Cisco Systems has agreed to pay $8.6 million to settle a case brought by a former contractor who accused the company of selling video surveillance software with known vulnerabilities to the US government. The majority of the payment acts as a refund for a number of US states and the federal government; however, around $1.6 million will go to the whistleblower who brought attention to the issue.
In the lawsuit, which was filed in 2011 and only unsealed on Wednesday (31st July), James Glenn, a subcontractor, claimed he found a vulnerability in Cisco’s Video Surveillance Manager (VSM), a software package used for controlling surveillance cameras and storing recorded video feeds. The exploit Glenn discovered would have given an attacker full administrative access to the software that managed video feeds, letting them be monitored from a single location, the lawsuit claimed. It could also potentially have been used to gain unauthorized access to sensitive connected systems.
Glenn reportedly notified Cisco of the issue in October 2008. He expected a grateful response, together with a bug-bounty credit on Cisco’s website. Instead, he was fired by the Cisco reseller that employed him as part of a cost-cutting programme. Even more alarmingly, Cisco itself failed to act on Glenn’s discovery and continued to sell the unpatched software to customers all over the world, including a number of US government agencies. The lawsuit documents the full breadth of Cisco’s government contracts, with the software being used by the Department of Defense Biometrics Task Force, the U.S. Secret Service, the Department of Homeland Security, the Army, the Navy, the Marine Corps, NASA and the Federal Emergency Management Agency, as well as by police stations, prisons, schools and Amtrak at its stations.
Cisco eventually patched the vulnerabilities in 2013, almost five years after Glenn’s initial report, and stopped selling the VSM altogether in 2014.
The significance of the lawsuit
After seeing that his reports were ignored, Glenn filed a case under the US False Claims Act (FCA), a law which allows whistleblowers to report fraud and misconduct in government contracting (for example, selling defective products) and to claim a financial reward if the claim succeeds.
Glenn’s case is significant because, according to his attorneys, it is the first cybersecurity case successfully litigated under the FCA. In other words, it sets a potentially crucial precedent by making it clear, at least with regard to US government contracts, that cybersecurity vulnerabilities can render a product defective. This could have far-reaching implications for the design and development of software products.