Should we force governments to get a court order before they can conceal zero-day flaws?

Cisco wants the US government to get court approval before it can sit on security flaws without telling the vendor.

In a bid to restore foreign buyers' trust in IT vendors' products, Cisco has called for spy agencies to be forced to disclose security flaws to the affected vendor, unless a court decides otherwise.

"Governments should have policies requiring that product security vulnerabilities that are detected be reported promptly to manufacturers for remediation, unless a court finds a compelling reason for a temporary delay. By the same token, governments should not block third parties from reporting such vulnerabilities to manufacturers," Cisco's general counsel Mark Chandler said this week in a company blogpost.

The proposal would be a reversal of the current way the National Security Agency determines whether or not to disclose security flaws in vendors' software, hardware and services. As things stand now, the NSA makes such decisions with no independent oversight.

Having a third party decide on disclosures might have reduced the harm the NSA's spying revelations are thought to have had on Cisco's business in China and emerging economies. Analysts believe Cisco has been disproportionately affected by the claims.

Cisco's proposal follows claims in journalist Glenn Greenwald's new book that the NSA intercepts networking equipment from US vendors destined for overseas customers.

Though Cisco wasn't mentioned in the relevant section of the book, Chandler said the company should be able to rely on the government not to intercept its products.

"We comply with US laws, like those of many other countries, which limit exports to certain customers and destinations; we ought to be able to count on the government to then not interfere with the lawful delivery of our products in the form in which we have manufactured them," Chandler wrote.

Other suggestions from Cisco include:

  • Governments should not interfere with the ability of companies to lawfully deliver internet infrastructure as ordered by their customers;
  • Clear standards should be set to protect information outside the United States which belongs to third parties but is in the custody of subsidiaries of US companies, so that customers world-wide can know the rules that will apply and work with confidence with US suppliers.

According to Chandler, the absence of rules governing these matters and lack of transparency will cause customers to seek products they believe — rightly or wrongly — are outside of the government's reach.

Cisco's proposals add to suggestions outlined by Bob Weber, IBM's general counsel. IBM, too, has been harmed by NSA spying. IBM shareholders this month dropped a lawsuit against the company that alleged it cooperated with the NSA and that this cooperation was behind declining revenues in China.

Weber also denied that IBM plants backdoors in its equipment on behalf of the government.

IBM's own proposals to rein in US government spying include:

  • Governments should reject short-sighted policies, such as data localization requirements, that do little to improve security but distort markets and lend themselves to protectionist tendencies;
  • Governments should not subvert commercial technologies, such as encryption, that are intended to protect business data;
  • The US government should have a robust debate on surveillance reforms, including new transparency provisions that would allow the public to better understand the scope of intelligence programs and the data collected.
