Cisco Systems has paid out a penalty of $8.6 million after failing to disclose security holes in software it sold to the US government. Video Surveillance Manager was used by authorities like LA Airport, the Washington D.C. police and New York City's MTA. Unfortunately, the system had flaws that meant an attacker could gain control of the system, although there is no evidence that any successful attack occurred.
Whistleblower James Glenn, a Danish employee of Cisco partner Net Design, warned Cisco management in 2008 that hackers could potentially use a flaw in the camera security system to get administrative access to other parts of the network. Cisco failed to respond to his concerns so he reported them to the police, and then the FBI. The government subsequently opened a case against Cisco in 2011, but documents from this time were only recently unsealed.
Of the total fee, $1 million will go to Glenn and the rest will be paid to the affected agencies. The lawsuit marked the first time a company has made a payout under the False Claims Act for failing to meet cybersecurity standards. The False Claims Act is designed to prevent companies from defrauding the government by misrepresenting the products they sell. The settlement could pave the way for more whistleblower lawsuits in the future.
Cisco finally addressed the security issue in an update to the software released in 2013, and the company reiterated that no attacks had taken place. "There's this culture that tends to prioritize profit and reputation over doing what's right," Glenn said in a written statement, as reported by Reuters. "I hope coming forward with my experience causes others in the tech community to think about their ethical mandate."