Cisco CEO Chuck Robbins
Pradeep Gaur | Mint | Getty Images
Cisco has settled with federal, state and local agencies for $8.6 million in a first-of-its-kind whistleblower case involving a cybersecurity flaw.
The case involves attempts by a Denmark-based employee of a Cisco partner, who alerted the company in November 2008 to a flaw in software made for a line of Cisco surveillance cameras. The problems wasn’t fixed for years, and the funds are meant to reimburse the whistleblower and federal, state and local entities to whom Cisco misrepresented the safety of the cameras.
Though the settlement is relatively small, it’s a case that many companies will be watching closely as they navigate the hundreds or thousands of vulnerability reports they receive from outside researchers each month, and try to parse which ones need attention and which are just hype.
In a statement, Cisco said, “We are pleased to have resolved a 2011 dispute involving the architecture of a video security technology product we added to our portfolio through the Broadware acquisition in 2007. There was no allegation or evidence that any unauthorized access to customers’ video occurred as a result of the architecture.”
A lengthy fix
According to the complaint, James Glenn, a Denmark-based employee of a Cisco partner company called Net Design, contacted Cisco in November 2008. He said he had discovered a flaw in Cisco’s proprietary surveillance camera software that not only made it easy for a would-be attacker to access the systems running the devices, but to also hack deeper into those systems after gaining entry. Glenn made the discovery after participating in a so-called “own medicine” initiative by his company, where employees security test equipment and software they’re using or working on.
James Glenn, who tried to alert CIsco to a security flaw in its surveillance cameras.
Via Constantine Cannon
According to the complaint, Glenn said he tried to contact Cisco through an online form meant for reporting vulnerabilities, but was unsuccessful in reaching anyone. Shortly after that, Net Design fired him. The firing, because it took place in Denmark, was not a part of Glenn’s whistleblower claim in the U.S., according to his attorneys.
Later, Glenn claims he discovered the unfixed cameras and software were still being used by the Los Angeles International Airport, and in 2010 he contacted the local authorities and ultimately law enforcement personnel working within LAX to report the problem.
But according to court filings cited by Glenn’s attorneys, Cisco didn’t fix the vulnerability until an updated version of the software was released in 2012. The company also didn’t release a security advisory to companies using the previous, flawed version of the software until 2015.
Importantly, the flaw hinged on faulty access controls, making it too easy for anyone to access the equipment. This made the products non-compliant with the federal government’s National Institute of Standards in Technology (NIST) framework, which dictates the security measures required by tech companies wishing to do business with the federal government. Many state and local agencies also demand NIST compliance.
Since Cisco had continually represented its surveillance products were compliant with NIST during the timeframe it remained vulnerable, the Western District of New York court determined the company had violated the False Claims Act by not minding the warnings of the whistleblower and continuing to claim the cameras were compliant, Glenn’s attorneys said.
The cameras were used in a wide range of federal government entities, including military installations, prisons, local courthouses and many others, according to Anne Hartman, attorney for Glenn and partner in San Francisco-based whistleblower law firm Constantine Cannon.
Cisco had argued that it had released a best practices guide, with information about how to set access controls so the flaw wouldn’t present a problem, and reassured Glenn at one point they were working on the issue, both of which weren’t enough of a remedy to avoid a whistleblower case, Hartman said.
Companies should pay attention, Hartman said, because they face a tripling of damages from cases like this.
“It’s astonishing that there aren’t more of these cases being brought,” she said.