CSO said Cisco security is growing up

John Stewart doesn't talk like your typical corporate executive. He said that his company, Cisco, has been lucky when it comes to security and that his company's Self-Defending Network marketing push has painted "a big bull's-eye" on its products.

But then again, Stewart has more important things to worry about. As chief security officer, he's the man responsible for directing Cisco corporate and business unit security practices. That means he gets the call whenever there's an important security bug in Cisco's products or if hackers were to hit the Cisco.com Web site. The way he puts it, it's his job to help lock down Cisco's products before he's forced to deal with what he calls "the burning platform" -- a serious flaw or attack against the most widely used routers on the Internet.

Maybe Cisco needs someone like Stewart, to steer clear of the mistakes that other major technology companies have made on security. Take Microsoft, for example. Microsoft first took a hostile attitude towards security researchers and critics, but that backfired and helped cement the impression that the company was ignoring security bugs rather than trying to fix them. Microsoft ultimately reversed its course, but not until its reputation took a serious hit.

On a smaller scale, Cisco has made a similar kind of reversal. The company angered hackers in 2005 by suing researcher Mike Lynn after he showed how it was possible to run unauthorized shellcode software on a Cisco router.

But instead of kicking off a new era of Cisco hacking, the Mike Lynn episode was more of an aberration. Cisco research was quiet for the next few years.

Stewart said that Cisco has been "a little lucky" in that it has not had major security flare-ups, but he's not taking anything for granted. He invited IDG News Service to his San Jose office to talk about the Cisco threat landscape. Following is an edited transcript of the interview.

Cisco got a lot of attention at Black Hat 2005. What's your take on things, three years later?

Part of the reason all the attention was painted on us at Black Hat three years ago is because we created a firestorm of, frankly all sorts of complicated issues, that felt like Cisco was suppressing communication and research.

I think arguably we did some silly things, like trying to put the genie back in the bottle, which you can't do. We were trying to do it for the right reasons: protection of intellectual property and our customers. But how it came out just completely went sideways.

And, in many respects, we did it anonymously. It was "a Cisco spokesperson." We sort of hid behind an anonymity context , which I think really goofed everything.

This is why I personally sponsored Black Hat at the platinum level ever since. Because I think we had some atonement to do and go, "Look, our bad. That was not the way to do that one."

Why do you think the Cisco research dried up like it did?

There are a couple of reasons. The first is, a lot of this is not remote exploitation, and a lot of what the research is about in any community is, "How do you do it remotely?" IRM's [Information Risk Management's] research, Sebastian's [Muniz, a researcher with Core Security Technologies] research, and to a certain degree, Michael Lynn's research, although it had a slight remote variant, it's not stable remote. And that's where the real game is.

The IDG News Service is a Network World affiliate.