The delivery company Cisco uses to ship hardware around the world has denied participation in a program run by the National Security Agency in which agents intercept packages as they are en route to customers for the purpose of installing bugs and spy software.
The NSA interception program was first made public last December in documents presented at a conference by security expert Jacob Appelbaum. The classified documents, which were published the same day by Der Spiegel magazine, detailed how technology experts within the NSA’s Tailored Access Operations unit, were tasked with installing spy hardware and software in computer equipment used throughout the world.
One way the TAO agents would install the spy equipment is by intercepting packages as they are en route to customers overseas, a process known as “interdiction.” Though the practice received little attention when it was disclosed last year, it was recently brought back into the spotlight when journalist Glenn Greenwald of The Intercept published two photos of a secret TAO facility, one of which showed agents carefully opening a Cisco-branded box that presumably contained computer hardware.
NSA employees intercept a Cisco-branded package at a secret facility. (Photo: U.S. government / Glenn Greenwald via Edward Snowden)
“Shipments of computer network devices (servers, routers, etc.) being delivered to our targets around the world are intercepted,” a classified NSA document explaining the program said. “Next they are redirected to a secret location where [TAO] employees, with the support of the Remote Operations Center…enable the installation of beacon implants directly into our targets’ electronic devices. These devices are then re-packaged and placed back into transit to their original destination.”
The document suggests the packages are intercepted after they’ve been shipped by Cisco, meaning they would be in the custody of a courier service when NSA obtains them.
UPS, which Cisco has used since 1997 to ship hardware to customers around the world, said on Thursday that it did not voluntarily allow government officials to inspect its packages unless it is required to do so by law.
“UPS’ long-standing policy is to require a legal court-ordered process, such as a subpoena, before responding to any third-party requests,” UPS spokeswoman Kara Ross wrote in an e-mail to TheBlot Magazine. “UPS is not aware of any court orders from the NSA seeking to inspect technology-related shipments.”
In a follow-up e-mail, Ross said UPS had no knowledge of similar orders from the FBI, CIA or any other federal agency.
TheBlot reached out to three other courier services — the U.S. Postal Service, Federal Express and DHL — to ask if they had any knowledge of the NSA interception program. The U.S. Postal Service told TheBlot in a statement that it “does not have knowledge of or participate in any such program.” Federal Express and DHL did not return multiple requests for comment.
In a blog post published last week, Cisco executive Mark Chandler said the company regularly complies with government regulations regarding the export of its computer equipment to customers overseas, but denounced the claim that the government “took steps to compromise IT products enroute [sic] to customers.”
“We ought to be able to count on the government to…not interfere with the lawful delivery of our products in the form in which we have manufactured them,” Chandler wrote. “To do otherwise, and to violate legitimate privacy rights of individuals and institutions around the world, undermines confidence in our industry.”
Chandler didn’t say if the company knew of the NSA interdiction program, nor did the executive acknowledge if Cisco participated in the interception of packages delivered to certain customers.
Matthew Keys is a contributing journalist for TheBlot Magazine.
Matthew Keys is a California-based independent journalist who covers global current events for TheBlot Magazine with a focus on policy, tech and security. He previously worked at Thomson Reuters in New York City. He can be reached by phone, e-mail and on social media here.