24 comments

[ 3.5 ms ] story [ 75.2 ms ] thread
(comment deleted)
Why is the US military procuring Cisco equipment from any retailer other than Cisco itself? Even if the devices weren’t counterfeit, the seller could install implants in them.
Public procurement processes put in to enable competition and prevent corruption (ostensibly) enable situations where you make public bids for network infrastructure and get whatever the lowest price bidder grabbed.
Doesn't the lower bidder still have to provide proof of a chain of custody for sensitive equipment?

Just one procurement officer with the slightest doubt, and calling up someone at Cisco HQ to double check a serial number, would have discovered this scam almost instantly.

That procurement officer could be less than a year removed from high school and in charge of ordering anything from ballpoint pens to medical devices and weapons. They aren't experts in what they are purchasing all the time. I doubt there are specific details on how these got ordered, but there are scenarios that could lead to little questioning.
Scenarios that lead to little questioning, sure, but none that lead to zero questioning.

Unless they are already part of a well established contractor. And even then at least a few dozen sets of eyeballs are going over the paperwork from my understanding.

Why?

Probably the other seller offered a lower price.

If a Cisco reseller offers a lower price than Cisco for Cisco equipment that's pretty dumb. I realize it can happen because prices are negotiated but such situations introduce risk into the supply chain as seen here.
A lot of times equipment like that is supplied as part of a system, the DOD buys the system, not the individual components.
There are many variables to procurement and all have various levels of scrutiny. I'm not an expert, but here are a few routes to paint a picture.

If it's a part of an "official" system/package from a big defense contractor there's little chance it's counterfeit. There's quite of bit of scrutiny there, unless the contractor providing that system is buying these off Amazon which seems the lest likely scenario. But maybe a small company setup with the sole purpose of winning the bid for an F-15 simulator bids so low that they do buy this stuff, it's possible.

As others mentioned, there are layers of rules about justification if you don't go for the lowest price, preference for small business, and getting bids.

Finally, if you just need something, the person ordering the item isn't the person buying the item. The IT professional orders a Cisco router, provides some possible places to source it and turns that into contracting/procurement. The procurement team will then actually go buy it and often they will go try to find the cheapest option and they're not experts so they'll often buy the wrong damn thing entirely. Want a 500ft roll of yellow shielded Cat6? Here's 1000ft of blue UTP Cat3 because "it was cheaper".

Lol being in the industry, it gets better than that.

Sometimes IT isn't even consulted. The engineers with no IT background will just buy equipment and shove it in without a second thought. Lord knows where they get the equipment at that point.

I had a network guy I know at another defense contractor once tell me he just came back from a IT freakout because engineering was just finishing a classified project and they literally never told IT about all the internal networking it contains. Apparently the IT guys themselves spent a weekend even installing steel plates over the network panels to the networking in a hurry to cover their bases. Lol

Cisco doesn’t really sell this stuff directly, you have to buy through resellers.
They bought from Amazon, etc. I think there are two issues here, 1 buying components for stuff like that from those types of sources, in addition to 2 his fraud
From the story:

    He was sentenced to 78mo for a scam that generated $100M in revenue

    His sentence includes an order to pay $100M in restitution to Cisco
When a US corp harms individuals (directly), it pays a fine (some small fraction of the gains) - to the government. Instead of jail time, corp execs keep whatever bonuses they receive.

When an individual harms a US corp (indirectly), he's obligated to pay 100% of the revenue - to the corp. He goes to jail.

The article is kinda fuzzy about a couple distinct things:

* Gray market is selling a product to someone you're not authorized by the brand to sell it to. For example, the brand says you can only sell these units in geopolitical region A, but you quietly sell to region B, where you can get more money for them. The biggest impact to the buyer might be that they don't have the brand's warranty coverage.

* Counterfeiting could include all the other things described. Where you're not getting the physical product that you thought you're getting.

In one startup, we were initially pitching anti-counterfeiting solutions. But in enterprise sales courtships, it seemed premium brands were often more immediately concerned about gray market diversion.

It could be that gray market hurts more immediately or obviously, whereas counterfeiting impact on sales and long-term brand reputation is harder to quantify and attribute.

Although this article is by CRN (formerly Computer Reseller News), it's much bigger than their perspective... With Cisco, and other critical infrastructure or life/safety-critical systems/products, counterfeits have the additional problem of threatening safety and/or national security. In those cases, it's not just about a brand trying not to get defrauded or lose money&reputation, but it's also on the radar for government authorities entrusted to protect everyone.

The interesting piece is how, within about a half-decade, Amazon went from having a reputation as trusted, reputable vendor to a a brand as a sketchy marketplace full of fakes and counterfeits.

I'm wondering who will step into Amazon's old role. It seems like a vacuum in the market now.

I bought a Cisco 4321 from Newegg once. It ran, but had a weird Chinese sticker on it. Otherwise totally looked 100% legit, ran ios (albeit an old version).

It ran at like 98% cpu utilization constantly but worked, after a few years it just started reboot looping every day, then eventually every hour.

Wtf - Cisco wouldn’t even admit it was a fake, they in fact wouldn’t tell me anything unless I bought a support plan from them