There is no way to put this nicely.
Cisco Systems considers itself above the law. (Did you know Cisco chairman and CEO John Chambers was an alumnus of West Virginia University? I didn't, until now.)
Justin Rood of Congressional Quarterly looked into the recent Black Hat incident and shared his story with Dave Farber's Interesting People list.
Apparently Cisco didn't even tell the Department of Homeland Security about the bug in its software that leaves the Internet as we know it vulnerable to hacker attack. This despite the fact that Cisco's notification would have been confidential, and that it is required.
DHS learned of the flaw just like you and I did -- through the presentation of Michael Lynn at the Black Hat conference in Las Vegas. Before his talk, Cisco sued to prevent it, Lynn's employer (ISS) demanded he desist, and Lynn quit his lucrative job at ISS.
In other words, had Lynn not been willing to quit his job, the Department of Homeland Security would still not know about a critical flaw in Cisco equipment impacting the entire Internet, a flaw the vendor was supposed to notify it of.
It's not much of a surprise that Cisco would consider itself above the law in this way.
There are plenty of other examples.
Canadian ISP Telus Communications has been blocking Web sites of its union during a contract dispute, and collateral damage impacted over 700 other sites.
The Bush Administration routinely sets itself up as above the law, refusing to acknowledge any international jurisdiction, stonewalling Congress, endorsing torture and secrecy, all in the name of national security.
That's the very same excuse Cisco is doubtless using. And, with the Administration, it might get away with it.
But if we're above the law, and if our companies are above the law, how can we demand that anyone else sit beneath the law? How, in fact, can we have law if the powerful can ignore it?
1. Eitan Caspi on August 4, 2005 04:38 PM writes...
Above which law?!
Is there a law forcing software and hardware companies to disclose vulnerabilities of their products?
I am not aware of any; please share any with us.
Yes, there should be one set up, with a proper period (but not too long) for the vendor to come up with a fix prior to publication.
And why the DHS? Why should it have any priority knowledge about vulnerabilities over any other country or SMB client of Cisco around the world?
The internet is a global shared resource: if you are the last one standing, you are alone and no one can play with you, so there is no need for a network in the first place.
If customers are not rejecting such vendor (lack of) action, or think it is OK, it is their problem. Others can go find their IT solutions with vendors that give greater respect for their product's security.
Regards,
Eitan Caspi
Israel
Blog (Hebrew): http://www.notes.co.il/eitan
Blog (English): http://eitancaspi.blogspot.com
"Technology is like sex. No Hands On - No Fun." (Eitan Caspi)