Cisco has agreed to pay $8.6 million to settle claims that it sold video surveillance software with vulnerabilities that could have exposed federal, state and local government agencies to attackers. Under the terms of the settlement, Cisco will pay $2.6 million to the federal government and up to $6 million to 15 states, certain cities and other entities that purchased the product. The states that settled with Cisco are California, Delaware, Florida, Hawaii, Illinois, Indiana, Minnesota, Nevada, New Jersey, New Mexico, New York, North Carolina, Tennessee, Massachusetts and Virginia.

According to Cisco, the software, which was sold between 2008 and 2014, was created by Broadware, a company Cisco bought in 2007 for its surveillance video technology; Cisco ultimately named the product Video Surveillance Manager (VSM).

“Broadware intentionally utilized an open architecture to allow customized security applications and solutions to be implemented. Because of the open architecture, video feeds could theoretically have been subject to hacking, though there is no evidence that any customer’s security was ever breached,” wrote Mark Chandler, Cisco executive vice president, Chief Legal Officer and General Counsel. “In 2009, we published a Best Practices Guide emphasizing that users needed to pay special attention to building necessary security features on top of the software they were licensing from us. And in July, 2013, we advised that customers should upgrade to a new version of the software which addressed security features. All sales of the older versions of the software had ended by September, 2014.”

Cisco described the vulnerabilities, and a patch for them, in a 2013 advisory for Video Surveillance Manager, saying “multiple security vulnerabilities exist in versions of Cisco VSM prior to 7.0.0, which may allow an attacker to gain full administrative privileges on the system.” In other words, the fix Cisco offered its customers was to move to VSM 7.0.0 or later; the earlier versions remained on sale for more than a year after that advisory.

The case was brought as a whistleblower lawsuit in 2011 against Cisco “for selling and causing others to sell to federal agencies as well as to state and local government entities a video surveillance system that Defendant knew to possess dangerous, undisclosed, and impermissible security weaknesses.” Law firm Phillips & Cohen filed the lawsuit in federal district court in Buffalo, NY, in 2011, alleging violations of the federal False Claims Act and similar state laws, on behalf of James Glenn, a former security consultant for a Danish company that is a Cisco partner. Fellow law firm Constantine Cannon LLP was co-counsel in the suit. The lawyers say this is one of the first times a company has been made to pay on a False Claims Act finding involving a cybersecurity product.

The Danish company fired Glenn in 2009 after he submitted a detailed report to Cisco identifying what he believed to be security flaws.

“The whistleblower submitted several detailed reports to Cisco allegedly revealing that anyone with a moderate grasp of network security could exploit this software to gain unauthorized access to stored data, bypass physical security systems, and gain administrative access to the entire network of a government agency, all without detection. Despite the repeated internal warnings of VSM’s flaws, Cisco allegedly continued to sell the vulnerable software to high-profile infrastructure targets,” according to Constantine Cannon.

“I was very concerned about the possibility that someone might endanger public safety by hacking into government systems,” Glenn said in a statement. “I filed the [whistleblower] qui tam lawsuit to make the government aware of the problem and to get it fixed. I am glad that Cisco replaced the affected product and that the case has been settled.”

“Cybersecurity products are an important piece of government spending these days, and it’s essential that those products comply with critical regulatory and contractual requirements,” said Claire Sylvia, a whistleblower attorney and partner at Phillips & Cohen, in a statement. “The tech industry can expect whistleblowers to continue to step forward when serious problems are ignored, thanks to laws that reward and protect them.”