The $8.6 million (roughly Rs.59 crores) settlement Cisco will pay to settle claims it sold states and federal agencies hackable surveillance software marks a sea change in how seriously the government is now taking cyber-security bugs.
The Cisco bug, which a whistleblower first alerted the company about in 2008, was in surveillance software that ended up in schools, hospitals, airports and prisons as well as federal agencies and at least 15 state governments, as I reported yesterday.
It could have allowed hackers to spy on surveillance video footage, turn cameras on and off and delete footage. It could even have allowed those hackers to compromise other connected physical security systems such as alarms or locks. Yet the company didn’t fix the bug until 2012 – one year after the whistleblower, James Glenn, filed a lawsuit against the company.
The settlement marks the first time a company has been forced to pay out for inadequate cyber-security protections under a federal whistleblower law that normally targets fraud and graft in federal contracts. And it’s sure to prompt other government suppliers to take a closer look at the security of the products they sell to the US government.
The federal government is reviewing its multibillion-dollar contracting enterprise, which supplies everything from military hardware to border surveillance tools but which officials have said was not designed to make cyber-security a major consideration.
Those officials worry that federal agencies are inadvertently greenlighting a slew of hackable products for purchase by federal agencies – many of which are then also bought by states and government grant recipients such as schools and hospitals. The flawed Cisco software could be a prime example: Glenn’s lawyers say it was purchased by the US Secret Service, the Federal Emergency Management Agency and military services as well as prisons and police departments, including the New York Police Department.
Even Cisco says the settlement underscores how government is taking cyber-security in the products it buys far more seriously than it used to. In a blog post yesterday, Cisco’s Chief Legal Officer Mark Chandler described the settlement as an example of “changing standards” and noted that “what seemed reasonable at one point no longer meets the needs of our stakeholders today.”
“We intend to stay ahead of what the world is willing to accept,” Chandler added.
Glenn was working for a Cisco subcontractor called NetDesign in Denmark when he first spotted the cyber-security bug and he sent the company numerous “detailed reports” throughout 2008 “revealing that anyone with a moderate grasp of network security could exploit this software,” his lawyers told me. But Glenn never got a response, his attorneys said.
“I was very concerned about the possibility that someone might endanger public safety by hacking into government systems,” Glenn said in a statement.
Glenn filed his lawsuit under the False Claims Act, which effectively allows individuals to sue on behalf of the government if they believe a government contractor is committing fraud. The government can join the suit later and collect most of the proceeds.
In this case, the federal government and state governments that joined the suit will collect 80 percent of the $8.6 million award while Glenn and his attorneys will take 20 percent, his lawyers said.
States that joined the settlement with the Justice Department include New York, California, Illinois, Florida, Massachusetts and Virginia.