Cisco Is Shooting Itself in the Foot

Opinion: By trying to silence reports of old flaws in IOS, the network security company has done more than anyone to publicize vulnerabilities in its own products.

I'm not sure who Cisco is trying to impress with its attempt to silence Michael Lynn's revelation of holes in its Internetwork Operating System. At the same time, I wonder what point Mr. Lynn is trying to make, but it's obviously something he feels is worth quitting his job and getting sued over.

Unless I am missing something, this hullabaloo is over vulnerabilities that Cisco has already fixed, though they may still exist in older products.

Nevertheless, Cisco is treating Lynn's report that IOS wasn't completely secure as though it were a national security issue, which it may be. However, sending goons to remove pages from the Black Hat conference proceedings makes Lynn's presentation seem more important than it probably is.

It's also just foolish, since the real danger facing Cisco isn't Lynn; it's the people who don't go public with findings of their vulnerability research, but use them to launch attacks.

If Cisco can't secure the operating system that effectively runs the Internet, that's important. And if Cisco's failings could cause the Internet to fail or be seriously compromised, as Lynn alleges was possible, that's something we all have a stake in seeing fixed.

If Cisco were doing its job, we might not need Michael Lynn to tell us about the company's shortcomings. But, because the bad guys already know—or could be presumed to know—about the problems, only Cisco's customers are out of the loop. Or were, until Lynn arrived on the scene.

On the other hand, Lynn may not be such a hero. It's hard to imagine that his disclosure didn't violate a number of legal agreements. Cisco and his former employer, Internet Security Systems, seem to have every right to sue. They also have every right to look really stupid in front of God and everybody.

It's not clear to me that Lynn is a whistleblower, except in blowing the whistle on Cisco's peevishness. The company's overreaction might be taken by potential attackers as a sign of weakness, that there are even more serious vulnerabilities waiting to be discovered.

As a media person, I always wonder what it is about companies that makes them address the problem of someone revealing confidential information in a way that only ensures that everyone—interested or not—will hear about it.

I hope Cisco and ISS will realize they've made their point and walk away before this mess takes on an even larger life of its own. Let this continue and Michael Lynn could become quite the celebrity, especially if Cisco and ISS fail in their legal attempts to silence him.

Contributing editor David Coursey has spent two decades writing about hardware, software and communications for business customers. He can be reached at