A Security Company’s Security Headaches


Four years ago, former Cisco Systems engineer Peter Morch was charged with downloading blueprints, e-mail and other property from Cisco’s servers and taking the information to his new employer, Calix Networks.

Morch pushed Cisco to develop software that would combine voice calls with data on existing networks. He told Cisco he was resigning to work at Calix “because the company had more drive and the people there were hungrier,” according to court documents.

But after he loaded personal files onto Calix’ network in November 2000, the FBI arrested him. Then, investigators raided both his apartment in San Francisco and Calix’ offices in Petaluma, Calif., to seize the property.

Ultimately Morch was not charged with trade secret theft. He pleaded guilty to exceeding authorized access to a protected computer and served three years’ probation. Had he wanted to hurt Cisco, he writes, he could have copied “all of Cisco’s source code, lots of marketing information outlining future directions, etc.” because he had access to “all developer information in Cisco Systems.” Instead, he simply wanted to keep a private record of what he’d done at Cisco. His attorney, Nanci Clarence, says, “The FBI is trying to spin this case into something it never was.”

Still, Cisco counts itself among the three most trusted vendors in the network security business, according to John Stewart, vice president of security. Yet the company has been the victim of trade secret theft three times in the past two years:

  • In January 2003, Cisco sued Huawei, a Chinese manufacturer of routers and switches, alleging that Huawei copied Cisco’s Internetworking Operating System (IOS) source code, user interfaces, manuals and patented technologies. The companies settled in July 2004, after Huawei agreed to change its interface, manuals, help screens and portions of its source code, according to Cisco.
  • In May 2004, portions of Cisco’s IOS source code were reported to have appeared briefly on a Russian security site.
  • Six months later, an organization called the Source Code Club briefly offered portions of what it claimed was Cisco’s PIX firewall code for sale for $24,000.

In a press release, Cisco called the Huawei case “a victory for the protection of intellectual property rights.” But the CEO of InfoTech Essentials, a Menlo Park, Calif., maker of industrial energy-saving devices with offices in Beijing, says Cisco essentially withdrew from the Huawei case because “there was no way to win.”

As InfoTech has discovered, says CEO Leo Young, the Chinese are relentless about copying any company that makes a profit. Plus, Chinese laws vary from province to province and offer little protection. Imitators may form a new company with your name, make a product that looks like yours and copy your label, or claim a product works just like yours but is cheaper. “You have to plan ahead,” Young told the Asia America MultiTechnology Association conference in Palo Alto, Calif., in October. “The key is to continuously upgrade your product.”

Besides the Huawei case, twice this year Cisco has confronted claims that portions of its source code were posted on the Internet. Cisco declines to comment on the incidents.

The FBI is investigating both cases and made an arrest in September. But Cisco’s Stewart says the company is no closer today to understanding exactly what happened in these cases, and he has not ruled out the worst-case scenario—that its source code is “out there.”

Even so, Cisco tells customers it has made no changes to its network topology. According to Stewart, customers should take that as a vote of confidence. Steve Orrin, vice president at security vendor WatchFire, agrees.

Postings in February of source code from Microsoft gave hackers access to portions of the Windows NT and Windows 2000 operating systems. By contrast, Cisco gear mainly re-routes data already speeding between networks. “Routers have a limited set of functionalities,” Orrin says. He adds that Cisco has done a good job of updating software and sending out patches.

Nonetheless, since its products run the Internet, Cisco is an attractive target for hackers. Cisco has seen a 100-fold increase in alarms on its own network this year, Stewart says. That compares to a fourfold increase of targeted probes on all companies, as noted by the Gartner Group and others. “This is not a matter of accidentally looking at Cisco,” he says. “This is where we can watch our entire network being probed.”

In response, Cisco has boosted its internal security team to 60 employees, from three in 1997, and is spending money on security even in this time of tight technology budgets.

For example, Cisco is among a small number of companies combining its physical and information-technology security, according to consultant Ray Bernard. Since 1997, the company has been consolidating many of its systems that control a person’s ability to walk around its facilities—including video cameras, badge readers and motion detectors—onto a global Cisco network that ships data in great volume at high speeds.

It’s a tough job for any company because there are so many types of people who need access—the cleaning crew, the contractors, the board members—and they may be in different databases or in no database at all. “Who authorizes what—that’s the part that hangs people up,” Bernard says.

Companies that sell high-tech products do tend to be more aware than others of the need to protect intellectual property, according to Naomi Fine, a former lawyer who advises Fortune 500 companies from Silicon Valley. On a recent assignment as an expert witness, Fine says, she called construction companies in the Bay Area to ask which information was confidential. Many couldn’t tell her, or if they could, they hadn’t labeled it as confidential or told their employees.

Even so, in the Morch case it took three weeks before a Cisco program manager examined the CD-ROM Morch had left in his colleague’s CD burner. At that point, he found information Cisco had deemed proprietary, according to court documents. FBI Agent Don Przybyla says the agency then waited to see if Morch would load the information onto Calix’s network before arresting him.

Today, Cisco has a former FBI agent, Rob Rolfsen, whose sole job is to protect Cisco’s intellectual property, looking at how information flows from employee to employee and what employees need to do to share information safely. Besides sealing off employees from parts of its networks to which they don’t need access, Stewart says, Cisco requires all of its workers to sign the company’s security policy every year and to wear “culture cards,” which set the company’s priorities and have emphasized security of late.

Sun Microsystems is one of the first companies to have created such a position, according to Fine, assigning a law school graduate, Yolanda M. Harris, to the task. Harris says a turning point for Sun came a couple of years ago when an employee—simply by searching on Google for the phrase “Sun Confidential”—turned up Sun internal memos and other intellectual property on the Web.

Sun is also a party to one of the highest-profile economic espionage cases the government has yet tried. In U.S. v. Ye et al., which is scheduled for trial next April in San Jose, two engineers were arrested at San Francisco International Airport in November 2001 as they boarded a plane for China. The men allegedly possessed schematics and other materials deemed trade secrets from Sun and three other Silicon Valley companies—Transmeta, NEC Electronics and Trident Microsystems—that were intended for Supervision, a project to produce and sell microprocessors on behalf of the People’s Republic of China.

Among the issues to be raised in the case, according to court documents, are what measures these companies took to protect their information and whether it was readily accessible using lawful methods; also, whether the Economic Espionage Act applies to processes and products that are in R&D.

Both Sun and Cisco have launched numerous programs to bolster their security, such as training employees, monitoring hacker conferences, running risk assessments on partners and standardizing the devices that connect to their networks.

In the last six months, the companies have also sponsored two summits for vendors and their customers to share ideas on protecting intellectual property. Attendees have included chipmaker Intel—which was already talking with Cisco about the problem when Sun’s Harris started calling companies a year ago—Microsoft and Nike. Bernard reports similar efforts at Blue Cross, T-Mobile and Washington Mutual.

Cisco project manager Dennis Rolleri says the companies are discussing ways to value and classify information so that access rights can be defined and then controlled. For example, a document classified “internal public” might mean that everyone within the company could see it but it couldn’t be released.

Fifty such classifications might be burdensome, according to Rolleri, and two would be too few. Although Rolleri declined to discuss matters internal to Cisco, no classification would have much impact on a case like Morch’s. As a Cisco engineer, Morch contends on his Web page, he was authorized to collect the information he took—just not to leave Cisco with it. But controls would at least limit the number of people exposed to information and theoretically cut down the odds of a leak.

Ultimately, Rolleri says, the companies at the summit are trying to help employees, vendors and contractors “do the right thing” every day: “If sensitive information comes across your desk mixed with non-sensitive information, how do you know what you can and cannot talk about?”

Another thing Cisco has learned is to adopt chipmaker Intel’s practice of handling competitors’ intellectual property—if you don’t think you should have it, tell them you’ve got it.

As Stewart points out: “It’s better than being sued over it.”