Cisco Failed to Alert DHS, Agencies About Software Security Flaw

August 3, 2005

By Justin Rood, CQ Staff

If you learn of a security hole that could bring down a nuclear power plant, a bank, major corporate networks - or all of the above - do you have to tell the Department of Homeland Security?

According to at least one company, the answer appears to be no.

Despite knowing since at least April of a security flaw in the software that runs on its computers, Cisco Systems did not tell DHS, one of its customers. But with more than 37,000 employees and annual revenues topping $20 billion, the San Jose, Calif.-based company is much more than a vendor to DHS. It is the world's largest maker of networking hardware and software - including the routers that keep most of the Internet and corporate and government networks humming.

The company did not alert anyone about the flaw. Instead, it made a software update available to fix the problem - but did not tell its customers the update was urgently needed to fix a hole that could allow hackers to gain control of their computers and wreak malicious havoc.

"They deliberately kept this from their customers, and now everyone is scrambling to patch [it]," said Raven Alder, a Seattle-based computer security expert who consults for several government agencies and private companies, in an interview. "By keeping the seriousness of the threat away from paying customers - that has outraged a lot of people."

Alder declined to name the government agencies for which she consulted or to say if she had worked for DHS. "They may not want that to be public," she said by telephone Tuesday.

Cisco's actions outraged Michael Lynn, a 24-year-old computer security expert who worked for a Cisco contractor, Atlanta-based Internet Security Systems (ISS), and who had worked on the problem quietly for months.

Before a crowd of fellow computer security experts assembled at the Black Hat hacker conference in Las Vegas last week, Lynn demonstrated how the flaw could be exploited. It was the first public announcement of the security hole Cisco and its contractor discovered at least four months earlier.

Cisco and ISS filed for an injunction to prevent Lynn from talking about the flaw. The parties reached an out-of-court agreement the next day that simply prevented him from giving the same presentation elsewhere. A subsequent FBI investigation has led Lynn to decline further press interviews, his attorney, Jennifer Granick, said Aug. 1.

Possibilities for Hackers

The possibilities the security hole presents to a sophisticated hacker are significant, according to several experts.

If the conditions were right, hackers "can mess with a bank . . . [or] a nuclear power plant," said Alder. "They would be able to take [a network] over, and do anything they want."

"It could allow criminals to . . . steal identity information, engage in [network] attacks and blackmail," said Bruce Schneier of Mountain View, Calif.-based Counterpane Internet Security. "It's a major vulnerability." His company does not compete with ISS, Schneier said, but offers complementary security services.

Despite the seriousness of the flaw, Lynn's presentation at Black Hat last week was the first the department heard of the problem.

"We just found out about it at Black Hat," DHS spokesman Kirk Whitworth told CQ Homeland Security July 28.

Jeff Moss, founder and president of the Black Hat conference, said he spoke to several representatives from DHS and other government agencies at his event. All were surprised by Lynn's presentation, he said - and none was particularly pleased with Cisco.

"They seemed kind of unhappy that Cisco never gave them a heads up that any of this was possible," Moss said Tuesday by phone. "This huge thing got dropped in their lap, and they had to learn about it [by] coming to Black Hat."

DHS Coordination

The Homeland Security Department coordinates the federal government's infrastructure protection efforts. It has established a complex web of information-sharing systems to pass along critical information on vulnerabilities such as the Cisco security hole.

The department has also worked to create legal shields for such "critical infrastructure information," which exempts it from public release under federal law. That protection is meant to ease companies' fears that handing the government such delicate information means it could be widely shared.

"This sort of thing is a pretty strong argument for eliminating that exemption," said David McGuire of a Washington-based think tank, the Center for Democracy and Technology. "Not only do we not know what information they're sharing, we now know they're not sharing any information at all."

For its part, Cisco declined to confirm it did not tell DHS of the flaw before Lynn's presentation. "Because of the number of touch points between Cisco and any of its customers, there is no way for Cisco to determine when any one customer organization became aware" of the flaw, wrote company spokesman Robert Barlow in an e-mail Tuesday to CQ Homeland Security.

"What we can state," wrote Barlow, "is that we did issue a security advisory on July 29th" - which was two days after Lynn's presentation in Las Vegas.

In a phone interview Tuesday, Barlow downplayed the seriousness of the flaw. It only affects a portion of Cisco customers who have their machines set a particular way - a "very small" number of users, he said, although he did not have statistics to demonstrate that.

Some observers expressed disbelief at Cisco's failure to notify DHS of its problem.

"I'm really surprised they didn't disclose [the flaw] earlier," said Michael Wendy, spokesman for the Washington policy office of the Computing Technology Industry Association. "It's in their best interests to head this off at the pass."

Justin Rood can be reached at

Source: CQ Homeland Security 2005 Congressional Quarterly Inc. All Rights Reserved

main page ATTRITION feedback