Should we force governments to get a court order before they can conceal zero-day flaws?

Summary: Cisco wants the US government to get court approval before it can sit on security flaws without telling the vendor.

In a bid to restore foreign buyers' trust in IT vendors' products, Cisco has called for spy agencies to be forced to disclose security flaws to the affected vendor, unless a court decides otherwise.

"Governments should have policies requiring that product security vulnerabilities that are detected be reported promptly to manufacturers for remediation, unless a court finds a compelling reason for a temporary delay. By the same token, governments should not block third parties from reporting such vulnerabilities to manufacturers," Cisco's general counsel Mark Chandler said this week in a company blogpost.

The proposal would be a reversal of the current way the National Security Agency determines whether or not to disclose security flaws in vendors' software, hardware and services. As things stand now, the NSA makes such decisions with no independent oversight.

Having an independent third party decide on disclosure might have reduced the harm that the NSA spying revelations are thought to have done to Cisco's business in China and other emerging economies. Analysts believe Cisco has been disproportionately affected by the claims.

Cisco's proposals follow claims in journalist Glenn Greenwald's new book that the NSA intercepts networking equipment from US vendors while it is in transit to overseas customers.

Though Cisco wasn't mentioned in the relevant section of the book, Chandler said the company should be able to rely on the government not to intercept its products.

"We comply with US laws, like those of many other countries, which limit exports to certain customers and destinations; we ought to be able to count on the government to then not interfere with the lawful delivery of our products in the form in which we have manufactured them," Chandler wrote.

Other suggestions from Cisco include:

  • Governments should not interfere with the ability of companies to lawfully deliver internet infrastructure as ordered by their customers;
  • Clear standards should be set to protect information outside the United States which belongs to third parties, but are in the custody of subsidiaries of US companies, so that customers world-wide can know the rules that will apply and work with confidence with US suppliers.

According to Chandler, the absence of rules governing these matters and lack of transparency will cause customers to seek products they believe — rightly or wrongly — are outside of the government's reach.

Cisco's proposals add to suggestions outlined by Bob Weber, IBM's general counsel. IBM too has been harmed by the NSA spying revelations: IBM shareholders this month dropped a lawsuit alleging that the company had cooperated with the NSA and that this cooperation was behind its declining revenues in China.

Weber also denied that IBM plants backdoors in its equipment on behalf of the government.

IBM's own proposals to rein in US government spying include:

  • Governments should reject short-sighted policies, such as data localization requirements, that do little to improve security but distort markets and lend themselves to protectionist tendencies;
  • Governments should not subvert commercial technologies, such as encryption, that are intended to protect business data;
  • The US government should have a robust debate on surveillance reforms, including new transparency provisions that would allow the public to better understand the scope of intelligence programs and the data collected.

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Talkback

5 comments
  • Makes you wonder

    How many commercially, domestically sold electronic communication and computing devices does the NSA have Trojan horses built into?
    Dr_Zinj
  • I asked the monitor that last night ;}

    While I was talking to a friend, we wondered about that question, so I asked the NSA person listening in on our call. He said he couldn't tell me.

    (Just a joke, spies; based on real life conversations broadcast on public radio in the 1980s, in which an American talk show host, Michael Jackson, was talking to Bishop Tutu about, what else, apartheid. At the end of all such calls, Jackson always politely said good night to Tutu and also the presumed South African phone call monitor. And no, this radio host was NOT related to the rock singer.)
    jallan32
  • Don't be absurd

    They should NEVER be allowed to hide things like this. Just like we need to hunt down the NSA criminals who intercept shipments (Federal crime for everyone else) and "modify" the products.

    Why ANY person or country in the world will still buy from an American source is beyond me. If I wasn't here in America, I certainly would not. The American Federal Government can't be trusted. By anyone.
    timspublic1@...
  • Governments will notify the vendor of the vulnerability

    and simultaneously request that it not fix the vulnerability until given the green light to do so.
    Rabid Howler Monkey
  • Sorry, that's classified

    It is public knowledge that we, the US, have cyber weapons. Any vulnerabilities discovered during research get the "Top Secret Classified Stamp" and the courts are locked out of even knowing they exist.

    See article here for some info or use Bing to find more info... http://www.salon.com/2013/04/10/air_force_classifies_cybersecurity_tools_as_weapons/

    It's a balance of power issue between nations and we will keep making them as long as others are making them.

    Move on to the next topic and ignore the wizardry behind the closed door because this dog does not hunt!
    rrathbun