The $8.6 million settlement Cisco will pay to settle claims it sold states and federal agencies hackable surveillance software marks a sea change in how seriously the government is now taking cybersecurity bugs.
The Cisco bug, which a whistleblower first alerted the company about in 2008, was in surveillance software that ended up in schools, hospitals, airports and prisons as well as federal agencies and at least 15 state governments, as I reported yesterday.
It could have allowed hackers to spy on surveillance video footage, turn cameras on and off and delete footage. It could even have allowed those hackers to compromise other connected physical security systems such as alarms or locks. Yet the company didn’t fix the bug until 2012 – one year after the whistleblower, James Glenn, filed a lawsuit against the company.
The settlement marks the first time a company has been forced to pay out for inadequate cybersecurity protections under a federal whistleblower law that normally targets fraud and graft in federal contracts. And it’s sure to prompt other government suppliers to take a closer look at the security of the products they sell to the U.S. government.
The federal government is reviewing its multibillion-dollar contracting enterprise, which supplies everything from military hardware to border surveillance tools but which officials have said was not designed to make cybersecurity a major consideration.
Those officials worry that federal agencies are inadvertently greenlighting a slew of hackable products for purchase by federal agencies — many of which are then also bought by states and government grant recipients such as schools and hospitals. The flawed Cisco software could be a prime example: Glenn's lawyers say it was purchased by the U.S. Secret Service, the Federal Emergency Management Agency and military services as well as prisons and police departments, including the New York Police Department.
Even Cisco says the settlement underscores how government is taking cybersecurity in the products it buys far more seriously than it used to. In a blog post yesterday, Cisco’s Chief Legal Officer Mark Chandler described the settlement as an example of “changing standards” and noted that “what seemed reasonable at one point no longer meets the needs of our stakeholders today.”
“We intend to stay ahead of what the world is willing to accept,” Chandler added.
Glenn was working for a Cisco subcontractor called NetDesign in Denmark when he first spotted the cybersecurity bug and he sent the company numerous “detailed reports” throughout 2008 “revealing that anyone with a moderate grasp of network security could exploit this software,” his lawyers told me. But Glenn never got a response, his attorneys said.
“I was very concerned about the possibility that someone might endanger public safety by hacking into government systems,” Glenn said in a statement.
Glenn filed his lawsuit under the False Claims Act, which effectively allows individuals to sue on behalf of the government if they believe a government contractor is committing fraud. The government can join the suit later and collect most of the proceeds.
In this case, the federal government and state governments that joined the suit will collect 80 percent of the $8.6 million award while Glenn and his attorneys will take 20 percent, his lawyers said.
States that joined the settlement with the Justice Department include New York, California, Illinois, Florida, Massachusetts and Virginia.
PINGED: The hacker behind the Capital One breach likely also compromised the data of several other companies, multiple researchers report. Unicredit, Italy's largest bank, confirmed to Reuters it was investigating a potential breach by the same hacker and working with relevant authorities.
Vodafone, Ford, and Michigan State University also may have been impacted, according to research from CyberInt, an Israeli security firm, according to Zack Whittaker at TechCrunch. The Ohio Department of Transportation also confirmed to TechCrunch that it was hacked, but said only publicly available information was compromised. Cybersecurity blogger Brian Krebs reported potential hacks on the same entities and posted an image of files allegedly accessed by the hacker.
The Justice Department has not confirmed any additional breaches, but told Forbes' Thomas Brewster that the hacker, Paige Thompson, could be arrested for additional charges. Thompson bragged about additional hacks in a Slack channel where she admitted to hacking Capital One. Amazon, which stored the Capital One data on its cloud service, told Matt Day and Nico Grant at Bloomberg that it contacted other clients named in Thompson's online postings but found no evidence their data was accessed. (Amazon founder Jeff Bezos owns the Washington Post).
PATCHED: Rep. Alexandria Ocasio-Cortez (D-N.Y.) clapped back yesterday at claims from Senate Majority Leader Mitch McConnell (R-Ky.) that efforts by Democrats to pass election security legislation that he’s been blocking amounted to “modern-day McCarthyism.”
Ocasio-Cortez described how former Sen. Joseph McCarthy (R-Wis.) lobbed baseless accusations of communist sympathy at political opponents in the 1950s in order to gin up fear and said McConnell's situation was far different:
McCarthyism is the practice of baselessly accusing political opponents of being communists as unjust grounds for targeting & harassment.— Alexandria Ocasio-Cortez (@AOC) July 30, 2019
You are blocking action to protect US elections despite official DoJ pleas. That doesn’t make you a communist. It just makes you a bad leader. https://t.co/qLqR2vtOfI
McConnell has earned the ire of Democrats in both chambers for repeatedly blocking attempts to pass election security legislation — even after testimony from former special counsel Robert S. Mueller III. and Federal Bureau of Investigations Director Christopher A. Wray warning that foreign countries including Russia are likely to interfere in the 2020 election.
PWNED: Breached consumers are likely to get a lot less than the “up to $125" first advertised from the Equifax settlement due to an “overwhelming response” from consumers, the Federal Trade Commission warned yesterday. Because the pool for cash claims was only $31 million, large demand for cash has made the size of each payout smaller.
Instead, the agency is encouraging consumers to opt for the alternative settlement offer: 10 years of free credit monitoring with $1 million in fraud protection. “Frankly, the free credit monitoring is worth a lot more,” Robert Schoshinski, assistant director at the FTC's division of privacy and identity protection, wrote in a blog post.
Needless to say, not everyone was thrilled with the FTC's news.
The New York Times' tech reporter Mike Isaac slammed the agency for not being prepared to actually meet the number of claimants:
this is such a lame sentence, essentially admitting they relied on relatively few claimants— rat king (@MikeIsaac) July 31, 2019
almost like byzantine solutions are baked into the settlement outcome itself pic.twitter.com/wn42PyVxib
Whitney Merrill, a privacy lawyer at BrexHQ and former FTC lawyer called the deal a "bait and switch."
I defend the @FTC a lot, but not foreseeing that lots of people would choose the $125 option is a huge mistake because we now feel deceived by the settlement notice - a bait and switch. https://t.co/nyvCpxA46r— Whitney Merrill (@wbm312) July 31, 2019
Berkeley law professor Chris Hoofnagle pointed out that opting for credit monitoring might be a valuable service, but it also gives those services the right to sell your data.
— Cybersecurity news from the public sector:
— Cybersecurity news from the private sector:
— Cybersecurity news from abroad:
- The Black Hat USA conference will take place August 3-8 in Las Vegas.