Cisco to pay $8.6 million for supplying the US government with software known to be insecure
Cisco has agreed to pay $8.6 million to settle a claim that it sold video surveillance software to the American government even though it was aware it contained security vulnerabilities.
The case was brought under the False Claims Act on behalf of the federal government and fifteen US states after Homeland Security, the Secret Service, the Army, the Navy, the Marines, the Air Force and the Federal Emergency Management Agency all purchased the flawed software from Cisco. Rather than improving security as intended, the complaint argued, Cisco's software actually made the purchasing agencies' systems less secure.
Details of the complaint have just been unsealed, and they show the government arguing that the software failed to "meet its primary purpose: enhancing the security of the agencies that purchase it", rendering it "of no value".
The security flaws were discovered back in 2008 by whistleblower James Glenn. He found that an attacker could bypass the software's access controls to reach the video surveillance systems it managed and manipulate them. Despite having been made aware of the vulnerabilities, Cisco continued to sell the insecure software until 2013, when it finally disclosed and addressed them.
In a statement Glenn said:
The tech industry does not fulfil its professional responsibility to protect the public from its products and services. There is this culture that tends to prioritise profit and reputation over doing what is right. I hope coming forward with my experience causes others in tech companies to think about their ethical mandate.
The former Cisco contractor will receive more than $1 million of the settlement payment, with the remainder going to the federal government and state buyers.
Cisco spokeswoman Robyn Blum said:
We are pleased to have resolved a 2011 dispute involving the architecture of a video security technology product. There was no allegation or evidence that any unauthorized access to customers’ video occurred as a result of the architecture.