Inside Cisco's $2B Security Setback

Cisco Systems (CSCO) has been hit with penalties that could top $2 billion in a patent infringement lawsuit that strikes at the heart of its cybersecurity product lineup and could make its rocky road to re-invention even rougher.

Following a lengthy bench trial — the first patent trial ever to be conducted virtually — Judge Henry Coke Morgan, Jr., of the Eastern District of Virginia court, ruled that Cisco willfully infringed four patents belonging to Centripetal Networks, a small (under 200-person), 11-year-old cybersecurity firm headquartered in Herndon, Virginia.

In addition to awarding Centripetal extensive damages, the ruling requires Cisco to pay the smaller firm six years' worth of royalties on most of Cisco's most valuable artificial intelligence (AI)-driven cybersecurity products.

The ruling hasn't affected Cisco's share price, as Cisco shares rose a bit this week with a general market rally, but the judgement is a branding and reputation setback in the company's key strategy to compete in the red-hot field of AI-based security management. The company's products in this area have been hauling Cisco's growth above the water line since 2017.

Cisco did not immediately respond to a request for comment, but published reports indicate the company intends to appeal the decision. Clearly, it's in Cisco's best interest to do so. Still, past history indicates that Cisco could get snarled in longstanding legal wrangles -- as it did with Arista Networks (ANET), a case that dragged on for years and ended in a $400 million settlement in 2018.

But there is also the chance that Cisco could make good on its relationship with Centripetal by investing in an ongoing partnership -- something it might have considered doing prior to meeting in court.

Particulars of Cisco's Punishment

The recent judgment awards Centripetal total damages of $1,903,239,287.50, to be paid in a lump sum.

That figure includes pre-judgment interest and court costs of $13,717,925, plus $755,808,545 in damages enhanced 2.5 times to reach total damages equal to $1,889,521,362.50. The enhancement to damages is a legal option that allows a court to punish a patent infringer for behavior that meets the criteria for being “willful and egregious.”

Additionally, Cisco must pay royalties of 10% for three years and 5% for three subsequent years on sales of the products accused of infringement. That list includes Cisco’s Catalyst 9000 series switches; Aggregation Services Router (ASR) 1000 series; Integration Services Router (ISR) 1000 and 400 series; Cisco Digital Network Architecture (DNA) and Stealthwatch security devices and software, which perform threat analytics using artificial intelligence (AI); Cisco’s Identity Services Engine (IDE); a range of Cisco firewalls; and the Cisco FirePower Management Center.

In ruling for Centripetal, the judge held that Cisco failed to produce convincing evidence that it developed the cybersecurity AI in these accused products separately from Centripetal. Cisco also did not call for testimony from any engineers responsible for developing the accused products.

Timeline of Intellectual Property Tangle

How Cisco got itself into this unfortunate position is a tale that begins in 2015, when Centripetal’s founder and CEO Steven Rogers (ex-Unisys, Comsat, Cetacean/Avaya, and others) approached a Cisco employee with information about the technology his firm had developed for threat management, which, among other things, was capable of identifying and halting security threats contained in encrypted packets on IP-routed networks.

Cisco was intrigued enough to agree to a nondisclosure Webex presentation on February 4, 2016, in which Centripetal described the algorithms underlying its technology. Subsequent meetings between the two companies featured technical heavyweights, among them Joseph Muniz, who is a Cisco Technical Solutions Architect with the company’s Americas Security Sales Organization.

Though not explicitly stated in court documents, Centripetal appeared to want Cisco either to invest in the company or license its technology. But that didn’t happen. Instead, on June 20, 2017, Cisco rolled out a series of products the court says contained Centripetal’s technology.

A Ho-Hum Rollout

Whatever Cisco actually added to its security lineup back in 2017 didn't impress some jaded observers, and Cisco's lavish presentation of its new software on June 20 was followed by a same-day 14-cent drop in its share price.

No matter. By November of 2017, Cisco reported the first quarter of growth after eight quarters of decline, and its Security segment led the charge with the most growth at 8%. Since that date in 2017, the court states, Cisco has made over $5.575 billion on the intelligence added to its switches, routers, and security devices. And ever since, Centripetal has been pursuing its case for justice.

What Comes Next?

While the recent ruling and penalty for Cisco could affect its quarterly earnings, it may not affect the router leader’s market position. After all, big companies are involved in many lawsuits during the course of business.

Cisco also has taken a public stand against the U.S. Patent and Trademark Office (PTO), accusing that agency of favoring patents that “have not met the tests for innovation that Congress and the courts have established." Clearly, this is among Cisco's arguments against the Centripetal award. Along with Apple (AAPL), Google (Alphabet, GOOGL), and Intel (INTC), Cisco has sued the PTO, claiming its policies open the way for patent trolls to help small firms litigate their way to unwarranted riches.

Despite all this, the Centripetal debacle outlined in the judge’s opinion can’t help the company’s already drooping public image as a firm in crisis. Did Cisco grab what it could from a relatively unknown company in order to beat its way back to success in an area where it had foundered? With other switch and router vendors like Arista and Fortinet (FTNT) nipping at its heels, along with a growing roster of security management and automation companies, did Cisco take a shortcut to beef up its software? The judge has spoken, even if the jury is out.

As for Centripetal, the news couldn’t be better. The small firm, populated largely by ex-government security experts, no doubt will benefit from the publicity surrounding the ruling. Indeed, it seems to be already anticipating how it will spend its award to buttress engineering talent.

But this David-and-Goliath tale isn’t over. Cisco could win an appeal; Centripetal could fail to take itself to the next level, despite the award. One outcome is certain: The stakes in cybersecurity have never been higher.