The company’s video surveillance manager, which was used by the Pentagon, DHS, NASA and others, contained vulnerabilities that would let hackers view, modify and disable video feeds at government facilities.
Cisco Systems on Wednesday agreed to pay a $8.6 million settlement after knowingly selling insecure video surveillance equipment to federal agencies, state governments, schools, airports and other groups.
The company became aware of multiple security flaws in its video surveillance manager in 2008, but it didn’t fix the bugs for roughly four years, according to newly unsealed court documents. During that time, Cisco continued to sell the vulnerable system to government agencies and never brought the vulnerabilities to the attention of its clients, which included the Homeland Security Department, Federal Emergency Management Agency, U.S. Secret Service and NASA, as well as the Army, Navy, Air Force and Marine Corps.
The lawsuit began in 2011 after whistleblower named James Glenn told the FBI that Cisco was knowingly selling the flawed tech to government agencies despite the significant security risks. Glenn alerted Cisco to the vulnerabilities while working as a subcontractor in Denmark, but the company never took action to address them. The company laid off Glenn months later in what he suspected was retaliation.
After Cisco continued to sell the insecure system for more than two years, Glenn filed a suit under the False Claims Act on behalf of the federal government, as well as 15 states and the District of Columbia.
The vulnerabilities Glenn uncovered would allow bad actors to view, modify and disable video feeds across the entire network by accessing a single camera. And because video networks often connect to other security systems, they could’ve also exploited the bugs to bypass locks, fire alarms and other security features at government facilities.
“These flaws are so severe that they not only render the [system] fatally insecure, but also compromised the security of any other computer or system connected to the [system],” lawyers for Glenn, the Justice Department and state governments wrote in their original complaint, which was unsealed on Wednesday. By not telling government customers about the bugs, the company created “a wide network of security disasters waiting to happen,” they added.
The settlement marks the first time federal whistleblower law was successfully used to punish a company for shoddy cybersecurity practices.
In a blog post, Mark Chandler, Cisco’s executive vice president and chief legal officer, said the settlement amounts to “a partial refund” to federal agencies and state governments for the systems they purchased between 2008 and 2013. As the whistleblower for the case, Glenn will receive about 20% of the $8.6 million settlement, according to the post.
The government is still trying to figure out how to ensure the companies it does business with are taking cybersecurity seriously. Despite efforts to lock down the federal supply chain and mandate secure development practices, agencies are struggling to keep irresponsible vendors and vulnerable tech out of their IT ecosystems.
“Citizens depend on the tech industry to keep our data secure, and every data breach we read about shakes our confidence,” Michael Ronickher, a lawyer at Constantine Cannon who represented Glenn during the case, said in a statement. “This case is a critical step forward in enforcement of cybersecurity requirements.”