The $8.6 million settlement Cisco will pay to settle claims it sold states and federal agencies hackable surveillance software marks a sea change in how seriously the government is now taking cybersecurity bugs. 

The Cisco bug, which a whistleblower first alerted the company about in 2008, was in surveillance software that ended up in schools, hospitals, airports and prisons as well as federal agencies and at least 15 state governments, as I reported yesterday.

It could have allowed hackers to spy on surveillance video footage, turn cameras on and off and delete footage. It could even have allowed those hackers to compromise other connected physical security systems such as alarms or locks. Yet the company didn’t fix the bug until 2012 – one year after the whistleblower, James Glenn, filed a lawsuit against the company.

The settlement marks the first time a company has been forced to pay out for inadequate cybersecurity protections under a federal whistleblower law that normally targets fraud and graft in federal contracts. And it’s sure to prompt other government suppliers to take a closer look at the security of the products they sell to the U.S. government. 

The federal government is reviewing its multibillion-dollar contracting enterprise, which supplies everything from military hardware to border surveillance tools but which officials have said was not designed to make cybersecurity a major consideration.

Those officials worry that federal agencies are inadvertently greenlighting a slew of hackable products for purchase by federal agencies — many of which are then also bought by states and government grant recipients such as schools and hospitals. The flawed Cisco software could be a prime example: Glenn's lawyers say it was purchased by the U.S. Secret Service, the Federal Emergency Management Agency and military services as well as prisons and police departments, including the New York Police Department. 

Even Cisco says the settlement underscores how government is taking cybersecurity in the products it buys far more seriously than it used to. In a blog post yesterday, Cisco’s Chief Legal Officer Mark Chandler described the settlement as an example of “changing standards” and noted that “what seemed reasonable at one point no longer meets the needs of our stakeholders today.”

“We intend to stay ahead of what the world is willing to accept,” Chandler added.

Glenn was working for a Cisco subcontractor called NetDesign in Denmark when he first spotted the cybersecurity bug and he sent the company numerous “detailed reports” throughout 2008 “revealing that anyone with a moderate grasp of network security could exploit this software,” his lawyers told me. But Glenn never got a response, his attorneys said.

“I was very concerned about the possibility that someone might endanger public safety by hacking into government systems,” Glenn said in a statement.

Glenn filed his lawsuit under the False Claims Act, which effectively allows individuals to sue on behalf of the government if they believe a government contractor is committing fraud. The government can join the suit later and collect most of the proceeds.

In this case, the federal government and state governments that joined the suit will collect 80 percent of the $8.6 million award while Glenn and his attorneys will take 20 percent, his lawyers said.

States that joined the settlement with the Justice Department include New York, California, Illinois, Florida, Massachusetts and Virginia.

PINGED: The hacker behind the Capital One breach likely also compromised the data of several other companies, multiple researchers report. UniCredit, Italy's largest bank, confirmed to Reuters it was investigating a potential breach by the same hacker and working with relevant authorities.

Vodafone, Ford, and Michigan State University also may have been impacted, according to research from CyberInt, an Israeli security firm, Zack Whittaker at TechCrunch reports. The Ohio Department of Transportation also confirmed to TechCrunch that it was hacked, but said only publicly available information was compromised. Cybersecurity blogger Brian Krebs reported potential hacks on the same entities and posted an image of files allegedly accessed by the hacker.

The Justice Department has not confirmed any additional breaches, but told Forbes' Thomas Brewster that the hacker, Paige Thompson, could be arrested for additional charges. Thompson bragged about additional hacks in a Slack channel where she admitted to hacking Capital One. Amazon, which stored the Capital One data on its cloud service, told Matt Day and Nico Grant at Bloomberg that it contacted other clients named in Thompson's online postings but found no evidence their data was accessed. (Amazon founder Jeff Bezos owns the Washington Post).

PATCHED: Rep. Alexandria Ocasio-Cortez (D-N.Y.) clapped back yesterday at claims from Senate Majority Leader Mitch McConnell (R-Ky.) that efforts by Democrats to pass election security legislation that he’s been blocking amounted to “modern-day McCarthyism.” 

Ocasio-Cortez described how former Sen. Joseph McCarthy (R-Wis.) lobbed baseless accusations of communist sympathy at political opponents in the 1950s in order to gin up fear and said McConnell's situation was far different:

McConnell has earned the ire of Democrats in both chambers for repeatedly blocking attempts to pass election security legislation — even after testimony from former special counsel Robert S. Mueller III and Federal Bureau of Investigation Director Christopher A. Wray warning that foreign countries including Russia are likely to interfere in the 2020 election.

PWNED: Breached consumers are likely to get a lot less than the “up to $125” first advertised from the Equifax settlement due to an “overwhelming response” from consumers, the Federal Trade Commission warned yesterday. Because the pool for cash claims was only $31 million, large demand for cash has made the size of each payout smaller.

Instead, the agency is encouraging consumers to opt for the alternative settlement offer: 10 years of free credit monitoring with $1 million in fraud protection. “Frankly, the free credit monitoring is worth a lot more,” Robert Schoshinski, assistant director at the FTC's division of privacy and identity protection, wrote in a blog post.

Needless to say, not everyone was thrilled with the FTC's news.

The New York Times' tech reporter Mike Isaac slammed the agency for not being prepared to actually meet the number of claimants: 

Whitney Merrill, a privacy lawyer at BrexHQ and former FTC lawyer, called the deal a "bait and switch."

Berkeley law professor Chris Hoofnagle pointed out that opting for credit monitoring might be a valuable service, but it also gives those services the right to sell your data.

— Cybersecurity news from the public sector:

Sens. Mike Crapo (R-Idaho) and Mark Warner (D-Va.) introduced legislation Tuesday intended to secure U.S. technological supply chains from exploitation from countries such as China. (The Hill)

The Department of Defense continues to buy millions of dollars in commercial off-the-shelf technology with known cybersecurity vulnerabilities, a watchdog report published last week found.

The classified artificial brain being developed by US intelligence programs. (The Verge)

— Cybersecurity news from the private sector:

A previously undocumented hacking group has been targeting oil and gas companies along with telecommunications providers from Africa to Central Asia to the Middle East, the industrial cybersecurity company Dragos said Thursday.

An exposed database at automotive giant Honda allowed anyone to see which systems on its network were vulnerable to unpatched security flaws, potentially giving hackers insider knowledge of the company’s weak points.

The breach disclosed by Capital One this week highlights an uncomfortable truth: It’s almost impossible to stop a determined hacker with inside knowledge of a firm’s systems. (Wall Street Journal)

Pearson, the British maker of educational software, is warning school districts that a far-reaching data breach has exposed details on thousands of students, chiefly in the U.S. (Wall Street Journal)

More patient records were leaked in the first half of 2019 than in all of 2018.

— Cybersecurity news from abroad:

Priti Patel calls for access to users’ data on messaging apps. (The Independent)

Coming up: