In a bid to restore foreign buyers' trust in IT vendors' products, Cisco has called for spy agencies to be forced to disclose security flaws to the affected vendor, unless a court decides otherwise.
"Governments should have policies requiring that product security vulnerabilities that are detected be reported promptly to manufacturers for remediation, unless a court finds a compelling reason for a temporary delay. By the same token, governments should not block third parties from reporting such vulnerabilities to manufacturers," Cisco's general counsel Mark Chandler said this week in a company blog post.
The proposal would be a reversal of the current way the National Security Agency determines whether or not to disclose security flaws in vendors' software, hardware and services. As things stand now, the NSA makes such decisions with no independent oversight.
Having a third party decide on disclosures might have reduced the harm the NSA spying revelations are thought to have done to Cisco's business in China and emerging economies. Analysts believe Cisco has been disproportionately affected by the claims.
Cisco's proposal follows claims in journalist Glenn Greenwald's new book that the NSA intercepts networking equipment from US vendors destined for overseas customers.
Though Cisco wasn't mentioned in the relevant section of the book, Chandler said the company should be able to rely on the government not to intercept its products.
"We comply with US laws, like those of many other countries, which limit exports to certain customers and destinations; we ought to be able to count on the government to then not interfere with the lawful delivery of our products in the form in which we have manufactured them," Chandler wrote.
Other suggestions from Cisco include:
- Governments should not interfere with the ability of companies to lawfully deliver internet infrastructure as ordered by their customers;
- Clear standards should be set to protect information outside the United States which belongs to third parties, but is in the custody of subsidiaries of US companies, so that customers world-wide can know the rules that will apply and work with confidence with US suppliers.
According to Chandler, the absence of rules governing these matters and lack of transparency will cause customers to seek products they believe — rightly or wrongly — are outside of the government's reach.
Cisco's proposals add to suggestions outlined by Bob Weber, IBM's general counsel. IBM too has been harmed by NSA spying. IBM shareholders this month dropped a lawsuit against the company that alleged it cooperated with the NSA and that this was behind declined revenues in China.
Weber also denied that IBM plants backdoors in its equipment on behalf of the government.
IBM's own proposals to rein in US government spying include:
- Governments should reject short-sighted policies, such as data localization requirements, that do little to improve security but distort markets and lend themselves to protectionist tendencies;
- Governments should not subvert commercial technologies, such as encryption, that are intended to protect business data;
- The US government should have a robust debate on surveillance reforms, including new transparency provisions that would allow the public to better understand the scope of intelligence programs and the data collected.