Cisco Systems has reached an $8.6 million settlement to resolve allegations that it knowingly sold video surveillance software with critical security vulnerabilities to federal, state, and local government agencies, leaving government systems vulnerable to hackers.
The outcome is precedent-setting, believed to be the “first cyber-security whistleblower case of its kind ever successfully litigated under the False Claims Act,” according to the attorneys who represented the whistleblower in the case.
On Aug. 1, a coalition of 19 Attorneys General, headed by New York State, announced the multistate settlement agreement against Cisco Systems. The allegations resolved by the settlement arose from a whistleblower lawsuit filed in 2011 under the False Claims Act (FCA), which permits private citizens to sue on behalf of the government and share in any recovery.
The whistleblower in this case was James Glenn, who worked in Europe for a Cisco distribution partner. Under the settlement, state and local agencies will receive $6 million, while Glenn will receive an award equal to 20 percent (about $1.7 million) of the total.
In his role at Cisco, Glenn discovered critical security flaws in the company’s Video Surveillance Manager (VSM), a bundled, centralized video surveillance system. In 2008, Glenn submitted reports to Cisco, notifying them of these security vulnerabilities. According to the allegations, these reports revealed “anyone with a moderate grasp of network security could exploit this software to gain unauthorized access to stored data, bypass physical security systems, and potentially gain ‘administrative’ access to the entire network of a government agency, all without detection.”
The security vulnerabilities meant the VSM was not in compliance with the Federal Acquisition Regulation and other applicable procurement standards, including state standards, that require government information technology contractors to comply with basic cyber-security controls. These cyber-security standards include those set forth by the National Institute of Standards and Technology (NIST).
Despite the repeated internal warnings of the VSM’s flaws, Cisco allegedly failed to report these security issues until 2013, and only after the states launched their investigation. Instead, Cisco continued to sell the vulnerable software to high-profile infrastructure targets and government entities, including the Department of Homeland Security, the Secret Service, the Army, the Navy, the Air Force, the Marine Corps, and the Federal Emergency Management Agency.
According to the New York Attorney General’s office, the joint state investigation uncovered no evidence that a hack or any unauthorized access of security surveillance systems ever took place.
“Security camera software must be secure; it’s that simple,” New York Attorney General Letitia James said in a statement. “Cisco’s failure to keep their software safe could have endangered the safety of New Yorkers across our state.”
James sounded a warning to other software manufacturers: “We are holding the company accountable and will ensure that software manufacturers dealing with our state not only have the most secure software possible, but diligently report and repair any flaws they learn about.”
North Carolina Attorney General Josh Stein echoed a similar warning in response to the settlement. “Cisco failed to address known flaws in its software and put sensitive surveillance data at risk of being hacked,” he said. “My office will continue to hold companies accountable when they don’t work to protect their products and data.”
Mark Chandler, Cisco’s chief legal and compliance officer, responded to the settlement in a blog post, broadly stating that the cyber-security practices of yesterday no longer meet the standards expected today.
The video security software at issue was created by Broadware, a company Cisco acquired in 2007. “Broadware intentionally utilized an open architecture to allow customized security applications and solutions to be implemented,” Chandler explained. “Because of the open architecture, video feeds could theoretically have been subject to hacking—though there is no evidence that any customer’s security was ever breached.”
Chandler went on to say that in 2009 Cisco published a “Best Practices Guide, emphasizing that users needed to pay special attention to building necessary security features on top of the software they were licensing from us.” In July 2013, Cisco further advised that customers should upgrade to a new version of the video security software, which addressed the security features.
All sales of the older versions of the software had ended by September 2014. “While this is a legacy issue which no longer exists,” Chandler wrote, “it matters to us to recognize that times and expectations have changed.”
More to come?
Marking the first successful cyber-security whistleblower case of its kind under the FCA, the case may now spark similar whistleblower claims. “We have seen an increase in the number of whistleblowers approaching us with information about cyber-security issues,” Anne Hartman, who represented Glenn in the case, tells Compliance Week.
“Cyber-security is emerging as a critical issue for government regulators at all levels—federal, state, and local—and whistleblowers can play a critical role in providing non-public information to those regulators and helping to ensure the security both of government systems and of individuals’ private information,” Hartman adds.
“The tech industry needs to fulfill its professional responsibility to protect the public from their products and services,” Glenn said in a statement. “There’s this culture that tends to prioritize profit and reputation over doing what’s right. I hope coming forward with my experience causes others in the tech community to think about their ethical mandate.”