Cisco to pay $8.6 million for selling vulnerable software to US government

Danish contractor gets $1.6 million of the final settlement for reporting Cisco to the US government.

cisco-logo-vantage-small.jpg

Cisco agreed today to pay $8.6 million to settle a legal case brought forward by a former contractor who accused the company of failing to fix several security flaws and continuing to sell vulnerable video surveillance software to US government agencies for years.

According to court documents obtained by ZDNet, the case was handled under the US False Claims Act (FCA), which allowed the former contractor to report fraud in government contracts by filing a "qui tam" lawsuit on the government's behalf.

Cisco ignored bug report

In the lawsuit, filed in May 2011 but kept under seal until today, James Glenn, who worked in Denmark at Cisco subcontractor NetDesign, claimed he found security flaws in Cisco's Video Surveillance Manager (VSM) -- a multi-software package that could be used to control video surveillance cameras, to store recorded video feeds, and allow operators to manipulate camera-recorded videos.

Glenn said the vulnerabilities could have allowed a hacker to gain unauthorized access to data stored inside VSM installations, turn cameras off to aid intruders, and even gain "administrative" access over a client's entire network.

Glenn said he notified Cisco of these issues in October 2008, but the company failed to patch the reported bugs. Furthermore, Cisco continued to sell its VSM package to customers all over the world, including US government agencies.

"This video surveillance software is used by airports, police departments, and schools. It is supposed to make us safer, making the vulnerabilities at issue all the more troubling," said Hamsa Mahendranathan, an attorney at Constantine Cannon, the law firm that represented Glenn.

After seeing that his reports were ignored, Glenn filed a whistleblower case under the FCA, which was later joined by 18 US states, including California, Delaware, Florida, Hawaii, Illinois, Indiana, Massachusetts, Minnesota, Montana, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, Rhode Island, Tennessee, Virginia and the District of Columbia.

Cisco eventually patched the bugs reported by Glenn in 2013 and stopped selling the VSM package altogether, a year later, in 2014.

Settlement fee represent a partial refund

"We are pleased to have resolved a 2011 dispute involving the architecture of a video security technology product we added to our portfolio through the Broadware acquisition in 2007. There was no allegation or evidence that any unauthorized access to customers' video occurred as a result of the architecture," a Cisco spokesperson told ZDNet via email, when reached out for comment.

According to Mark Chandler, Cisco's Executive Vice President and Chief Legal Officer, the $8.6 million sum represents "a partial refund to the US federal government and 16 states for products purchased between Cisco's fiscal years 2008 and 2013."

Of the $8.6 million, roughly $1.6 million will go to Glenn and his lawyers. Qui tam lawsuits allow whistleblowers to receive a percentage of any imposed penalties.

Chandler said Cisco never made huge profits from these contracts, and the total sales of VSM software to US government entities were "well under one one-hundredth of one percent of Cisco's total sales."

"While this is a legacy issue which no longer exists, it matters to us to recognize that times and expectations have changed," Chandler said.

Related government coverage: