Imillian - stock.adobe.com
The end was almost an anti-climax for James Glenn, a network security specialist-turned-whistleblower.
For the past decade, the 42-year-old computer security specialist has been at the centre of a legal battle with Cisco and the US government.
In 2008, Glenn became an accidental whistleblower when he alerted Cisco Systems, one of the world’s largest networking technology companies, to serious security flaws in its video surveillance software.
He ended up working with US federal, state and local governments to bring legal action against Cisco for allegedly knowingly selling equipment containing serious security flaws to the US government.
Details of the case, brought under the US False Claims Act, became public on 31 July when Cisco agreed an $8.6m settlement to compensate US federal and state governments that had bought Cisco’s equipment.
Glenn, who now works in Bulgaria as a video surveillance technology specialist, heard the result the next day. “I woke up this morning and l looked at the phone, and was like, oh, it is all over,” said Glenn in an interview with Computer Weekly.
Holding companies to account
Glenn’s legal battle sets a new legal precedent. It is the first time that the False Claims Act has been used in a cyber security case, and other cases are expected to follow.
US whistleblower laws represent a new way to hold technology companies to account if they sell products that are not secure and contain serious flaws that could be exploited by hackers.
Mary Inman, a lawyer with law firm Constantine Cannon, which represented Glenn, said there is rising awareness that Europeans can use US whistleblowing laws to bring claims against large companies.
In July, for example, Microsoft agreed to pay $16m to settle claims that its subsidiaries in Hungary, Turkey, Saudi Arabia and Thailand had given excessive discounts and made improper payments to secure contracts.
“I was maybe a bit naïve because I had an understanding that we were just going to fix this”
“Technology is the next growth area,” said Inman. “Data is the new gold. I think this is an area where we are going to increasingly see a bigger role for whistleblowers.”
Glenn honed his craft in the US when he joined a company that leased routers, AS400 computers and laptops to businesses. “I had access to every piece of hardware that I could imagine, and so I took advantage of that,” he said.
In late 2006, he moved to Denmark to work for the managed security department of Tele-Danmark Communications (TDC), a telecommunications specialist in Copenhagen. His department later became part of NetDesign, a Danish network services provider and Cisco “Gold Partner”.
NetDesign ran a programme called Own Medicine to encourage employees to test software and equipment for security errors and vulnerabilities.
When a colleague introduced Glenn to some “cool” video surveillance technology from Cisco – its Video Surveillance Manager (VSM) – he took it as a challenge and began to test the product.
“Just using the web browser, some questions started popping up, like why did I see this, how can this be?” he said. “It was put together in such a way that it just drew me in, you know, holy crap, you can save a file here. Let me see what I can save, and it just blossomed.”
Glenn discovered a series of security weaknesses that he said presented a “serious threat” to any organisation that had bought Cisco’s VSM equipment.
They include the Department of Homeland Security, the Department of Defense, Nasa, the US Army, US Navy, US Air Force and US Marine Corps, state police forces, schools and universities, Amtrak, which used it in railway stations, and at least five US airports.
The system was also bought by organisations in Europe, including Loughborough University, which used the surveillance software to monitor video cameras on its campus, and by Greater Manchester for monitoring its transport network.
According to allegations filed in the New York Western District Court, anyone with access to one video camera could have exploited security flaws to gain access to an organisation’s entire network. Intruders could bypass locks, fire alarms and other physical security devices attached to the network.
The vulnerabilities allegedly allowed unauthorised users to gain administration rights over the video system. They could effectively, for example, shut down an entire airport by taking control of the security cameras and shutting them down.
Attackers could delete or change video recordings to cover up theft or espionage, or gain access to a secure facility, such as a server room, if card readers were – as they often are – connected to the same network as the video surveillance system.
Cisco was accused of knowingly selling the software containing security vulnerabilities from at least October 2008. In July 2013, it advised customers to upgrade to a new software version and finally stopped selling the flawed software by September 2014.
Glenn: “I was a bit naïve”
Glenn had expected Cisco to acknowledge his work by crediting him on a security vulnerability website, giving him some recognition in the security community. “I was maybe a bit naïve because I had an understanding that we were just going to fix this because it was a new product,” he said.
After several weeks of testing, Glenn presented a detailed report of his findings to his supervisor at NetDesign and to Cisco’s Product Security Incident Response Team (PSIRT).
He wrote a personal letter to the Cisco incident manager, named on the automatic reply he received from the incident response team, after hearing nothing back from Cisco. During a conference call with a Cisco employee and NetDesign in December 2008, Glenn said he didn’t think the problems could be fixed easily. He told his employers that NetDesign should not continue to sell the product.
“It didn’t look like it could be sold at that point without some sort of fix in place, or some sort of additional equipment in front of it to filter requests, or whatever,” he said. “It needed attention.”
Cisco representatives met with Glenn’s employer in March 2009. Three days later, Glenn received a text message summoning him to the director’s office. He was told that, because of budgets, he no longer had a job.
Glenn was sceptical. His company’s financial report for that year showed the company had performed well, he claims.
“I don’t know what anyone did or said, but it was too close timing to be legitimate, as much as anything,” he said. “I wasn’t buying it.”
Unemployed in Denmark
Disillusioned with IT security, Glenn toyed with the idea of leaving Europe and talked about learning calligraphy or indulging in his other passion – music. He has played in jazz bands, marching bands and music groups.
In the end, he filed an application to extend his residency in Demark for six months, so he could look for another job. When that was rejected, he lodged an appeal. It took months, leaving him unable to work until January 2011. “I was not allowed to look for a job in that country, and if I left, I was not welcome to come back,” he said.
Glenn survived on the severance money from NetDesign plus some extra compensation because his former employer had made mistakes with the paperwork. “It wasn’t a lot of money, but it was enough not to die in Denmark,” he said.
Glenn recalls reading Dostoyevsky’s Notes from the underground, the story of a person, disillusioned by oppression and corruption, who withdraws from society. The story reflected his own state of mind – he found himself avoiding peopled and watching too much TV. “It was difficult for anyone to be my friend,” he said.
At that point, Glenn’s sister, based in Washington DC, intervened. “She became concerned and kept calling me,” he said. At first, Glenn, who had signed a non-disclosure agreement with his employer, refused to talk about the problem, but eventually he confided in his sister. “And she said, you know you have to do something, and I didn’t disagree,” he said.
Glenn, the son of a marine, says it was not in his nature to give up. He took inspiration from a television series called MacGyver, which told the story of a US government agent who used his intelligence and ordinary items, such paper clips and chewing gum, to solve problems, whatever the odds. “I don’t recall an episode where it was oh, OK, its over,” he said.
Glenn agreed that his sister could pass on his information anonymously. She called a US cyber security organisation and passed on Glenn’s concerns that Los Angeles International Airport had installed the flawed Cisco VSM.
Phoned by FBI
Out of the blue, Glenn received a phone call from a Los Angeles police officer who was also a member of the FBI’s joint terrorism task force. “I wasn’t expecting this phone call because I thought I had successfully remained anonymous,” he said. “I felt hurt, betrayed, angry.
“I called my sister and asked her, hey, didn’t I tell you that I’d like to remain anonymous? And she said, oh yeah, you did.”
Glenn shared screenshots and exchanged emails with the FBI, but as he got drawn into the case, he felt he needed his own legal representative.
“Because my sister got me into all of this, I just called her and told her she had to figure out a way that I could have an attorney that would help me work with the government and not ask me to pay them money to do it,” he said.
Glenn agreed to file a lawsuit, known as a qui tam, against Cisco on behalf of the US federal government, US state governments and the District of Columbia in May 2011.
Qui tam lawsuits – from the Latin meaning “he who brings an action for the king as well as himself” – allow people of any nationality to bring lawsuits on behalf of the US government in cases of fraud against the taxpayer or other wrongdoing.
The case remained under seal until August 2019, when Cisco agreed to settle the allegations. Glenn said he had to remain guarded about talking about anything related to the case until it was resolved. “I haven’t been that approachable over this time,” he said.
Cisco said in blogpost after the settlement that it had acquired the VSM software when it bought another company, BroadWare, in 2007. Although Cisco said there was no evidence that customers’ security had ever been breached, it acknowledged that Broadware used an open architecture that meant video feeds could “theoretically have been subject to hacking”.
Glenn is now working as a video surveillance expert in Bulgaria, for a company he declines to identify. His role is to deal with complex and “politically hot problems” that would not be resolved using normal resolution channels. He said the job has taken him to every part of the world.
People in tech don’t speak up
Glenn said too many people in the technology industry do not speak up when they should do, which is why such problems persist.
“It is everyone’s responsibility to wear out your welcome,” he said. “If you have to upset someone to get the point across, get it across. Be more assertive about these issues.
“The reason that stuff like this happens is because nobody is speaking up. And there are very talented people within arm’s reach of these pieces of software.”
Glenn stands to gain under the US Federal False Claims Act, and is likely to receive 15-20% of the $8.6m paid by Cisco to settle the case.
But Glenn is not bitter about the way he was treated. “ I shook that off,” he said. And he only has good words to say about his former employer. “They have the most talented engineers in Denmark, and there are a lot of great guys there. They are a very high-level Cisco partner.”
But he said that if he was in a similar situation again, he would not blow the whistle. “I was once 32, now I am 42. I am not going to regret it, but I would not risk being 52. I think it’s a once-in-a-lifetime thing.”
The whistblower whisperer
Glenn was represented by a small law firm, Constantine Cannon, which specialises in bringing cases from whistleblowers in the US.
Two years ago, Mary Inman, a partner in Constantine Cannon, moved to the UK to set up a branch to represent whistleblowers outside the US.
The law firm expects to see an increase in the number of whistleblowers in Europe using US laws to highlight corruption and fraud in companies that do business with the US federal and state governments – particularly in technology companies.
The Office of the Whistleblower at the US Securities and Exchange Commission (SEC), said in its annual report to Congress that in 2018, it had received reports from whistleblowers from 72 countries outside the US, with the highest numbers coming from Canada and the UK.
Inman said of Glenn’s case: “This lawsuit is a great example of someone abroad being aware of a fraud that has a global aspect to it and can then be used to go after funds that impact the states, federal government and local governments in the US.”
Unlike the UK, which has an over-arching law, the Public Interest Disclosure Act (PIDA), which aims to protect whistleblowers acting in the public interest, US law has grown up in a patchwork, piecemeal way, sector by sector.
“You would be amazed how many whistleblowers write to us from their company emails”
Mary Inman, Constantine Cannon
The US Congress created the Sarbanes-Oxley Act in 2002 in the wake of the Worldcom and Enron accounting scandals. It provides protection for whistleblowers who disclose fraud against shareholders or breaches of SEC regulations in publicly traded companies.
The financial crisis in 2000 prompted the Dodd-Frank Act, which introduced broader protections for whistleblowers and a mandatory bounty programme that allows whistleblowers to receive 10-30% of the proceeds of litigation.
The US introduced the False Claims Act in 1863 to fight widespread fraud during the American civil war. The law was amended in the 1980s following a series of overcharging scandals by government contractors, to encourage whistleblowers to come forward, and it has been strengthened to give whistleblowers legal protection from retaliation.
Inman had intended to become a government prosecutor when she graduated from the University of Pennsylvania Law School in 1994. That changed when she was offered the opportunity to join the San Francisco office of Phillips & Cohen, a boutique law firm that specialised in representing whistleblowers.
In 2015, she left with seven colleagues to join Constantine Cannon, another small whistleblower law firm that had plans to move into London.
Inman predicted that as more companies rely on data analytics for their business, whistleblowing in the technology sector is likely to increase. Her company has offices in London and Silicon Valley. “This is a huge growth area for us,” she said.
In financial services, the US Commodities Futures Trading Commission is encouraging people to blow the whistle on insider trading, bribery and virtual currency fraud.
Another target is the telecoms industry, which can face pressure to offer bribes to government officials to award contracts in developing countries in breach of the US Foreign Corrupt Practices Act.
And the US Department of Transportation is running programme to encourage whistleblowers in car manufacturers or parts suppliers to come forward with information about safety defects that could put lives at risk.
“There is a sort of ripple effect,” said Inman. “Those programmes have been so successful, they have spawned copy-cat programmes abroad, and even in the US.”
Inman, known to her colleagues as the “whistleblower whisperer”, describes her job as part lawyer, part psychologist.
Law firms that represent whistleblowers work for contingency fees and are only paid if they bring a successful claim. So the first question Inman asks when she meets whistleblowers is whether they have a strong legal case.
A more important question is whether a would-be whistleblower has the resilience and the support network to survive what will inevitably be a life-changing experience. “I turn down hundreds of whistleblowers,” said Inman.
Whistleblowing cases brought under US law take at least five years to resolve, often more, so whistleblowers need to be in it for the long haul.
Inman’s law firm uses secure channels including encrypted messaging through Signal, encrypted Protonmail accounts and a secure website that allows whistleblowers to contact the firm securely. “You would be amazed how many whistleblowers write to us from their company emails,” she said.
The SEC’s programme allows whistleblowers to keep their identities confidential, but anonymity does not apply under the False Claims Act. In that case, whistleblowers need to be prepared for their names to become public, even if their case ultimately fails.
Life-changing consequences of whistleblowing
If people are intent on whistleblowing, they need to ask some deep questions first, said Inman. “Just because you have it, should you pull the trigger on it? What does it mean for you professionally and personally, just given the high cost and the personal toll that is imposed on people who might choose to blow the whistle?”
US laws protect whistleblowers from retaliation and allow them to bring legal claims for compensation against employers if they are mistreated.
Nevertheless, whistleblowers can find themselves fired, often in the most “brutal of circumstances”, said Inman. They may be given a small pay-off for agreeing to sign onerous non-disclosure agreements. Sometimes they will be summarily dismissed with no severance payment and no compensation.
In other cases, employers give whistleblowers the “Siberia treatment”, she said. High-fliers can find themselves relegated to menial jobs with no opportunity of career progression, and very little contact with other people in the company. “They can wear you down,” she added.
A study of whistleblowers by the New England Journal of Medicine found, for example, that whistleblowers can lose their homes, their cars, and frequently struggle to find another job. Divorce is common, family life suffers and they often have stress-related conditions.
Employers use a mixture of threats and financial inducements to persuade employees not to speak out, said Inman. One was told: “The company will throw you under a bus and prove that you were a loose cannon and the only person doing it.”
Inman said she lost one of her clients who began to suffer from stress and depression after blowing the whistle on healthcare fraud. He died in an accident at home and never got to see the $5m compensation that went to his estate.
“So you can’t have an experience like that and not feel like every whistleblower needs to know the what-ifs and what could happen,” she said.
Inman said she tries to discourage whistleblowers if they are young and have their careers ahead of them, unless they are so determined that they will blow the whistle anyway.
Her favourite clients are those on the cusp of retirement who have built up a nest-egg after a successful career. Next are the “inadvertent whistleblowers” – people like Glenn who thought they were doing their job by alerting their employers to a problem. Such people have often experienced retaliation already and have little to lose.
“If you are an ethical hacker and you are supposed to find vulnerabilities and all of a sudden you can’t figure out why your employer doesn’t want you around any more, it is only then that people will often come to us, and at that point they have already blown the whistle internally,” she said.
For most whistleblowers, bringing a complaint against a former employer is a career-ending decision. It is rare that they will be able to continue working in the same industry.
Some whistleblowers, such as Martin Woods, who exposed suspicious transactions linked to Mexican drug cartels passing through the books of US bank Wachovia, have successfully managed to turn their experiences into a new career path by moving into compliance roles.
Others have written successful books or had films made about their experiences.
Inman asks would be whistleblowers: “Are you going to defy the odds, are you someone who can survive that? Most importantly, look at your personal situation – are you the sole bread-winner for a family with young children? What is going to happen when we play out the parade of horribles that could happen?”
James Glenn’s whistleblowing diary
May 2007: Cisco acquires video surveillance technology when it buys BroadWare, a provider of internet protocol (IP)-based video surveillance software. Cisco adapts BroadWare’s products to create its own IP video surveillance product – the Cisco Video Surveillance Manager (VSM).
March 2007: James Glenn starts work for the managed security division of Tele-Danmark Communications (TDC).
July 2007: Glenn’s division is acquired by NetDesign, a Danish network services provider and Cisco “Gold Certified Partner”.
September 2008: Glenn and a colleague from NetDesign’s physical security department test an internet-based Cisco security camera, looking for problems and vulnerabilities. They discover it is vulnerable to “brute force” password attacks. Glenn reports the vulnerabilities to Cisco, which issues a patch and notice of the problem in the next update.
October 2008: Glenn discovers serious security defects in Cisco’s VSM.
Late October 2008: Glenn submits a detailed report on vulnerabilities in the Cisco VSM, including screenshots, to Cisco’s Product Incident Response Team (PSIRT). He presents the same evidence to his supervisor and NetDesign.
November 2008: Glenn writes a personal letter to the Cisco incident manager after receiving no follow-up response. After making follow-up enquiries, the manager tells Glenn there is “no quick fix” and does not respond to further queries.
2 December 2008: Glenn takes part in a conference call between Cisco representatives and NetDesign about the flaws in the Cisco VSM.
6 March 2009: Cisco representatives visit NetDesign and meet Glenn’s supervisor and other NetDesign employees.
9 March 2009: Glenn is called into his supervisor’s office and dismissed from his job at NetDesign. His manager cites “economic concerns”.
2009: Cisco publishes a best practices guide which says users need to pay special attention to building necessary security features on top of Cisco’s software.
September 2010: Glenn asks his sister in the US to anonymously pass on concerns about vulnerabilities in the Cisco VMS and the fact that the system has been installed at Los Angeles International Airport. A detective at the Los Angeles Police Department, who was also a member of the FBI’s joint terrorism network, phones Glenn, who passes on documentary evidence of the security flaws.
10 May 2011: Glenn’s lawyers file a complaint against Cisco on behalf of the US government in US district court, Western District of New York.
July 2013: Cisco advises customers to upgrade to a new version of the software which it says addresses security vulnerabilities.
September 2014: Cisco stops selling older versions of its VSM software which contain the security vulnerabilities.
August 2019: Cisco agrees to pay $8.6m to settle allegations that it knowingly sold video surveillance equipment containing serious security vulnerabilities to US government agencies including the US Department of Homeland Security, the Secret Service, the Army, the Navy, the Air Force, the Marine Corps and the Federal Emergency Management Agency (FEMA).