The Government Is Upping the Ante on Cybersecurity with Significant False Claims Act Consequences


Marking the first payout on a False Claims Act (FCA) case brought over a failure to meet cybersecurity standards, Cisco Systems, Inc. has agreed to pay $8.6 million to settle a whistleblower's complaint that the company improperly sold video surveillance systems with known vulnerabilities to various federal and state government agencies, including Homeland Security, the Secret Service, the Army, the Navy, the Marine Corps, the Air Force, and the Federal Emergency Management Agency. This settlement underscores the importance of government contractors understanding and complying with applicable cybersecurity standards, and of rapid reporting when companies detect non-compliance, even if, as in the case of Cisco, no actual cybersecurity breach was alleged.

Whistleblower James Glenn initially filed the case under seal in 2011, but the case was not unsealed until July 31, 2019. According to the complaint, while working for a Danish networking company and Cisco partner in 2008, Glenn was testing a line of Cisco products known as the Video Surveillance Manager (VSM) when he discovered security risks in the product's design. Glenn realized that he could hack into the video software and take over the surveillance system without being detected, as well as add and delete video streams. According to the complaint, these security flaws also potentially compromised the security of any other computer or systems connected to the product. Glenn reported these security defects to his management team and submitted a report on the vulnerabilities to Cisco. A few months after his report, however, Glenn was laid off as part of the company's supposed cost-cutting measures.

Cisco took no action to correct the vulnerabilities with the software but instead continued to sell the product without any notice to its customers of the system's vulnerabilities. In 2011, Glenn contacted the Federal Bureau of Investigation (FBI) to discuss the issue, and filed his complaint soon after. Cisco finally issued a security alert in 2013 to inform customers of the flaw, along with a solution to the security problems.

Glenn argued two theories of FCA liability in his complaint. The first was that the VSM was worthless to government customers because it failed to enhance the security of the agencies that purchased it, and in many cases actually reduced the protection provided by other security systems. The second was that Cisco's claims were false because Cisco failed to comply with the contractually mandated National Institute of Standards and Technology (NIST) standards that set recommended security controls for information systems at federal agencies.

This settlement spotlights the increased security and enforcement risks for companies selling products to the government that are subject to data and security mishandling.

The landscape of cybersecurity compliance requirements and reporting standards is quickly developing for all contractors, including those that sell devices with internet connectivity and those that access or manage government data under their contracts. What follows is a snapshot of the current regulatory environment.

Department of Homeland Security (DHS)

The DHS Cybersecurity and Infrastructure Security Agency (CISA) is developing a new Coordinated Vulnerability Disclosure (CVD) program. Under this program, the cybersecurity community would be allowed to scour select DHS systems for vulnerabilities and alert department officials to their findings without fear of punishment. The department plans to create a form on its website where members of the public can submit any security gaps they uncover. Those submitting would be asked to detail the compromised system, the process for reproducing the vulnerability, strategies for remediating the weakness, and the potential impact on Homeland Security if the bug remains unaddressed. DHS's goal for federal agencies is to mitigate 70% of significant vulnerabilities through scanning of their networks by September 30, 2019.

While public cyber initiatives such as bug bounties—where pre-vetted groups of hackers are brought in to test new agency applications for vulnerabilities—are growing in popularity, the DHS CVD program would provide a lawful way for any member of the public to discover and report vulnerabilities with agency systems. Contractors and suppliers to the government should expect that more vulnerabilities are likely to be found, and should create their own CVD programs and processes to address any potential vulnerabilities. This program also opens the door to far more whistleblower complaints, meaning that contractors must have a clear understanding of their obligations, representations, and certifications with regard to cybersecurity requirements on their federal contracts to avoid making potential false claims to the government.

Department of Defense (DoD)

All DoD solicitations and contracts, with the possible exception of solicitations and contracts issued solely for the acquisition of commercially available off-the-shelf (COTS) items, must incorporate DoD Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, "safeguarding covered defense information and cyber incident reporting,"[1] which requires compliance with NIST Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations," and rapid reporting within 72 hours of discovery of a cyber incident.

As Venable previously reported, the DoD has announced that it is developing a new cybersecurity standard and certification for defense contractors built on DFARS 252.204-7012 called the "Cybersecurity Maturity Model Certification" (CMMC). DoD released revision 0.4 and a request for feedback this month. The revision currently contemplates five levels of certification, from "Level 1 – Basic Cyber Hygiene" to "Level 5 – Advanced/Progress." Some level of certification would be required for all contractors within the supply chain, even small businesses. DoD plans to release its final unified standard in January 2020, to start including the standard in requests for information in June 2020, and to include the standard in requests for proposals in the fall of 2020. This aggressive schedule underscores the increasing importance of and federal scrutiny on cybersecurity.

* * * * *

All contractors, large and small, should keep abreast of such developments to ensure that they can comply when such standards are included in their contracts.

  1. While DFARS 204.7304 does not require contracting officers to incorporate DFARS 252.204-7012 into contracts for COTS products, many DoD contracts, even for COTS products, incorporate this clause.