August 1, 2019 By Pierluigi Paganini
Cisco is going to pay $8.6 million to settle a legal dispute for selling vulnerable software to the US government.
Back in 2008, a whistle-blower identified vulnerabilities in Cisco video surveillance software, but the tech giant continued to sell the software to US agencies until July 2013. The case was filed in the Federal District Court for the Western District of New York and was handled under the False Claims Act, which specifically addresses fraud and misconduct in federal government contracts.
“Cisco will pay civil damages in connection with software that it sold to various government agencies, including Homeland Security, the Secret Service, the Army, the Navy, the Marines, the Air Force and the Federal Emergency Management Agency, according to a government complaint unsealed on Wednesday,” reported The New York Times.
“Fifteen states, including New York and California, and the District of Columbia joined the Justice Department in the claim against Cisco, one of the world’s largest sellers of software and equipment to businesses and governments.”
The former contractor James Glenn, who worked in Denmark at Cisco subcontractor NetDesign, discovered several security vulnerabilities in the Cisco Video Surveillance Manager (VSM).
The vulnerabilities could have allowed attackers to access data managed by the surveillance software, control cameras, bypass security measures and, under specific circumstances, gain “administrative” access over the host network.
“This video surveillance software … is supposed to make us safer, making the vulnerabilities at issue all the more troubling,” said Hamsa Mahendranathan, an attorney at Constantine Cannon, which represented the whistleblower James Glenn.
Glenn was fired five months after he reported the vulnerabilities to Cisco; the company maintained that the dismissal was not a punishment but an ordinary cost-cutting measure.
One year later, in June 2010, Glenn discovered that Cisco had still not addressed the vulnerabilities, leaving its customers exposed to the risk of a hack, and he reported his findings to the FBI.
Cisco finally addressed the flaws in 2013 and stopped selling Cisco Video Surveillance Manager (VSM) in 2014.
The good news is that Cisco is not aware of any exploitation of the flaws by threat actors in the wild.
“We are pleased to have resolved the dispute,” Robyn Blum, a Cisco spokeswoman, said in a statement. “There was no allegation or evidence that any unauthorized access to customers’ video occurred as a result of the architecture.”
“Evaluating these facts today, we’ve now agreed to make a payment that includes, what is in effect, a partial refund to the US federal government and 16 states for products purchased between Cisco’s fiscal years 2008 and 2013. The payment settles litigation that had originally been brought in 2011,” explained Mark Chandler, Cisco’s Executive Vice President and Chief Legal Officer. “The total sales at issue were well under one one-hundredth of one percent of Cisco’s total sales, and our total payment was $8.6 million, which includes payment of approximately $1.6 million to the individual who brought this to the attention of the government. While this is a legacy issue which no longer exists, it matters to us to recognize that times and expectations have changed.”