Cisco Cybersecurity Flaws Lead to Large Payout for Whistleblower
In what is likely the first payout of a False Claims Act (FCA) case brought on a failure to meet cybersecurity standards, Cisco Systems has agreed to settle a whistleblower’s claim that it improperly sold video surveillance software with known vulnerabilities to US federal and state governments. This claim was initially brought in 2011 and was only recently settled. Cisco paid $8.6 million to resolve the case, with more than $1 million going to the whistleblower, James Glenn.
Glenn was a computer security expert working for one of Cisco’s Danish distributors when he discovered the flaws in Cisco’s Video Surveillance Manager (VSM) system in 2008. The VSM system allowed customers to connect multiple video surveillance cameras through one centralized server that could be accessed remotely. Glenn found a flaw in the system that would allow a person with moderate software security knowledge to gain access to all video feeds, passwords, and stored data on the system. Rather than take action to fix the flaw, Cisco terminated Glenn from his position and continued to sell the product. The customers that used the VSM system included all four branches of the US Military, various schools, Los Angeles International Airport, Washington DC Metro Police, and the New York City public transit system.
In 2013, Cisco issued a security alert, along with a fix for the security flaws, but by this time Glenn had already filed his FCA claim and the FBI had begun investigating. Glenn’s report found that Cisco was required to represent that its surveillance products were compliant with the standards of the National Institute of Standards and Technology (NIST), which sets the minimum security requirements that technology companies must meet to do business with the federal government. However, Cisco knew that Cisco VSM did not meet these standards, subjecting it to potential FCA liability.
As the first payout in an FCA case brought on a failure to meet cybersecurity standards, this settlement is a reminder to government contractors to understand their obligations, representations, and certifications regarding cybersecurity on federal contracts.