Cisco suit proves dodgy software cover-ups are a bigger risk than evil back doors

via Flickr © zigazou76  (CC BY 2.0)

via Flickr © zigazou76 (CC BY 2.0)

  • Vendor sold vulnerable surveillance kit to several US federal agencies
  • Whistleblower who found and tried to fix the problem was fired
  • Cisco to pay $8.6m settlement, issues grudging non-apology

Donald Trump needn't worry about Huawei posing threats to US national security, not when he has good ol' homegrown Cisco to do it for him.

The networking giant has just agreed to pay $8.6 million to settle a lawsuit brought by the government and whistleblower James Glenn, relating to historic security flaws in Cisco's Video Surveillance Manager (VSM) software.

Glenn is a US citizen who worked for Cisco partner NetDesign in Denmark. According to the lawsuit, filed in 2011 but only unsealed this week, Glenn made NetDesign and Cisco aware of the vulnerabilities in 2008, only to be fired months later.

The Department of Homeland Security, the Secret Service Procurement Division, the Department of Defense Biometrics Task Force Headquarters, the Federal Emergency Management Agency, NASA, the Army, the Navy, the Air Force, the Marine Corps, and the Patent and Trademark Office are just some of the Cisco customers that purchased this software.

Despite being aware of the security flaws, the lawsuit alleged that Cisco failed to notify the government about them, and instead continued to sell its vulnerable VSM.

Not sounding very sorry

In a blog post, Cisco general counsel Mark Chandler gave a masterclass in deflecting blame and not explicitly apologising.

He wrote that the vulnerability was inherited from Broadware, a company Cisco acquired in 2007. He said that a Cisco best practices guide published in 2009 – after Glenn blew the whistle – urged customers to "pay special attention" to implementing security features on top of the VSM. Cisco didn't release updated software until 2013, after it had been taken to court. It didn't withdraw the older, vulnerable software from sale until September 2014.

"While this is a legacy issue which no longer exists, it matters to us to recognise that times and expectations have changed," Chandler said.

I'm no expert, but I'm fairly confident that even a decade ago, government agencies didn't expect their video surveillance software to be, according to the lawsuit, "riddled with serious security defects."

It also doesn't take an expert to conclude that a decade ago, best practice would have been to inform customers about any known security defects as and when they emerged.

Once more, I'm also fairly confident that a decade ago, it would still have been frowned upon to fire whoever used official internal channels to highlight the problem in a bid to resolve it.

On a broader level though, what this case highlights is just how ridiculous it is to single out individual companies like Huawei as posing a threat to national security purely for political reasons.

The reality is, even so-called 'friendly' suppliers, either by accident or design, could leave networks vulnerable to attack.

Email Newsletters

Sign up to receive TelecomTV's top news and videos, plus exclusive subscriber-only content direct to your inbox.