
Will Cisco pay all its customers for selling vulnerable products as it paid US government?

It is no longer uncommon to hear of cases in which technology companies deliberately conceal security issues in their products or services. This time the company involved is Cisco, which has just agreed to pay $8.6M USD after admitting that it sold surveillance software vulnerable to multiple kinds of cyberattack, system audit experts report.

As mentioned, the company was fully aware of the security flaws in the software in question, yet it kept selling it to hospitals and other organizations without releasing patches for more than 4 years. The settlement was announced by the U.S. Department of Justice (DOJ).

After extensive investigation, system audit experts concluded that the software flaws could be exploited by attackers to access surveillance systems, turn cameras on or off at will, delete recordings and even compromise other devices connected to the monitoring system, such as alarms or electric locks. Worse still, the vulnerabilities were easy for any attacker to exploit.

A spokesman for the company said it was pleased to have reached an arrangement with the U.S. authorities: “We have solved this incident; I would like to add that there is no evidence or complaints about possible unauthorized access to our customers’ surveillance systems as a result of these software flaws,” the Cisco spokesperson said. However, James Glenn, the whistleblower in the case, points out that an attacker could have compromised surveillance systems without being detected.

This case may set an important precedent, as it is the first time a technology company has been required to pay compensation for failing to build adequate cybersecurity measures into its products, system audit experts report.

In addition, the U.S. government is subjecting its multimillion-dollar contracts with technology companies to extensive scrutiny, as some officials have acknowledged that cybersecurity was not a factor considered when those agreements were signed. Many experts are concerned that the government will authorize the purchase of technology products and services that are very easy to hack, compromising sensitive information in more ways than we might think.

“This is the case for this specific Cisco product. Agencies such as the Secret Service, the Federal Emergency Management Agency, and some military facilities used the compromised software; even the New York police and some prisons had this system,” said system audit experts.

The information revealed by Glenn, who used to work for a Danish company associated with Cisco, supported a lawsuit filed in a New York District Court under the False Claims Act, which allows individuals to sue on behalf of the government in cases where a company may have committed fraud. As the act permits, the federal government and some state governments joined the lawsuit against Cisco; 80% of the compensation will go to the governments, while the remaining 20% will go to Glenn and his legal advisers.

Reports from experts at the International Institute of Cyber Security (IICS) state that Glenn reported these security flaws repeatedly while working for NetDesign, a Cisco subcontractor. However, he never obtained a satisfactory response from the company, and he was eventually dismissed in 2009.
