Cisco Settles Whistleblower Case for $8.6 MillionSettlement Stems From Flaws in Video Surveillance Software Sold to Government Agencies
Cisco has agreed to pay $8.6 million to settle a whistleblower lawsuit that claimed the networking company knowingly sold video surveillance software to local, state and federal agencies over a six-year period that contained serious security vulnerabilities.
The case stems from a former Cisco contractor who blew the whistle on the company after bringing the vulnerabilities in the software to the attention of Cisco executives and writing several detailed reports about the flaws, according to a statement from his attorneys.
This is apparently the first time U.S. whistleblower laws were applied to a case related to cybersecurity, the attorneys say.
Despite knowing about the flaws in the software, Cisco continued to sell these products to various government agencies and organization between 2008 and 2014, according to the attorneys' statement.
Whistleblower Gets $1.6 Million
Of the $8.6 million Cisco agreed to pay, about $1.6 million will go to whistleblower James Glenn, a contractor who was working for NetDesign, one of Cisco's distribution partners in Denmark. While working for the company in 2008, he discovered the flaw in the software, according to the his attorneys.
A few months after Glenn brought the software flaw to the attention of Cisco executives and co-workers, he was laid off in what Cisco called a cost-cutting move, according to the New York Times. A few years later, when he found that the Cisco was still selling the software, he contacted federal authorities, according to the Times.
Glenn brought the lawsuit against Cisco in 2011 under a U.S. law called the False Claims Act, which permits individuals to report fraud and misconduct in federal government contracts and programs by filing a lawsuit on the government's behalf. The act also provides for financial compensation to whistleblowers based on recovery by the government, typically between 15 and 30 percent of the total.
"This case is a critical step forward in enforcement of cybersecurity requirements - the first time the government has used a whistleblower's information to hold a major provider accountable," says Michael Ronickher, a partner at the law firm of Constantine Cannon, which represented Glenn.
Faulty Video Software
The case stems from a software package called Video Surveillance Manager, a bundled, centralized video surveillance system that controlled cameras and stored data. Cisco acquired the product when it bought a company called Broadware in 2007.
This video software was sold to numerous governments agencies, including the U.S. Department of Homeland Security, the Secret Service, the Army, the Navy, the Air Force, the Marine Corps and the Federal Emergency Management Agency, according the attorneys' statement. Cisco also sold software bundles to the local government in Washington, D.C., as well as 15 states.
The software bundle was used in airports, police departments and schools, Glenn's attorneys say.
Glenn claimed he discovered in 2008 that Video Surveillance Manager contained a vulnerability that an attacker could exploit to gain access the physical cameras and the data stored inside of the devices, according to his attorneys. An attacker could gain administrative privileges and use the software as a jumping off point to attack the entire network, according to the attorneys.
"The whistleblower submitted several detailed reports to Cisco allegedly revealing that anyone with a moderate grasp of network security could exploit this software to gain unauthorized access to stored data, bypass physical security systems, and gain 'administrative' access to the entire network of a government agency, all without detection," the attorneys say. "Despite the repeated internal warnings of VSM's flaws, Cisco allegedly continued to sell the vulnerable software to high-profile infrastructure targets."
In July 2013, Cisco released an advisory to its Video Surveillance Manager customers that they should update their software to protect against security flaws in the bundle. By 2014, Cisco had stopped selling the product, the company says.
Mark Chandler, executive vice president for legal services and general counsel for Cisco, noted that the company has changed its security standards over time and what seemed acceptable in 2008 no longer applies today.
"Evaluating these facts today, we've now agreed to make a payment that includes, what is in effect, a partial refund to the U.S. federal government and 16 states for products purchased between Cisco's fiscal years 2008 and 2013," Chandler says.
"While this is a legacy issue which no longer exists, it matters to us to recognize that times and expectations have changed," he adds.