Cisco to Pay $8.6 Million to Settle Government Claims of Flawed Tech

WASHINGTON — Cisco Systems agreed on Wednesday to pay $8.6 million to settle claims that it sold video surveillance technology that it knew had a significant security flaw to federal, state and local government agencies.

Cisco will pay civil damages in connection with software that it sold to various government agencies, including Homeland Security, the Secret Service, the Army, the Navy, the Marines, the Air Force and the Federal Emergency Management Agency, according to a government complaint unsealed on Wednesday.

Fifteen states, including New York and California, and the District of Columbia joined the Justice Department in the claim against Cisco, one of the world’s largest sellers of software and equipment to businesses and governments. The case was filed in the Federal District Court for the Western District of New York under the False Claims Act, which addresses fraud and misconduct in federal government contracts.

The government said the video surveillance software it bought from Cisco was “of no value” because it did not “meet its primary purpose: enhancing the security of the agencies that purchase it.” In many cases, the Cisco software actually reduced the protection provided by other security systems, the complaint said.

Cisco said in a statement that it was pleased to resolve the dispute. “There was no allegation or evidence that any unauthorized access to customers’ video occurred as a result of the architecture,” Robyn Blum, a Cisco spokeswoman, said in a statement.

The software vulnerability was identified in 2008 by a whistle-blower, James Glenn, who was working as a Cisco subcontractor in Denmark when he discovered that he could hack into the video software and take over the surveillance system without being detected, according to his lawyers at Constantine Cannon.

That September, Mr. Glenn told Cisco that he had discovered a flaw that hackers could use to gain unauthorized access to the video surveillance system, manipulate information and bypass security measures, Mr. Glenn’s lawyers told The New York Times.

Mr. Glenn was laid off as part of what the company said was a cost-cutting measure five months after he reported the vulnerability. A year later, in June 2010, he realized that Cisco had not fixed the flaw and he could still hack into the surveillance system. Soon after, he contacted the F.B.I. to discuss the issue.

Cisco continued to sell the software with the vulnerability until July 2013, when the company let customers know about the flaw and released a way to fix the problem.

In its July 2013 disclosure, Cisco said several vulnerabilities in its software could allow an attacker to gain “full administrative privileges” to a video surveillance system, allowing that person to alter or remove camera feeds and archives. Cisco released software updates to fix the problems.

Government entities, especially smaller agencies, that do not have the resources to stay on top of cybersecurity best practices “are dependent on the software manufacturer,” said Michael Ronickher, a partner at Constantine Cannon.

When Mr. Glenn reported the problem to Cisco in 2008, he was following a vulnerability disclosure practice that was beginning to be established in the technology industry. Today, many major tech firms offer so-called bug bounties to people who discover security flaws in their systems. And they are expected to let customers know — and provide a fix — as quickly as possible.

“You have the obligation to let your users know as fast as possible,” said Jobert Abma, a co-founder of the security research service HackerOne. “I think waiting five years is never the right thing.”

Cisco and other surveillance camera manufacturers came under increasing scrutiny in 2013 for the security practices of technology linked through the internet.

During a presentation at the Black Hat security conference that year, Craig Heffner, a security researcher, demonstrated how to hack into surveillance cameras made by Cisco and others.

The Federal Trade Commission opened its first enforcement action against a so-called internet of things company in September 2013, pursuing a company called TRENDnet. Flawed security allowed a hacker to post live feeds from 700 of the company’s surveillance cameras online.

“Companies that don’t pay attention to their security practices may find that the F.T.C. will,” Edith Ramirez, who was F.T.C. chairwoman at the time, said in a 2013 speech.

Some technology providers delay making repairs to security flaws because they believe the risk is low, the cost of repair would be excessive or the patch might set off other problems, said Katie Moussouris, the chief executive of Luta Security who has drafted vulnerability disclosure standards that are used throughout the industry.

Also, once you let people know about a security flaw, “you are alerting all the bad guys at the same time,” she said.

As the world becomes more dependent on technological security, this whistle-blower case, believed to be the first focused on cybersecurity, “is a harbinger of things to come,” Mary Inman, a lawyer at Constantine Cannon, said. “We need whistle-blower insiders to be our eyes and ears and hold tech firms accountable.”

The government has not claimed that anyone exploited the vulnerability that Mr. Glenn found. Cisco sold some of its video assets to Technicolor in 2015.

Source link