At the Black Hat USA conference in July, Cisco Systems Inc. and Atlanta-based Internet Security Systems Inc. tried to stop security researcher Michael Lynn, until then an ISS employee, from giving a scheduled talk about a flaw in Cisco’s router software. The companies also prodded Black Hat’s organizers to remove Lynn’s slides from the conference proceedings, and they secured a court injunction preventing him from further spreading information about exploiting the flaw. Jeff Platon, vice president of product marketing for security and application networking technology at Cisco, spoke this week with Computerworld about Cisco’s handling of the Black Hat dispute, among other topics.
Has Cisco’s reputation been helped or hurt by the events at Black Hat? We remain vigilant in trying to protect our intellectual property and fulfilling our obligations around full and prompt disclosure of vulnerabilities and solutions that customers need to resolve any potential risks they have with (a) vulnerability.
So a great example was this issue with Michael Lynn. This was a previously disclosed vulnerability with patches already out. What was inappropriate with that issue was the perspective of that individual. It would be akin to (saying), “Here’s an atomic bomb diagram, and I’m going to show you some shortcuts on how to build one in your kitchen.” That was really what he did. And it was inappropriate and bordering on the criminal, which is why law enforcement got involved. Those are criminal acts, to exploit vulnerabilities with the intent to harm.
So I would summarize by saying we remain vigilant in fulfilling our obligations to customers to ensure that they have the highest reliability of network-connected systems possible.
But do you think that Cisco’s image was enhanced or not as a result of your handling of the Lynn presentation? I think we were consistent in terms of the proactive nature of early disclosure and going out to customers and helping them with methods to mitigate the liability.
Still, there were news reports that Cisco had told people to rip the pages out of Lynn’s Black Hat presentation, among other things. Have you heard any backlash from customers? We’ve had no negative comments from customers. I believe customers continue to trust us to do the right thing. What happened, it is what it is. Were there other ways it could have been handled? Certainly. But it is what it is, and we were trying to fulfill our obligations.
What if something like this happened again at next year’s Black Hat conference, or elsewhere? Have you put anything in place to change how you’d react? Yes, we have a better process in place than we had before.
Different lawyers? We have the same people involved. It wasn’t so much about our lawyers. It was the (public) perception. We have a better methodology to handle that. The methods may change slightly.
You mentioned that many of Cisco’s large customers had made the fix to the router software before the Black Hat incident. Are there any contractual terms that require users to install the patches you give them? No, I think it’s a “trusted adviser” status, where they trust us to recommend good, proper configurations. (But) when we make a strong recommendation, it’s really not like you have a choice. You do really need to make this change.
By Matt Hamblen, Computerworld