Cisco Shells Out $8.6 Million For Selling The Government Easily Hackable Tech

from the ill-communication dept

Not keen on competing with cheaper Chinese hardware, Cisco has long lobbied the US government to hamstring Chinese competitors like Huawei for lax security practices. At the beginning of this decade, as Huawei began to make inroads into US markets, Cisco could frequently be found trying to gin up lawmaker angst on this subject for obvious financial gain. And while Huawei (like most telecom giants) certainly does dumb and unethical things, it's fairly obvious that at least a portion of our recent hyperventilation over (so far unproven) allegations that Huawei spies on Americans is good old-fashioned protectionism.

Fast forward to this week, when new reports suggested that Cisco should have spent a little more time worrying about its own products. The company was required to pay the government $8.6 million after it was found that the company had routinely sold the government hackable video cameras, then did nothing to secure the devices once they were in the wild. For years. The vulnerable gear, exposed by a Cisco whistleblower, was sold to a variety of hospitals, airports, schools, state governments and federal agencies.

And while news of the scandal was buried underneath the other, more notable privacy and security scandals of the day, the flaws were not what you'd call modest:

"Hackers could use the flaw not just to spy on video footage but to turn surveillance cameras on and off, delete footage and even potentially compromise other connected physical security systems such as alarms or locks — all without being detected, said Hamsa Mahendranathan, an attorney at Constantine Cannon, which represented the whistleblower James Glenn."

Cisco states that there's no evidence that these vulnerabilities were exploited, though that seems like an impossible claim to make given the scope of the impacted products, many of which are no longer even in circulation. Glenn suggested the vulnerabilities were "trivial" to exploit. He also noted that despite being aware of the issue, Cisco left the cameras unfixed for four years, opening it up to liability given its contractor relationship with the government:

"Glenn, during his work at a Cisco subcontractor called NetDesign over the course of 2008, sent the company “detailed reports … revealing that anyone with a moderate grasp of network security could exploit this software,” but he never got a response, his attorneys said. Glenn was fired by NetDesign in 2009, his attorneys said. They are not alleging that dismissal was in retaliation for pointing out the flaw. He filed the whistleblower lawsuit two years later."

The settlement (astonishingly) marks the first time in US history that a government contractor has been forced to pay out under a federal whistleblower law for failing to have adequate cybersecurity protections, though it's unlikely to be the last. After the Washington Post broke the story, the New York Times found that the settlement will be doled out to an array of US government agencies, including FEMA, Homeland Security, the Secret Service, and all four branches of the military.

Companies: cisco, huawei


Reader Comments



  • reader50 (profile), 5 Aug 2019 @ 6:13pm

    How much went to John Glenn?

    Millions saved for the government. All it took was a whistleblower willing to sacrifice his career. So did he get anything?


  • That Anonymous Coward (profile), 5 Aug 2019 @ 7:24pm

    Huawei, how are ya?

    We blatantly blamed others for doing bad things while we kept shipping our easily hacked crap.


  • Avideogameplayer, 6 Aug 2019 @ 3:25am

    I find it ironic that the government wants hackable tech for everyone else but themselves. Hypocrites.


  • mechtheist (profile), 6 Aug 2019 @ 5:06am

    Does anyone think Cisco's costs to fix the problem would be anywhere under $8.6 million? Can anyone point to a fine that was more than the net gain resulting from the fined behavior? Shouldn't fines be a negative incentive? WTF is wrong with this picture?


    • Anonymous Coward, 6 Aug 2019 @ 8:56am

      Re:

      Does anyone think Cisco's costs to fix the problem would be anywhere under $8.6 million?

      Most assuredly it would have. Assuming the average software developer's salary at Cisco is $100,000 / year, $8.6 million would be enough to have 86 developers work for a year to fix the problem.

      It wouldn't take that many or that long.

      Most of these exploits are going to be caused by very basic flaws whose solutions are well-documented both inside Cisco and across the internet. I'd estimate the issues could be fixed with a team of 5-6 engineers in the course of about 3-4 months.

      Can anyone point to a fine that was more than the net gain resulting from the fined behavior? Shouldn't fines be a negative incentive? WTF is wrong with this picture?

      The real problem is that the people who made the decision not to fix won't be held accountable since they're either a. no longer with Cisco, or b. no longer part of the engineering team that caused the problems in the first place.

      Essentially, the only people who would feel anything from this are the company's execs via a dip in stock price (due to angry/spooked shareholders), but that wouldn't last long. That said, with the trade war with China taking center stage in the investment arena, it's doubtful they'll even notice.


      • mechtheist (profile), 6 Aug 2019 @ 11:06am

        Re: Re:

        You're only looking at the engineering cost to figure out the fix. What about implementation, notification, tech support, PR, etc.? It's common to see fines that are less than 10%, even 1%, of the profits a corp earned from the behavior being fined; the fines are easily absorbed, looked at as a minor cost, not anything that could deter the behavior. If you want to stop the behavior, I agree, hold execs to account, but fines that would significantly hurt the corporation would also work; best to do both. One way to do this would be fines figured at, say, 500% of the excess profits. That would get their attention.


