Flawed Security Gap Costs Cisco 8.6 millions to settle Federal False Claims Act Case

When selling security systems to governmental agencies such as the Federal Emergency Management Agency, Homeland Security, Secret Service, the Army,. Marine, Navy and Air Force, it’s always a good idea to make sure there are no security flaws that would allow hackers to gain unauthorized access to the video system. Once hacked, perhaps by terrorists or a foreign power, intruders are able to manipulate information, including deletion and transfer of images. In 2008 a whistleblower, John Glenn, who worked as a subcontractor to Cisco, discovered he could hack into the video software and take over the Cisco surveillance system without being detected.  This flaw could put major airports such as Los Angeles International Airport, at risk. 
   Joined by California, New York and the District of Columbia, this False Claims Act case was filed in 2011 in the Western District of New York. The government claimed the video equipment was “of no value” as it failed to meet its primary purpose of enhancing the security of the agencies that bought it. An allegation was made that the software “actually reduced” the protection provided by other security systems.  At the time of bidding, Cisco was required to represent that its surveillance products were compliant with standards promulgated by the National Institute of Standards in Technology (NIST). These standards set the minimum security requirements for technology companies to bid for federal government work. Cisco apparently knew that the Cisco VSM did not meet these standards.
The whistleblower was laid off five months after he reported the vulnerability. Up to a year after his lay off, Mr. Glenn found that he could still hack the system and decided to contact the FBI. Cisco continued to market the software until July 2013, when it finally let customers know how to fix the flaw. Cisco admitted to its customers that an attacker could gain full administrative privileges, allowing that person to change camera feeds and archives.
In the security software industry today, many large tech firms offer “bug bounties” to people who discover security flaws. Industry consultants tell us that tech providers delay reporting or repairing flaws because of the perception of “low risk”, cost of implementing fixes, or creation of new security issues as a result of fixing the old one.  Finally, once a security flaw is publicly disclosed, potential hackers may try to exploit the information.  Fortunately, no one appears to have illegally exploited the glitch and as reported by the New York Times, Cisco sold some video assets in 2015. 
      Under the False Claims Act, a whistleblower is entitled to a portion of the settlement. In this case, Mr. Glenn received more than $1 million as his whistleblower share. This is the first case to impose liability under the False Claims Act for breaching cybersecurity contracting requirements. It should serve as a reminder to all potential whistleblowers that, while health care (especially Medicare claims) remain the largest single category of false claims liability (at about 80% of all cases) numerous other areas for whistleblower litigation remain available. Stephen Danz and Associates has represented whistleblowers in health care, finance, agriculture, tax fraud (subject to different IRS whistleblower standards than the FCA), aerospace, and cost accounting fraud. 
      This web article does not constitute legal advice and no attorney-client relationship is formed until there is a signed retainer with our law firm. We welcome your inquiries by calling our senior partner Steve Danz directly at 877 789 9707 or filling out the online contact form. All inquiries are held in strict confidence. SD&A is a statewide California employee-side law firm representing whistleblowers, representing employees in federal qui tam and IRS litigation throughout the country. In most cases, two attorneys represent you the whistleblower, one of which is focused on the whistleblower claims and the other on the individual retaliation/employment rights of the whistleblower.