecting more than 300 different products, said the
employees, who had direct knowledge of the effort.
That a major U.S. company had to rely on WikiLeaks to learn about
security problems well-known to U.S. intelligence agencies underscores
concerns expressed by dozens of current and former U.S. intelligence and
security officials about the government's approach to cybersecurity.
That policy overwhelmingly emphasizes offensive cyber-security
capabilities over defensive measures, these people told Reuters, even as
an increasing number of U.S. organizations have been hit by hacks
attributed to foreign governments.
Larry Pfeiffer, a former senior director of the White House Situation
Room in the Obama administration, said now that others were catching up
to the United States in their cyber capabilities, "maybe it is time to
take a pause and fully consider the ramifications of what we’re doing.”
U.S. intelligence agencies blamed Russia for the hack of the Democratic
National Committee during the 2016 election. Nation-states are also
believed to be behind the 2014 hack of Sony Pictures Entertainment and
the 2015 breach of the U.S. Government's Office of Personnel Management.
CIA spokeswoman Heather Fritz Horniak declined to comment on the Cisco
case, but said it was the agency's "job to be innovative, cutting-edge,
and the first line of defense in protecting this country from enemies
abroad."
The Office of the Director of National Intelligence, which oversees the
CIA and NSA, referred questions to the White House, which declined to
comment.
Across the federal government, about 90 percent of all spending on cyber
programs is dedicated to offensive efforts, including penetrating the
computer systems of adversaries, listening to communications and
developing the means to disable or degrade infrastructure, senior
intelligence officials told Reuters.
President Donald Trump’s budget proposal would put about $1.5 billion
into cyber-security defense at the Department of Homeland Security
(DHS). Private industry and the military also spend money to protect
themselves.
But the secret part of the U.S. intelligence budget alone totaled about
$50 billion annually as of 2013, documents leaked by NSA contractor
Edward Snowden show. Just 8 percent of that figure went toward “enhanced
cyber security,” while 72 percent was dedicated to collecting strategic
intelligence and fighting violent extremism.
Departing NSA Deputy Director Rick Ledgett confirmed in an interview
that 90 percent of government cyber spending was on offensive efforts
and agreed it was lopsided.
"It's actually something we're trying to address" with more
appropriations in the military budget, Ledgett said. "As the cyber
threat rises, the need for more and better cyber defense and information
assurance is increasing as well."
The long-standing emphasis on offense stems in part from the mission of
the NSA, which has the most advanced cyber capabilities of any U.S.
agency.
The logo of Cisco is seen at Mobile World Congress in Barcelona,
Spain, February 27, 2017. REUTERS/Eric Gaillard
It is responsible for the collection of intelligence overseas and
also for helping defend government systems. It mainly aids U.S.
companies indirectly, by assisting other agencies.
“I absolutely think we should be placing significantly more effort
on the defense, particularly in light of where we are with
exponential growth in threats and capabilities and intentions," said
Debora Plunkett, who headed the NSA’s defensive mission from 2010 to
2014.
GOVERNMENT ROLE
How big a role the government should play in defending the private
sector remains a matter of debate.
Former military and intelligence leaders such as ex-NSA Director
Keith Alexander and former Secretary of Defense Ashton Carter say
that U.S. companies and other institutions cannot be solely
responsible for defending themselves against the likes of Russia,
China, North Korea and Iran.
For tech companies, the government's approach is frustrating,
executives and engineers say.
Sophisticated hacking campaigns typically rely on flaws in computer
products. When the NSA or CIA find such flaws, under current
policies they often choose to keep them for offensive attacks,
rather than tell the companies.
In the case of Cisco, the company said the CIA did not inform the
company after the agency learned late last year that information
about the hacking tools had been leaked.
“Cisco remains steadfast in the position that we should be notified
of all vulnerabilities if they are found, so we can fix them and
notify customers,” said company spokeswoman Yvonne Malmgren.
SIDE BY SIDE
A recent reorganization at the NSA, known as NSA21, eliminated the
branch that was explicitly responsible for defense, the Information
Assurance Directorate (IAD), the largest cyber-defense workforce in
the government. Its mission has now been combined with the dominant
force in the agency, signals intelligence, in a broad operations
division.
Top NSA officials, including director Mike Rogers, argue that it is
better to have offensive and defensive specialists working side by
side. Other NSA and White House veterans contend that perfect
defense is impossible and therefore more resources should be poured
into penetrating enemy networks - both to head off attacks and to
determine their origin.
Curtis Dukes, the last head of IAD, said in an interview after
retiring last month that he feared defense would get even less
attention in a structure where it does not have a leader with a
direct line to the NSA director.
“It’s incumbent on the NSA to say, 'This is an important mission',"
Dukes said. "That has not occurred.”
(Reporting by Joseph Menn in San Francisco. Additional reporting by
Warren Strobel in Washington; Editing by Jonathan Weber and Ross
Colvin)
[© 2017 Thomson Reuters. All rights
reserved.]
Copyright 2017 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.