In a groundbreaking initiative announced by the Department of Justice this week, federal contractors will be sued if they fail to report a cyber attack or data breaches. The newly introduced “Civil Cyber-Fraud Initiative” will leverage the existing False Claims Act to pursue contractors and grant recipients involved in what the DOJ calls “cybersecurity fraud.” Usually, the False Claims Act is used by the government to tackle civil lawsuits over false claims made in relation to federal funds and property connected with government programs.
Cyber contractors chose silence “for too long”
“For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it,” said Deputy Attorney General Lisa O. Monaco, who is pioneering the initiative. “Well, that changes today. We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards—because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public fisc and public trust.”
The introduction of the Civil Cyber-Fraud Initiative is the “direct result” of the department’s ongoing thorough review of the cybersecurity landscape ordered by the deputy attorney general in May. The goal behind these review activities is to develop actionable recommendations that enhance and expand the DOJ’s efforts to combat cyber threats.
The launch of the initiative aims to curb new and emerging cybersecurity threats to sensitive and critical systems by bringing together subject-matter experts from civil fraud, government procurement, and cybersecurity agencies.
Provisions of the act would protect whistleblowers
The Civil Cyber-Fraud Initiative will utilize the False Claims Act, aka the “Lincoln Law,” which serves as a litigative tool to the government when placing liability on those who defraud government programs.
“The act includes a unique whistleblower provision, which allows private parties to assist the government in identifying and pursuing fraudulent conduct and to share in any recovery and protects whistleblowers who bring these violations and failures from retaliation,” explained the DOJ in a press release.
The initiative will hold entities, such as federal contractors or individuals, accountable when they put US cyber infrastructure at risk by knowingly “providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”
In summary, the initiative is designed with the following objectives in mind:
- Building broad resiliency against cybersecurity intrusions across the government, the public sector, and key industry partners
- Holding contractors and grantees to their commitments to protect government information and infrastructure
- Supporting government experts’ efforts to timely identify, create, and publicize patches for vulnerabilities in commonly used information technology products and services
- Ensuring that companies that follow the rules and invest in meeting cybersecurity requirements are not at a competitive disadvantage
- Reimbursing the government and the taxpayers for the losses incurred when companies fail to satisfy their cybersecurity obligations
- Improving overall cybersecurity practices that will benefit the government, private users, and the American public
The timing of this announcement also coincides with the deputy attorney general’s creation of a “National Cryptocurrency Enforcement Team” designed to tackle complex investigations and criminal cases of cryptocurrency misuse. In particular, the team’s activities will focus on offenses committed by cryptocurrency exchanges and money-laundering operations.
What stands out, though, is that the Civil Cyber-Fraud Initiative would pursue those who were knowingly negligent in the implementation of a robust cybersecurity posture or those who knowingly misrepresented their cybersecurity practices—leaving room for plausible deniability.
Equally interesting is the fact that just two days ago, Senator Elizabeth Warren and Representative Deborah Ross proposed a new bill dubbed the “Ransom Disclosure Act.” The act would require ransomware victims to disclose details of any ransom amount paid within 48 hours of payment and to divulge “any known information about the entity demanding the ransom.”