Cisco has agreed to pay $8.6 million (roughly Rs. 59 crores) to settle a claim that it sold video surveillance software it knew was vulnerable to hackers to hospitals, airports, schools, state governments and federal agencies.
The tech giant continued to sell the software and didn't fix the massive security weakness for about four years after a whistleblower alerted the company about it in 2008, according to a settlement unsealed Wednesday with the Justice Department and 15 states as well as the District of Columbia.
Hackers could use the flaw not just to spy on video footage but to turn surveillance cameras on and off, delete footage and even potentially compromise other connected physical security systems such as alarms or locks - all without being detected, according to Hamsa Mahendranathan, an attorney at Constantine Cannon, which represented whistleblower James Glenn.
The security weakness was also easy to find and exploit, said Michael Ronickher, another Contantine Cannon attorney.
"It was like the moment in the heist movies when a person types on a laptop for 30 seconds and says 'I'm in,' " Ronickher said.
There's no evidence that the bug was actually exploited to spy on Cisco customers' cameras, the company said in a statement. "We are pleased to have resolved" the dispute, a Cisco spokesman said. "There was no allegation or evidence that any unauthorised access to customers' video occurred as a result of the architecture."
Glenn's lawyers noted, however, that it's possible the hackers compromised the cameras but weren't discovered. "We don't want to give the impression we think this happened a lot," Ronickher said. "As far as we know no major breaches resulted from this. But it was left unaddressed for [four] years."
The settlement marks the first time a company has been forced to pay out under a federal whistleblower law for not having adequate cyber-security protections.
It also comes as the federal government is doing a top-to-bottom review of its multibillion-dollar contracting efforts, which officials have said were never designed to deal with cyber-security. The concern is that the government may be inadvertently greenlighting a slew of hackable products for purchase by federal agencies - many of which are then also bought by states and government grant recipients such as schools and hospitals.
That was the case with the flawed Cisco software. The US Secret Service, Federal Emergency Management Agency and military services were among the federal agencies that purchased it. And prisons and police departments, including the New York City Police Department, also bought it through grants, Mahendranathan said.
Given recent digital attacks on hospitals, local governments and schools, the pervasiveness of weak software is an urgent concern, the lawyers argued. "This video surveillance software . . . is supposed to make us safer, making the vulnerabilities at issue all the more troubling," Mahendranathan said.
Glenn, who was working for a Cisco partner in Denmark when he alerted the company to the issue, filed the lawsuit in the U.S. District Court for the Western District of New York under the False Claims Act. That law effectively allows individuals to sue on the behalf of the government if they believe a government contractor is committing fraud. The government can join the suit later and collect most of the proceeds.
In this case, the federal and state governments who joined will collect 80 percent of the $8.6 million award while Glenn and his attorneys will take 20 percent, his lawyers said.
Glenn, during his work at a Cisco subcontractor called NetDesign over the course of 2008, sent the company "detailed reports . . . revealing that anyone with a moderate grasp of network security could exploit this software" but never got a response, his attorneys said.
Glenn was fired by NetDesign in 2009, his attorneys said. They are not alleging that dismissal was in retaliation for pointing out the flaw. He filed the whistleblower lawsuit two years later.
"He tried to fix this through the appropriate channels before he ever thought about filing a lawsuit," Ronickher said. "This is usually the last resort for people who find things that just aren't being fixed."