Cisco Shells Out $8.6 Million For Selling The Government Easily Hackable Tech
from the ill-communication dept
Not keen on competing with cheaper Chinese hardware, Cisco has long lobbied the US government to hamstring Chinese competitors like Huawei for lax security practices. At the beginning of this decade as Huawei began to make inroads into US markets, Cisco could frequently be found trying to gin up lawmaker angst on this subject for obvious, financial gain. And while Huawei (like most telecom giants) certainly does dumb and unethical things, it's fairly obvious that at least a portion of our recent hyperventilation over (so far unproven) allegations that Huawei spies on Americans is good old fashioned protectionism.
Fast forward to this week, when new reports suggested that Cisco should have spent a little more time worrying about its own products. The company was required to pay the government $8.6 million after it was found the company routinely sold the government hackable video cameras, then did nothing to secure the devices once they were in the wild. For years. The vulnerable gear, exposed by a Cisco whistleblower, was sold to a variety of hospitals, airports, schools, state governments and federal agencies.
And while news of the scandal was buried underneath the other, more notable privacy and security scandals of the day, the flaws were not what you'd call modest:
"Hackers could use the flaw not just to spy on video footage but to turn surveillance cameras on and off, delete footage and even potentially compromise other connected physical security systems such as alarms or locks — all without being detected, said Hamsa Mahendranathan, an attorney at Constantine Cannon, which represented the whistleblower James Glenn."
Cisco states that there's no evidence that these vulnerabilities were exploited, though that seems like an impossible claim to make given the scope of the impacted products, many of which aren't even still in circulation. Glenn suggested the vulnerabilities were "trivial" to exploit. He also noted that despite being aware of the issue, Cisco left the cameras unfixed for four years, opening to liability given its contractor relationship to government:
"Glenn, during his work at a Cisco subcontractor called NetDesign over the course of 2008, sent the company “detailed reports … revealing that anyone with a moderate grasp of network security could exploit this software,” but he never got a response, his attorneys said. Glenn was fired by NetDesign in 2009, his attorneys said. They are not alleging that dismissal was in retaliation for pointing out the flaw. He filed the whistleblower lawsuit two years later."
The settlement (astonishingly) marks the first time in US history that a government contractor has been forced to pay out under a federal whistleblower law for failing to have adequate cybersecurity protections, though it's unlikely to be the last. After the Washington Post broke the story, the New York Times found that the settlement will be doled out to an array of US government agencies, including FEMA, Homeland Security, the Secret Service, and all four branches of the military.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
How much went to John Glenn?
Millions saved for the government. All it took was a whistleblower willing to sacrifice his career. So did he get anything?
[ link to this | view in chronology ]
Re: How much went to John Glenn?
The estate of John Glenn thanks your interest in this matter. However, [points to the attorneys for James Glenn].
[ link to this | view in chronology ]
Re: How much went to John Glenn?
The whistle blower will get 1.72 million according to https://www.marketwatch.com/story/ex-cisco-security-expert-wins-settlement-in-whistleblower-case-201 9-07-31
[ link to this | view in chronology ]
Huawei, how are ya?
We blatantly blamed others for doing bad things while we kept shipping our easily hacked crap.
[ link to this | view in chronology ]
I find it ironic that the government wants hackable tech for everyone else but themselves. Hypocrites.
[ link to this | view in chronology ]
Does anyone think Cisco's costs to fix the problem would be anywhere under $8.6 million? Can anyone point to a fine that was more than the net gain resulting from the fined behavior? Shouldn't fines be a negative incentive? WTF is wrong with this picture?
[ link to this | view in chronology ]
Re:
Most assuredly it would have. Assuming the average software developer's salary at CIsco is $100,000 / year, $8.6 million be enough to have 86 developers work for a year to fix the problem.
It wouldn't take that many or that long.
Most of these exploits are going to be caused by very basic flaws whose solutions are well-documented both inside Cisco and across the internet. I'd estimate the issues could be fixed with a team of 5-6 engineers in the course of about 3-4 months.
The real problem is that the people who made the decision not to fix won't be held accountable since they're either a. no longer with Cisco, or b. no longer part of the team engineering team that caused the problems in the first place.
Essentially, the only people who would feel anything from this are the company's execs via a dip in stock price (do to angry/spooked shareholders), but that wouldn't last long. That said, with the trade-war with China taking center stage in the investment arena, it's doubtful they'll even notice.
[ link to this | view in chronology ]
Re: Re:
You're only looking at the engineering cost to figure out the fix. What about implementation, notification, tech support, PR, etc? It's common to see fines that are less than 10%, even 1% of the profits a corp earned from the behavior being fined, the fines easily absorbed, looked at as a minor cost, not anything that could deter the behavior. If you want to stop the behavior, I agree, hold execs to account, but fines that would significantly hurt the corporation would also work, best to do both. One way to do this would be fines figured at say, 500% of the excess profits, that would et their attention.
[ link to this | view in chronology ]