Cisco has agreed to settle a whistleblower’s claim that it improperly sold video surveillance software with known vulnerabilities to U.S. federal and state governments, marking the first payout on a False Claims Act case brought over failure to meet cyber security standards.
The settlement and underlying claim were unsealed on Wednesday, eight years after the initial legal complaint. Cisco paid US$8.6 million to resolve the case, with most of that going to the federal government and 15 state buyers and more than $1 million going to the whistleblower, James Glenn.
"We are pleased to have resolved a 2011 dispute involving the architecture of a video security technology product," said Cisco spokeswoman Robyn Blum. "There was no allegation or evidence that any unauthorised access to customers' video occurred as a result of the architecture."
Glenn attorney Anne Hayes Hartman and other experts believe Cisco's payout is the first in a false claims cyber case.
Many more whistleblower claims could ensue, experts said. The settlement “clearly provides an opportunity for entrepreneurial plaintiffs or potential plaintiffs to go around looking for more examples like this,” said Georgetown University law professor Gregory Klass.
Hundreds of false-claim suits are filed yearly, in part because of built-in rewards for those who point out improper conduct by government contractors. Under the law, a whistleblower must provide nonpublic information in order to win an award.
With many contracts including pledges that products meet cyber security standards set by the government, experts have long warned that the claims could expand into that area and punish vendors for the vulnerabilities that are present in many systems.
Cisco’s Video Surveillance Manager was used by Los Angeles International Airport, the Washington D.C. police and the New York City public transit system, as well as many schools, said Hartman.
The complaint unsealed Wednesday also names as customers the U.S. Army, Navy, Air Force, and Marine Corps.
Glenn was working at a Cisco partner in Denmark called NetDesign, the complaint says, among other things working with Danish police. In 2008, he warned Cisco that a hacker who got into one camera that was part of the system could use flaws in the software to get administrative control of the entire network. The suit says a hacker could then potentially move beyond the video system.
"Due to the vulnerability in Cisco's surveillance system, any user who has or can gain access to one video camera could potentially gain unauthorised access to the entire network of a federal agency," the suit says.
When Cisco failed to act, Glenn spoke with an L.A. airport police detective on an FBI terrorism task force.
The company acknowledged the flaws in 2013 as it released an updated version of the software.
“There's this culture that tends to prioritise profit and reputation over doing what's right," Glenn said in a written statement. "I hope coming forward with my experience causes others in the tech community to think about their ethical mandate."
(Reporting by Joseph Menn in San Francisco; Editing by Greg Mitchell)