Cisco Systems is stonewalling—or should I say firewalling, since we’re talking networking? But it’s pretty darn clear now that the crown jewels of the latest version of its Internetwork Operating System’s source code have been swiped. This is bad news.
No, it’s not likely, as some have suggested, that some weekend cracker can find serious security vulnerabilities in the 800-or-so MBs of source code. But who says Cisco’s code is only going to be examined by script kiddies?
The Internetwork Operating System (IOS) is what the majority of Internet routers and switches run on. That in turn means that, for most practical purposes, the Internet runs on Cisco Systems Inc.
Now, say, oh, I don’t know, some government with tech-savvy workers that doesn’t care a lick for the West and its Internet decides to play games with the Net. What would happen? I suspect we’d see the biggest distributed-denial-of-service (DDoS) attack in history.
Yes, this is just potential, but it is a real threat. Why do you think the FBI is involved? In part, I’m sure it’s because they realize just how damaging an attack on the Cisco-based Internet infrastructure could be.
But there’s more. I have never had more trouble chasing a story than this one. Cisco’s partners, ISPs and resellers simply don’t want to talk about the situation. And I can’t blame them in one way.
Cisco has egg on its face thanks to this break-in, but no one wants to admit that the company looks bad. Heck, Cisco’s very own Web site still doesn’t have a word about the break-in.
One reason why Cisco has achieved its place in the networking community is that it has a reputation for being the absolute best of the best, for building routers and switches that set the industry standard. Well, now we know that Cisco isn’t perfect, and a lot of people don’t want to talk about it or even face it.
Our customers—the people who don’t know what IOS stands for and may not even know what Cisco is—deserve better. Cisco needs to make a statement. It needs to tell the reseller and integrator communities that yes, there was a break-in, but that Cisco will do better next time.
That’s a good start, but Cisco also needs to tell us what it’s going to do next to protect its products and the Internet.
Traditionally, Cisco never talks about new releases until they’re ready to land on the street. It’s time to throw that policy out. I understand Cisco IOS 13 was going to come out in June.
Well, is it, Cisco? Are you auditing the code to make sure that any vulnerabilities in the stolen code, IOS 12.3 and 12.3t, are being fixed?
Cisco needs to come out and start making strong statements, because even if there aren’t any successful attacks based on the theft, it’s not looking good.
Don’t think for a second that Juniper Networks Inc., Cisco’s biggest rival, won’t be telling users, resellers and integrators that maybe Juniper is the more prudent, more secure choice.
Indeed, I already have in front of me an announcement from DeepNines Technologies Inc.
“With this recent theft of code, Cisco is well on its way to becoming the kind of hacker target Microsoft is,” DeepNines president and chief operating officer Dan Jackson said in the statement.
“From a market-share standpoint, Cisco and Microsoft aren’t all that different, which makes this latest event so potentially disastrous for everyone who owns a Cisco router—thousands of networks could be crippled if that code gets into the wrong hands.
“There’s really only one way to protect those networks, and that’s to put security in front of the router, which is exactly where our technology sits.”
While I don’t think Cisco has become the kind of target Microsoft is, I can’t argue with DeepNines’ approach. Customers who really need 99.9999 percent reliability probably do need this kind of in-front firewall protection now more than ever.
And Cisco, if it wants to keep 99.9999 percent of its supporters happy, needs to talk to its partners and customers now about what’s really what with the code theft—and what it plans to do about it.
Steven J. Vaughan-Nichols is the editor of Channel Zone and has been covering the channel for more than a decade.