Search This Blog

Translate

Search Tool




Aug 1, 2019

Analysis | The Cybersecurity 202: Cisco settlement over hackable technology a warning to government contractors

By Joseph Marks



PowerPost Analysis
Analysis Interpretation of the news based on evidence, including data, as well as anticipating how events might unfold based on past events


An exterior view of Cisco Systems Inc. headquarters in Santa Clara, Calif. (AP Photo/Paul Sakuma, File)
THE KEY
The $8.6 million settlement Cisco will pay to settle claims it sold states and federal agencies hackable surveillance software marks a sea change in how seriously the government is now taking cybersecurity bugs. 
The Cisco bug, which a whistleblower first alerted the company about in 2008, was in surveillance software that ended up in schools, hospitals, airports and prisons as well as federal agencies and at least 15 state governments, as I reported yesterday.
It could have allowed hackers to spy on surveillance video footage, turn cameras on and off and delete footage. It could even have allowed those hackers to compromise other connected physical security systems such as alarms or locks. Yet the company didn’t fix the bug until 2012 – one year after the whistleblower, James Glenn, filed a lawsuit against the company.
The settlement marks the first time a company has been forced to pay out for inadequate cybersecurity protections under a federal whistleblower law that normally targets fraud and graft in federal contracts. And it’s sure to prompt other government suppliers to take a closer look at the security of the products they sell to the U.S. government. 
The federal government is reviewing its multibillion-dollar contracting enterprise, which supplies everything from military hardware to border surveillance tools but which officials have said was not designed to make cybersecurity a major consideration.
Those officials worry that federal agencies are inadvertently greenlighting a slew of hackable products for purchase by federal agencies — many of which are then also bought by states and government grant recipients such as schools and hospitals. The flawed Cisco software could be a prime example: Glenn's lawyers say it was purchased by the U.S. Secret Service, the Federal Emergency Management Agency and military services as well as prisons and police departments, including the New York Police Department.
Even Cisco says the settlement underscores how government is taking cybersecurity in the products it buys far more seriously than it used to. In a blog post yesterday, Cisco’s Chief Legal Officer Mark Chandler described the settlement as an example of “changing standards” and noted that “what seemed reasonable at one point no longer meets the needs of our stakeholders today.”
“We intend to stay ahead of what the world is willing to accept,” Chandler added.
Glenn was working for a Cisco subcontractor called NetDesign in Denmark when he first spotted the cybersecurity bug and he sent the company numerous “detailed reports” throughout 2008 “revealing that anyone with a moderate grasp of network security could exploit this software,” his lawyers told me. But Glenn never got a response, his attorneys said.
“I was very concerned about the possibility that someone might endanger public safety by hacking into government systems,” Glenn said in a statement.
Glenn filed his lawsuit under the False Claims Act, which effectively allows individuals to sue on behalf of the government if they believe a government contractor is committing fraud. The government can join the suit later and collect most of the proceeds.
In this case, the federal government and state governments that joined the suit will collect 80 percent of the $8.6 million award while Glenn and his attorneys will take 20 percent, his lawyers said.
States that joined the settlement with the Justice Department include New York, California, Illinois, Florida, Massachusetts and Virginia.
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
Not a regular subscriber?
PINGED, PATCHED, PWNED

FILE - In this July 16, 2019, file photo, a man walks across the street from a Capital One location in San Francisco. (AP Photo/Jeff Chiu, File)
PINGED: The hacker behind the Capital One breach likely also compromised the data of several other companies, multiple researchers report. Unicredit, Italy's largest bank, confirmed to Reuters it was investigating a potential breach by the same hacker and working with relevant authorities.
Vodafone, Ford, and Michigan State University also may have been impacted, according to research from CyberInt, an Israeli security firm, according to Zack Whittaker at TechCrunch. The Ohio Department of Transportation also confirmed to TechCrunch that it was hacked, but said only publicly available information was compromised. Cybersecurity blogger Brian Krebs reported potential hacks on the same entities and posted an image of files allegedly accessed by the hacker.
The Justice Department has not confirmed any additional breaches, but told Forbes' Thomas Brewster that the hacker, Paige Thompson, could be arrested for additional charges. Thompson bragged about additional hacks in a Slack channel where she admitted to hacking Capital One. Amazon, which stored the Capital One data on its cloud service, told Matt Day and Nico Grant at Bloomberg that it contacted other clients named in Thompson's online postings but found no evidence their data was accessed. (Amazon founder Jeff Bezos owns the Washington Post).

Rep. Alexandria Ocasio-Cortez, D-N.Y., attends a House Oversight Committee. (AP Photo/J. Scott Applewhite)
PATCHED: Rep. Alexandria Ocasio-Cortez (D-N.Y.) clapped back yesterday at claims from Senate Majority Leader Mitch McConnell (R-Ky.) that efforts by Democrats to pass election security legislation that he’s been blocking amounted to “modern-day McCarthyism.” 
Ocasio-Cortez described how former Sen. Joseph McCarthy (R-Wis.) lobbed baseless accusations of communist sympathy at political opponents in the 1950s in order to gin up fear and said McConnell's situation was far different:
McCarthyism is the practice of baselessly accusing political opponents of being communists as unjust grounds for targeting & harassment.
You are blocking action to protect US elections despite official DoJ pleas. That doesn’t make you a communist. It just makes you a bad leader. https://t.co/qLqR2vtOfI
— Alexandria Ocasio-Cortez (@AOC) July 30, 2019
McConnell has earned the ire of Democrats in both chambers for repeatedly blocking attempts to pass election security legislation — even after testimony from former special counsel Robert S. Mueller III. and Federal Bureau of Investigations Director Christopher A. Wray warning that foreign countries including Russia are likely to interfere in the 2020 election. 

Signage at the corporate headquarters of Equifax Inc. in Atlanta. (AP Photo/Mike Stewart, File)
PWNED: Breached consumers are likely to get a lot less than the “up to $125" first advertised from the Equifax settlement due to an “overwhelming response” from consumers, the Federal Trade Commission warned yesterday. Because the pool for cash claims was only $31 million, large demand for cash has made the size of each payout smaller
Instead, the agency is encouraging consumers to opt for the alternative settlement offer: 10 years of free credit monitoring with $1 million in fraud protection. “Frankly, the free credit monitoring is worth a lot more,” Robert Schoshinski, assistant director at the FTC's division of privacy and identity protection, wrote in a blog post.

No comments:

Post a Comment