Cisco Shells Out $8.6 Million For Selling The Government Easily Hackable Tech

from the ill-communication dept

Not keen on competing with cheaper Chinese hardware, Cisco has long lobbied the US government to hamstring Chinese competitors like Huawei over lax security practices. At the beginning of this decade, as Huawei began to make inroads into US markets, Cisco could frequently be found trying to gin up lawmaker angst on the subject for obvious financial gain. And while Huawei (like most telecom giants) certainly does dumb and unethical things, it’s fairly obvious that at least a portion of our recent hyperventilation over (so far unproven) allegations that Huawei spies on Americans is good old fashioned protectionism.

Fast forward to this week, when new reports suggested that Cisco should have spent a little more time worrying about its own products. The company agreed to pay the government $8.6 million after it was found to have routinely sold the government hackable video surveillance gear, then done nothing to secure the devices once they were in the wild. For years. The vulnerable gear, exposed by a whistleblower working for a Cisco subcontractor, was sold to a variety of hospitals, airports, schools, state governments and federal agencies.

And while news of the scandal was buried underneath the other, more notable privacy and security scandals of the day, the flaws were not what you’d call modest:

“Hackers could use the flaw not just to spy on video footage but to turn surveillance cameras on and off, delete footage and even potentially compromise other connected physical security systems such as alarms or locks, all without being detected, said Hamsa Mahendranathan, an attorney at Constantine Cannon, which represented the whistleblower James Glenn.”

Cisco states that there’s no evidence that these vulnerabilities were exploited, though that seems like an impossible claim to make given the scope of the impacted products, many of which aren’t even still in circulation. Glenn suggested the vulnerabilities were “trivial” to exploit. He also noted that despite being aware of the issue, Cisco left the cameras unfixed for four years, opening it to liability given its contractor relationship with the government:

“Glenn, during his work at a Cisco subcontractor called NetDesign over the course of 2008, sent the company “detailed reports … revealing that anyone with a moderate grasp of network security could exploit this software,” but he never got a response, his attorneys said. Glenn was fired by NetDesign in 2009, his attorneys said. They are not alleging that dismissal was in retaliation for pointing out the flaw. He filed the whistleblower lawsuit two years later.”

The settlement (astonishingly) marks the first time in US history that a government contractor has been forced to pay out under a federal whistleblower law for failing to have adequate cybersecurity protections, though it’s unlikely to be the last. After the Washington Post broke the story, the New York Times found that the settlement will be doled out to an array of US government agencies, including FEMA, Homeland Security, the Secret Service, and all four branches of the military.

Companies: cisco, huawei


Comments on “Cisco Shells Out $8.6 Million For Selling The Government Easily Hackable Tech”

Anonymous Coward says:

Re: Re:

Does anyone think Cisco’s costs to fix the problem would be anywhere under $8.6 million?

Most assuredly it would have. Assuming the average software developer’s salary at Cisco is $100,000 / year, $8.6 million would be enough to have 86 developers work for a year to fix the problem.

It wouldn’t take that many or that long.

Most of these exploits are going to be caused by very basic flaws whose solutions are well-documented both inside Cisco and across the internet. I’d estimate the issues could be fixed with a team of 5-6 engineers in the course of about 3-4 months.

Can anyone point to a fine that was more than the net gain resulting from the fined behavior? Shouldn’t fines be a negative incentive? WTF is wrong with this picture?

The real problem is that the people who made the decision not to fix won’t be held accountable since they’re either a. no longer with Cisco, or b. no longer part of the engineering team that caused the problems in the first place.

Essentially, the only people who would feel anything from this are the company’s execs via a dip in stock price (due to angry/spooked shareholders), but that wouldn’t last long. That said, with the trade war with China taking center stage in the investment arena, it’s doubtful they’ll even notice.

mechtheist (profile) says:

Re: Re: Re:

You’re only looking at the engineering cost to figure out the fix. What about implementation, notification, tech support, PR, etc.? It’s common to see fines that are less than 10%, even 1%, of the profits a corp earned from the behavior being fined; the fines are easily absorbed, looked at as a minor cost, not anything that could deter the behavior. If you want to stop the behavior, I agree, hold execs to account, but fines that would significantly hurt the corporation would also work; best to do both. One way to do this would be fines figured at, say, 500% of the excess profits. That would get their attention.
