Cisco Systems has agreed to an $8.6 million settlement with the federal government stemming from allegations it “improperly sold video surveillance software with known vulnerabilities to U.S. federal and state governments,” Reuters reported on Wednesday.
According to Reuters, the case began eight years ago and underlying claims related to the settlement were unsealed on Wednesday. The New York Times identified a wide range of agencies which Cisco will pay civil damages to, including Homeland Security, the Secret Service, all four branches of the military, and the Federal Emergency Management Agency. Some 15 states and the District of Columbia were also named as claimants.
The Times reported that the underlying issue relates to a Cisco subcontractor turned whistleblower, James Glenn, whose attorneys said he discovered major vulnerabilities in 2008 that could allow hackers to “gain unauthorized access to the video surveillance system, manipulate information, and bypass security measures.” While Glenn reported the issue, he was laid off five months later; he realized in 2010 it was never fixed and informed the FBI.
According to Reuters, the suit claims that an attacker could theoretically exploit the vulnerability to access other administrative systems and thus compromise entire federal computer networks:
The suit says a hacker could then potentially move beyond the video system.
“Due to the vulnerability in Cisco’s surveillance system, any user who has or can gain access to one video camera could potentially gain unauthorized access to the entire network of a federal agency,” the suit says.
Cisco only acknowledged that the flaw could allow “full administrative privileges on the system” in July 2013, when it released patches. As CNBC noted, the flaws made the products non-compliant with National Institute of Standards in Technology (NIST) standards that federal contractors are expected to maintain. Cisco continued to insist that its products met the NIST standard during the time the bugs went unfixed, leaving the company open to liability under the False Claims Act, Glenn’s legal team told CNBC.
Glenn will receive around $1 million of the settlement payout, with the rest going to the federal government and the affected states.
Reuters wrote that Glenn’s attorney, Annie Hayes Hartman, said that this appears to be the first payout in a false claims cyber case—something that some in the legal community have warned could be the next frontier in lawsuits waged over allegations of false promises in government contracts. Hartman told CNBC that “It’s astonishing that there aren’t more of these cases being brought.”
“We are pleased to have resolved a 2011 dispute involving the architecture of a video security technology product we added to our portfolio through the Broadware acquisition in 2007,” Cisco told CNBC in a statement. “There was no allegation or evidence that any unauthorized access to customers’ video occurred as a result of the architecture.”