DoJ’s new Civil Cyber-Fraud Initiative to hold contractors accountable for cybersecurity

The Justice Department is bringing the power of the False Claims Act to the growing challenge of cybersecurity.

Government contractors now will face possible penalties for not doing enough to secure networks and systems that hold federal data.

DoJ today announced the launch of the Civil Cyber-Fraud Initiative, which will be led by the Civil Division’s Commercial Litigation Branch, Fraud Section, to pursue cybersecurity-related fraud by government contractors and grant recipients through the False Claims Act and through the qui tam, or whistleblower, provision of the law.

“For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it. Well that changes today,” said Deputy Attorney General Lisa Monaco today at the 6th annual Aspen Institute’s Cyber Summit. “We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public fisc and public trust.”

The new task force’s goal is to hold accountable companies or individuals that put federal agency information or systems at risk “by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”

Monaco said there is too much risk for the government to absorb if contractors fail to follow required cybersecurity standards.

“We will extract very hefty fines,” she said. “We will protect whistleblowers who bring those violations and those failures forward.”

Monaco said this new initiative is a direct result of the department’s ongoing comprehensive cyber review, which Monaco kicked off in May.

Justice said the benefits of the new cyber fraud initiative include:

  • Building broad resiliency against cybersecurity intrusions across the government, the public sector and key industry partners.
  • Holding contractors and grantees to their commitments to protect government information and infrastructure.
  • Supporting government experts’ efforts to timely identify, create and publicize patches for vulnerabilities in commonly-used information technology products and services.
  • Ensuring that companies that follow the rules and invest in meeting cybersecurity requirements are not at a competitive disadvantage.
  • Reimbursing the government and the taxpayers for the losses incurred when companies fail to satisfy their cybersecurity obligations.
  • Improving overall cybersecurity practices that will benefit the government, private users and the American public.

Justice officials signaled this move earlier this year. Acting Assistant Attorney General Brian Boynton told the Federal Bar Association Qui Tam Conference in February that cybersecurity was one of six key priorities for the civil division when it comes to the False Claims Act.

“With the growing threat of cyberattacks, federal agencies are relying heavily on robust cybersecurity protections to safeguard our vital governmental data and information,” he said. “To the extent that the government pays for systems or services that purport to comply with required cybersecurity standards but fail to do so, it is not difficult to imagine a situation where False Claims Act liability may arise.”

Two cyber cases from 2019

This application of the False Claims Act isn’t necessarily new. But Justice plans to put more of a focus on it going forward.

Attorneys from Carlton Fields highlighted in January 2020 two cases that show just how Justice may apply the FCA to cybersecurity-related problems for contractors.

“Last summer [2019], two significant whistleblower cases sent ripples through the False Claims Act (FCA) community by demonstrating the specter of FCA liability resulting from the failure to comply with cybersecurity requirements in government contracts. In May, the U.S. District Court for the Eastern District of California refused to dismiss a case alleging that Aerojet Rocketdyne Holdings Inc. falsely asserted its compliance with the Department of Defense’s cybersecurity standards. Then, in late July, the government announced that Cisco Systems Inc. agreed to pay $8.6 million to settle a whistleblower suit alleging that the company fell short of federal cybersecurity standards by selling video surveillance products with known vulnerabilities that hackers could exploit. These cases show that cybersecurity-based FCA claims may be the new frontier and that such claims may prove difficult to defeat depending on the facts in any given case,” the attorneys wrote.

In fiscal 2020, Justice recovered more than $2.2 billion under the False Claims Act, with most of that coming from the health care industry.

Expanding the use of the False Claims Act to cybersecurity is another message agencies are sending to contractors about their expectations to secure federal systems and data.

This effort builds on the National Institute of Standards and Technology SP 800-171 to protect controlled unclassified information, the Defense Department’s Cybersecurity Maturity Model Certification (CMMC) initiative and the work the Federal Acquisition Regulations Council and now the Federal Acquisition Security Council are doing to add more policies and requirements to contracts.

Cryptocurrency team announced

The Civil Cyber-Fraud Initiative was one of three recent initiatives DoJ launched to address the ever-growing cybersecurity threat.

In August, DoJ announced the creation of a cyber fellows program, a three-year effort to provide selected attorneys experience combating emerging national security and criminal cyber threats, while rotating through multiple department components that protect the nation from cyber threats — including the Criminal Division, the National Security Division and the U.S. Attorneys’ Offices.

Monaco also announced today a new National Cryptocurrency Enforcement Team, which “will combine the expertise of the Department of Justice Criminal Division’s Money Laundering and Asset Recovery Section (MLARS), Computer Crime and Intellectual Property Section (CCIPS) and other sections in the division, with experts detailed from U.S. Attorneys’ Offices. The team will also assist in tracing and recovery of assets lost to fraud and extortion, including cryptocurrency payments to ransomware groups,” the agency stated in a release.

Monaco said at the Aspen Institute event that as technology and the banking industry advance, so too must Justice to ensure confidence in the platforms and systems.

“We want to strengthen our capacity to dismantle the financial ecosystem that enables these criminal actors to flourish and to profit from what they are doing. We will do that by drawing on our cyber experts, cyber prosecutors and our money laundering experts. We need to centralize and build on the expertise we already have,” she said. “Stepping back, when you think about it, we have been enforcing the securities laws for decades. We police fraud on the market with insider trading cases or market manipulation investigations. The point is to protect consumers and make sure we all can have confidence in the markets we are engaging in. The same has got to be true as the technology advances so we need to evolve with it.”
