We recently saw the first settlement by a company charged under the False Claims Act for failing to meet cyber security standards. Is there more to come?
The original version of this post was published in Forbes.
Who says a 156-year-old law can’t be relevant today?
Probably not James Glenn, the whistleblower who is expected to receive about $1 million as part of an $8.6 million settlement Cisco agreed to pay for violating the False Claims Act by selling video surveillance equipment that it knew had security defects to government agencies.
The company knew because Glenn let them know—back in 2008.
The False Claims Act, sometimes known as the “Lincoln law,” was enacted in 1863, by a Congress concerned that suppliers of goods to the Union Army were defrauding it.
See—supply chain problems go way back.
But yes, the kinds of supplies have changed. The Cisco settlement, which concluded a lawsuit filed by Glenn plus 18 states and the District of Columbia in 2011, is said to be the first time a company has made a payment under that law for a failure to meet security standards—in this case, software security standards.
Therefore, it sets a precedent. Reportedly there are hundreds of false-claim suits filed every year because there are built-in rewards for whistleblowers who make credible claims and do it privately.
That is now expected to expand rapidly into cyber security, since many government contracts require vendors to pledge that their products meet government security standards. Rather than, as the cliché says, the truth hurts, not telling the truth could hurt more.
But even if it does, will that really move the needle in the right direction? Will the threat of false claims suits push companies to get religion on software security? Perhaps, but it doesn’t look like a slam dunk.
First, it took more than a decade from Glenn’s notification of the vulnerabilities for the case to reach this point—multiple generations in the world of cyber.
According to the complaint, unsealed late last month, it was 2008 when Glenn, then working at a Cisco partner in Denmark called NetDesign, warned Cisco that a hacker who got into a camera that was part of Cisco’s Video Surveillance Manager (VSM) could use software vulnerabilities to get administrative control of the entire network. The suit said a hacker could then potentially move beyond the video system.
Glenn did notify the company privately at first. But between 2008 and the filing of the suit in 2011, he lost his job in what NetDesign said was a cost-cutting measure.
Meanwhile, as the 2011 complaint put it: “Unfortunately for purchasers of the Video Surveillance Manager, the product … has several critical security flaws. These flaws are so severe that they not only render the VSM product fatally insecure, but also compromise the security of any other computer or system connected to the VSM product.”
Among the government customers using the VSM: the Pentagon, U.S. Secret Service, Department of Homeland Security, the Army, Navy, Marine Corps and the Federal Emergency Management Agency, plus police stations, prisons and schools.
It was also used by Amtrak and commercial airports, including Los Angeles International, Chicago’s Midway and Auckland airport, New Zealand’s largest.
Yet it wasn’t until 2013, five years after Glenn’s notification, that Cisco issued an alert acknowledging “multiple security vulnerabilities” in the VSM software.
Even now, the company isn’t apologizing for selling its customers defective equipment that was supposed to help guard critical installations.
Company spokeswoman Robyn Blum described the case as a “dispute involving the architecture” of the VSM, adding, “There was no allegation or evidence that any unauthorized access to customers’ video occurred as a result of the architecture.”
Sort of the “no harm, no foul” defense.
Then there is the amount of the settlement. While $8.6 million—even Glenn’s $1 million—would be significant for most individuals, as a percentage of Cisco’s market value, it’s not even a rounding error—less than a tenth of 1% of the $213 billion the company is worth.
That doesn’t qualify as even a slap on the wrist. It’s vastly less than the close to $300 million that a 2013 breach cost retailer Target, although about $100 million of that was covered by insurance.
Also, the money that doesn’t go to Glenn will be spread among various customers, including multiple federal government departments, and, of course, the lawyers.
Still, experts say the precedent could, ultimately, have some potency. Jim Gettys, an internet system architect and CTO of Muinin, Inc., said whether this specific settlement is reasonable depends on whether the damage was real—and there was no evidence of actual damage presented in court.
But the precedent likely means “it won’t take so long the next time to deal with an issue,” he said.
Art Manion, vulnerability analysis technology manager at the CERT division of the Carnegie Mellon University Software Engineering Institute (SEI), says he thinks it something of an “oddity” that Cisco apparently didn’t address this vulnerability since “there is a lot of history—a lot of public evidence of Cisco fixing things.”
Indeed, just this week Cisco announced the release of patches to several vulnerabilities in its Small Business 220 Series Smart Switches, including two with a severity rating of critical.
But Manion says he thinks the effect of the precedent set by the settlement will extend well beyond connected products like video surveillance systems sold to government or major businesses. “A lot of things we use every day are connected computers—cars, refrigerators etc.,” he says. “That’s where you’re going to see legal action.”
The reality is that “all modern software has bugs and vulnerabilities, and some are going to get reported. We shouldn’t expect it to be perfect, but when things are found, they should be fixed,” he says.
Don’t expect improvements to be quick, or even a sure thing, though. There have been regular headlines going back more than a decade about catastrophic data breaches. Major security conferences all over the world are filled with workshops, lectures and keynotes about “shifting left” to “build security in” to software as it’s being developed, rather than trying to patch it on after a product is on the market and being exploited. But that hasn’t led to a revolution in security.
“At SEI we’re big proponents of shift left,” Manion says. “Ultimately it is less expensive. Yet here we are after many decades, still producing software with latent vulnerabilities.”
Michael Fabian, principal consultant at Synopsys, makes the same point. “As we have seen time and time again, what you want as a security person, and expect, rarely happens. Here we are 20 years later still with SQLi [SQL injection] as the top vulnerability,” he said.
“I found some old hacking magazines from about 10 years ago, and all of the articles are still relevant. So I don’t think this will move the needle or change anything at all.”
A prime reason for that reality is that building security into products does take time and money and is not nearly as flashy, nor does it create the same immediate gratification, as convenience and features.
“One fundamental problem is that software needs to be maintained for the life of the hardware it runs on,” Gettys said, adding that another disincentive for companies to take security seriously is that “those who pay for bad security in the end may not be the company that makes the mistake or deploys the insecure applications. Think Equifax.”
Steve Klos, a subject matter expert in IT asset management at 1E, said most vendors “develop software and systems that they can promote and sell—generally that means the focus is on creating a new bright, shiny feature rather than making the software and systems more robust and manageable.”
In other words, even the threat of looming false-claim suits may not move the software security needle that much until failure to do so hurts—really hurts.
What will it take? “More disasters,” Gettys said, somewhat sardonically.
Klos said losing major customers like government might do it. If the federal government demanded “transparency and vendor-provided metadata that can enable automation,” then software security would become more of a priority than an afterthought.
Manion says it would probably help if the government overall adopted the stance of the Food and Drug Administration (FDA) regarding medical devices. He noted that the agency’s “postmarket guidance” on the security of those devices “says you have to fix bugs if there is potential for serious impact—even if something hasn’t happened yet.”
Ultimately, Manion expresses tempered optimism. The Cisco settlement, he says, will probably generate no more than “a small needle move. But there are larger forces slowly pushing the needle as well.”
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.