Cisco Systems has settled a channel partner's claim that the networking giant improperly sold video surveillance software with known vulnerabilities to U.S. federal and state governments, according to Reuters and statements from Cisco.
The settlement involves a case that dates back to 2008, and software that hasn't been sold since 2014. Still, the settlement could be an important milestone in the cybersecurity market. Pundits believe it's the first payout on a False Claims Act case brought over failure to meet cybersecurity standards, Reuters says.
The $8.6 million settlement includes a $1.6 million payout to James Glenn, a whistleblower who was working with NetDesign, a Cisco partner in Denmark. In 2008, Glenn warned that a hacker could use flaws in the software to gain administrative control of the entire network, Reuters reports.
Cisco Settles Cybersecurity Claim: Case in Context
In a blog post, Cisco Systems Executive VP and Chief Legal Officer Mark Chandler offered additional context on the settlement. Among the points Chandler made, the video security software at issue involved:
- software sold between 2008 and 2014;
- code created by Broadware, a company that Cisco acquired in 2007;
- an open architecture; and
- no evidence that any customer's security was ever breached.
Moreover, Cisco took steps to address potential concerns and issues in 2009, 2013 and 2014. Among the steps, Chandler points out:
- In 2009, Cisco published a Best Practices Guide emphasizing that users needed to pay special attention to building necessary security features on top of the software they were licensing from Cisco.
- In July 2013, Cisco advised customers to upgrade to a new version of the software that addressed the security features.
- All sales of the older versions of the software had ended by September 2014.
Still, Cisco agreed to settle the case and make the $8.6 million payment as part of a realization that "times and expectations" for cybersecurity have changed, Chandler wrote in the blog.
Technology Vulnerabilities: Landmark Case?
The big question on the minds of legal experts: Will the settlement open the door for more whistleblowers to report government-focused vendors for knowingly selling technology that contains cybersecurity vulnerabilities?
As The Washington Post points out: "The settlement marks the first time a company has been forced to pay out for inadequate cybersecurity protections under a federal whistleblower law that normally targets fraud and graft in federal contracts. And it’s sure to prompt other government suppliers to take a closer look at the security of the products they sell to the U.S. government."