Cisco to pay $8.6 million for selling vulnerable software to US government

[steven36]

Cisco agreed today to pay $8.6 million to settle a legal case brought forward by a former contractor who accused the company of failing to fix several security flaws and continuing to sell vulnerable video surveillance software to US government agencies for years.

 

 

According to court documents obtained by ZDNet, the case was handled under the US False Claims Act (FCA), which allowed the former contractor to report fraud in government contracts by filing a "qui tam" lawsuit on the government's behalf.

Cisco ignored bug report

In the lawsuit, filed in May 2011 but kept under seal until today, James Glenn, who worked in Denmark at Cisco subcontractor NetDesign, claimed he found security flaws in Cisco's Video Surveillance Manager (VSM) -- a multi-software package that could be used to control video surveillance cameras, to store recorded video feeds, and allow operators to manipulate camera-recorded videos.

 

Glenn said the vulnerabilities could have allowed a hacker to gain unauthorized access to data stored inside VSM installations, turn cameras off to aid intruders, and even gain "administrative" access over a client's entire network.

 

Glenn said he notified Cisco of these issues in October 2008, but the company failed to patch the reported bugs. Furthermore, Cisco continued to sell its VSM package to customers all over the world, including US government agencies.

 

"This video surveillance software is used by airports, police departments, and schools. It is supposed to make us safer, making the vulnerabilities at issue all the more troubling," said Hamsa Mahendranathan, an attorney at Constantine Cannon, the law firm that represented Glenn.

 

After seeing that his reports were ignored, Glenn filed a whistleblower case under the FCA, which was later joined by 18 US states, including California, Delaware, Florida, Hawaii, Illinois, Indiana, Massachusetts, Minnesota, Montana, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, Rhode Island, Tennessee, Virginia and the District of Columbia.

 

 

Cisco eventually patched the bugs reported by Glenn in 2013 and stopped selling the VSM package altogether, a year later, in 2014.

Settlement fee represent a partial refund

"We are pleased to have resolved a 2011 dispute involving the architecture of a video security technology product we added to our portfolio through the Broadware acquisition in 2007. There was no allegation or evidence that any unauthorized access to customers' video occurred as a result of the architecture," a Cisco spokesperson told ZDNet via email, when reached out for comment.

 

According to Mark Chandler, Cisco's Executive Vice President and Chief Legal Officer, the $8.6 million sum represents "a partial refund to the US federal government and 16 states for products purchased between Cisco's fiscal years 2008 and 2013."

 

Of the $8.6 million, roughly $1.6 million will go to Glenn and his lawyers. Qui tam lawsuits allow whistleblowers to receive a percentage of any imposed penalties.

 

Chandler said Cisco never made huge profits from these contracts, and the total sales of VSM software to US government entities were "well under one one-hundredth of one percent of Cisco's total sales."

 

"While this is a legacy issue which no longer exists, it matters to us to recognize that times and expectations have changed," Chandler said.

 

 

Source

[steven36]

Cisco whistleblower gets first False Claims payout over cybersecurity

 

 

SAN FRANCISCO (Reuters) - Cisco Systems (CSCO.O) Inc has agreed to settle a whistleblower’s claim that it improperly sold video surveillance software with known vulnerabilities to U.S. federal and state governments, marking the first payout on a False Claims Act case brought over failure to meet cybersecurity standards.

 

The settlement and underlying claim were unsealed on Wednesday, eight years after the initial legal complaint. Cisco paid $8.6 million to resolve the case, with most of that going to the federal government and 15 state buyers and more than $1 million going to the whistleblower, James Glenn.

 

“We are pleased to have resolved a 2011 dispute involving the architecture of a video security technology product,” said Cisco spokeswoman Robyn Blum. “There was no allegation or evidence that any unauthorized access to customers’ video occurred as a result of the architecture.”

 

Glenn attorney Anne Hayes Hartman and other experts believe Cisco’s payout is the first in a false claims cyber case.

 

Many more whistleblower claims could ensue, experts said. The settlement “clearly provides an opportunity for entrepreneurial plaintiffs or potential plaintiffs to go around looking for more examples like this,” said Georgetown University law professor Gregory Klass.

 

Hundreds of false-claim suits are filed yearly, in part because of built-in rewards for those who point out improper conduct by government contractors. Under the law, a whistleblower must provide nonpublic information in order to win an award.

 

With many contracts including pledges that products meet cyber security standards set by the government, experts have long warned that the claims could expand into that area and punish vendors for the vulnerabilities that are present in many systems.

 

Cisco’s Video Surveillance Manager was used by Los Angeles International Airport, the Washington D.C. police and the New York City public transit system, as well as many schools, said Hartman.

 

The complaint unsealed Wednesday also names as customers the U.S. Army, Navy, Air Force, and Marine Corps.

 

Glenn was working at a Cisco partner in Denmark called NetDesign, the complaint says, among other things working with Danish police. In 2008, he warned Cisco that a hacker who got into one camera that was part of the system could use flaws in the software to get administrative control of the entire network. The suit says a hacker could then potentially move beyond the video system.

 

“Due to the vulnerability in Cisco’s surveillance system, any user who has or can gain access to one video camera could potentially gain unauthorized access to the entire network of a federal agency,” the suit says.

 

When Cisco failed to act, Glenn spoke with an L.A. airport police detective on an FBI terrorism task force.

 

The company acknowledged the flaws in 2013 as it released an updated version of the software.

 

“There’s this culture that tends to prioritize profit and reputation over doing what’s right,” Glenn said in a written statement. “I hope coming forward with my experience causes others in the tech community to think about their ethical mandate.”

 

Source