Cisco ‘Intentionally’ Sold Vulnerable Video Surveillance System to U.S. Government

Cisco Settles $8.6 Million Lawsuit Over Security Vulnerabilities in Surveillance Software

Cisco Systems has reached an $8.6 million settlement concerning a lawsuit that alleged the company knowingly sold a flawed video surveillance system to U.S. federal and state agencies, despite being aware of critical security vulnerabilities. This case marks a significant application of the False Claims Act in relation to cybersecurity standards, potentially setting a precedent for future legal actions in the tech industry.

The lawsuit originated in 2011 when James Glenn, a former subcontractor for Cisco, became a whistleblower after discovering significant vulnerabilities in the Cisco Video Surveillance Manager (VSM) suite. Glenn’s concerns took root in September 2008 when he and a colleague identified multiple security flaws. Their attempts to bring these issues to Cisco’s attention in October 2008 yielded no substantial action, prompting Glenn’s eventual report to federal authorities in 2010.

The VSM suite is designed to centralize the management of video cameras across various locations, allowing for remote access. However, the vulnerabilities uncovered could have allowed remote attackers to seize control of entire surveillance systems. This includes unauthorized access to live video feeds, manipulation of stored data, and the bypassing of critical security protocols, raising alarm about the potential for significant security breaches.

After Glenn was terminated by his employer, Net Design, allegedly as backlash against his whistleblowing, he took further steps that led to the federal lawsuit against Cisco, which claimed the company had defrauded multiple government entities. The software was reportedly sold to numerous departments, including police, schools, and high-security agencies such as the U.S. Department of Homeland Security and the Secret Service.

The lawsuit highlights that Cisco had knowledge of these vulnerabilities for a considerable period and failed to alert affected entities. The ramifications of such flaws could have been severe. The court documents indicated that an unauthorized user could decommission security cameras at critical locations like airports, raising the specter of significant operational disruption.

In response to the lawsuit, Cisco acknowledged the vulnerabilities (CVE-2013-3429, CVE-2013-3430, CVE-2013-3431) and subsequently released an updated version of the VSM suite. The settlement will allocate $1.6 million to Glenn and his legal team, while $7 million will be distributed among the federal government and the 16 states impacted by the flawed software.

Cisco has maintained in its public statements that there was no evidence that unauthorized access to customer data had occurred through its software, although it conceded that the system could theoretically be susceptible to hacking. The company views this settlement as a resolution of the dispute that arose from Glenn’s claims, closing a chapter on a significant security lapse that could impact U.S. governmental operations.

As businesses navigate the complexities of cybersecurity, this case serves as a stark reminder of the vulnerabilities inherent in technology solutions and the critical importance of rigorous security standards in software development. Companies must remain vigilant about their cybersecurity measures and compliance with established standards to mitigate the risks of potential lawsuits and breaches.
