Not keen on competing with cheaper Chinese hardware, Cisco has long lobbied the US government to hamstring Chinese competitors like Huawei for lax security practices. At the beginning of this decade as Huawei began to make inroads into US markets, Cisco could frequently be found trying to gin up lawmaker angst on this subject for obvious, financial gain. And while Huawei (like most telecom giants) certainly does dumb and unethical things, it's fairly obvious that at least a portion of our recent hyperventilation over (so far unproven) allegations that Huawei spies on Americans is good old fashioned protectionism.
Fast forward to this week, when new reports suggested that Cisco should have spent a little more time worrying about its own products. The company was required to pay the government $8.6 million after it was found that the company had, for years, routinely sold the government hackable video surveillance cameras, then done nothing to secure the devices once they were in the wild. The vulnerable gear, exposed by a Cisco whistleblower, was sold to a variety of hospitals, airports, schools, state governments and federal agencies.
And while news of the scandal was buried underneath the other, more notable privacy and security scandals of the day, the flaws were not what you'd call modest:
"Hackers could use the flaw not just to spy on video footage but to turn surveillance cameras on and off, delete footage and even potentially compromise other connected physical security systems such as alarms or locks — all without being detected, said Hamsa Mahendranathan, an attorney at Constantine Cannon, which represented the whistleblower James Glenn."
Cisco states that there's no evidence that these vulnerabilities were exploited, though that seems like an impossible claim to make given the scope of the impacted products, many of which are no longer even in circulation. Glenn suggested the vulnerabilities were "trivial" to exploit. He also noted that despite being aware of the issue, Cisco left the cameras unfixed for four years, opening itself to liability given its contractor relationship with the government:
"Glenn, during his work at a Cisco subcontractor called NetDesign over the course of 2008, sent the company “detailed reports … revealing that anyone with a moderate grasp of network security could exploit this software,” but he never got a response, his attorneys said. Glenn was fired by NetDesign in 2009, his attorneys said. They are not alleging that dismissal was in retaliation for pointing out the flaw. He filed the whistleblower lawsuit two years later."
The settlement (astonishingly) marks the first time in US history that a government contractor has been forced to pay out under a federal whistleblower law for failing to have adequate cybersecurity protections, though it's unlikely to be the last. After the Washington Post broke the story, the New York Times found that the settlement will be doled out to an array of US government agencies, including FEMA, Homeland Security, the Secret Service, and all four branches of the military.