One of the most successful U.S. National Security Agency spying programs involved intercepting IT equipment en route to customers and modifying it.
At secret workshops, backdoor surveillance tools were inserted into routers, servers and networking equipment before the equipment was repackaged and sent to customers outside the U.S.
The program, run by the NSA’s Tailored Access Operations (TAO) group, was revealed by documents leaked by former NSA contractor Edward Snowden and reported by Der Spiegel and Glenn Greenwald.
One of the leaked Snowden documents, dated June 2010, has two photos of an NSA interdiction operation, with a box that said Cisco on the side.
The document, labeled top secret, goes on to say that supply-chain interdiction operations “are some of the most productive operations in TAO, because they pre-position access points into hard target networks around the world.”
During a panel session at the Cisco Live conference in Melbourne last week, Cisco’s chief security and trust officer John Stewart disclosed that the company had started shipping equipment to alternative addresses with fake information for its most sensitive customers.
“We ship [boxes] to an address that has nothing to do with the customer, and then you have no idea who ultimately it is going to,” Stewart said. “When customers are truly worried … it causes other issues to make [interception] more difficult in that [agencies] don’t quite know where that router is going so it’s very hard to target – you’d have to target all of them.”
In theory, that makes it harder for the NSA to target an individual company and scoop up their package. But supply chains are tough to secure, Stewart said, and once a piece of equipment is handed from Cisco to DHL or FedEx, it’s gone.
“If a truly dedicated team is coming after you, and they’re coming after you for a very long period of time, then the probability of them succeeding at least once does go up,” Stewart said. “And it’s because they’ve got patience, they’ve got capacity and more often than not, they’ve got capability.”
Stewart said some customers had also begun driving up to distributors to pick up their hardware at the door.
Stewart was asked if Cisco ever identified any strange hardware put inside any of its products. “No, we couldn’t, because the only people who would know that for sure is the NSA,” Stewart responded.
In May 2014, Cisco CEO John Chambers sent a letter to President Barack Obama, arguing that the NSA’s alleged actions undermine trust with its customers and more broadly hurt the U.S. technology industry. Cisco also asserted that it does not work with any government to intentionally weaken its products.