KazantsevAlexander - Fotolia
Cisco security flaw leads to $8.6M payout in whistleblower case
The settlement resolves allegations that a Cisco security flaw left governments vulnerable to hackers for years without the company taking action.
Cisco agreed to pay $8.6 million to settle a whistleblower lawsuit that accused the company of selling video surveillance software to government agencies despite knowing for years that the product suffered from critical security vulnerabilities. The settlement was the first of its kind against a tech company for alleged cybersecurity fraud.
Hackers could have used the Cisco security flaw to gain access to a customer's local area network, potentially giving them control over physical security systems such as locks and alarms. The hackers also could have exploited the weakness to view, modify and delete video surveillance feeds and to obtain user passwords that would mask their activities.
Federal agencies that used the flawed product to manage video surveillance feeds included the Department of Defense, the Secret Service, the Department of Homeland Security, NASA and the Federal Emergency Management Agency, according to court documents unsealed Wednesday. Major airports, police departments and public transit systems had also deployed the product.
Cisco became aware of flaws in the product, called the Cisco Video Surveillance Manager, no later than May 2008 but did not issue a security advisory until July 2013, according to Cisco's settlement agreement with 15 states and the District of Columbia. Offices of the state attorneys general provided a copy of the deal.
Cisco did not admit wrongdoing.
Cisco has made security a main selling point of its cloud products in recent years. This week's revelations risk sullying that reputation at a time when consumers and businesses are becoming leerier of the threats posed by new technologies. The case underscores that vendors need more than just secure software — they need well-enforced protocols for responding to reported defects.
In a blog post, Cisco said the settlement showed that software companies were increasingly being held to a higher standard on security. "In short, what seemed reasonable at one point no longer meets the needs of our stakeholders today," said Mark Chandler, Cisco's executive vice president and chief legal officer.
Whistleblower's lawsuit
James Glenn, a former employee of Denmark-based Cisco partner NetDesign, sued Cisco in May 2011 on behalf of the federal government and numerous state governments who had purchased the product. Glenn acted as a whistleblower under the provisions of federal and state fraud laws that allow private citizens to file lawsuits on behalf of governments.
Glenn alerted Cisco to the vulnerabilities in October 2008. In March 2009, while attempting to get Cisco to patch the flaws, Glenn's position with NetDesign was terminated because of "economic concerns," according to the lawsuit. NetDesign did not respond to a request for comment.
Glenn first alerted federal authorities to the security issue in September 2010, asking a family member to tell the FBI that the Los Angeles International Airport was using the software. Glenn later spoke to a detective for the airport who served on the FBI's Joint Terrorism Task Force.
The settlement marks the first instance of a citizen-initiated whistleblower lawsuit prompting the U.S. government to successfully seek a financial penalty against a tech company for cybersecurity fraud, according to Constantine Cannon LLP, a law firm that represented Glenn.
As part of the $8.6 million settlement, Cisco will pay Glenn $1.6 million. Separately, Glenn is asking a federal judge to order Cisco to reimburse him for attorneys' fees and other costs related to bringing the action. Nevertheless, the penalty is a tiny drop in the bucket for Cisco, which brought in $49.3 billion in revenue last fiscal year.
The settlement -- representing a partial refund for those who bought the product -- covers only the government agencies involved, meaning Cisco could still be subject to lawsuits by private companies that used the software, which the vendor sold between 2008 and 2014.
"My view is that there are likely international governments, as well as domestic and international private companies, who could be impacted here for sure," said Mary Inman, an attorney for Constantine Cannon LLP's whistleblower practice group. "I would expect to see follow-on lawsuits from class-action attorneys representing some of the private customers here."
Cisco's handling of the security flaw
Cisco inherited the technology behind the product through its 2007 acquisition of Broadware. Cisco released a best practices guide in 2009 that the company claims addressed the security vulnerabilities in question. However, in an interview Thursday, Glenn disputed the guide's helpfulness. "I didn't see a version of the guide that would have been effective in mitigating those issues," he said.
Cisco released an advisory in July 2013, shortly after a security website posted publicly about the vulnerabilities. The company released a software update in December 2012 that eliminated the flaws, but customers were not forced to upgrade. Cisco continued to sell vulnerable versions of the product until September 2014.
The lawsuit accused Cisco of violating the federal False Claims Act by knowingly selling a product that failed to comply with security standards for government computer systems. The company also allegedly failed to warn customers subscribed to its premium security service about the flaws.
"We're increasingly seeing whistleblowers from around the world alerting the U.S. authorities to fraud," Inman said. "[This is] the first of what we believe will be … many whistleblower-initiated lawsuits which are helping to hold the tech community accountable."