Among the flurry of cybersecurity news to come out last week was an announcement by the Department of Justice that it would start using the False Claims Act to go after contractors and recipients of federal grant money who fail to report breaches in a timely manner or knowingly misrepresent their cybersecurity protections.
This new initiative will be run out of the Civil Division, the department’s largest litigating division, with more than 1,000 lawyers on staff, and will focus on three kinds of bad behavior: contractors and grantees who knowingly provide deficient cybersecurity products or services to the government, those who knowingly misrepresent their cybersecurity practices or protocols, and those who violate their obligations to monitor and report cybersecurity incidents and breaches.
But even as some applaud stricter ramifications for bad behavior, both government officials and members of the contracting community are seeking clarity on how this impacts federal regulatory authorities and what standards the Justice Department will follow to define fraudulent behavior.
SC Media spoke to legal and contracting experts to better define the implications of the effort, and where lines may remain blurry.
Going after bad behavior
Speaking at an Oct. 6 public event, Deputy Attorney General Lisa Monaco cast the initiative as an attempt to change the calculus contractors apply when deciding how candidly to communicate the realities of their cybersecurity posture to government agencies. On breach reporting, for example, she chided companies who have “chosen silence, under the mistaken belief that it's less risky to hide a breach, than to bring it forward and to report it.”
It also follows a long government tradition of using procurement and contracting rules, backed by the billions of federal dollars it doles out to vendors every year, as a lever to enact preferred policy change. More recently, agencies like DoJ and the Department of Defense have moved to create new vehicles to ensure better oversight of contractor cybersecurity, or as Monaco put it, to use available tools “to ensure that taxpayer dollars are used appropriately.”
“Where those who are entrusted with government dollars, who are entrusted to work on sensitive government systems, fail to follow required cybersecurity standards, we’re going to go after that behavior and extract…very hefty fines,” she said.
This week, acting Assistant Attorney General Brian Boynton further fleshed out the initiative, saying the False Claims Act gives the government the ability to fine companies an amount equivalent to three times the government's losses, with an additional penalty on top for each individual violation. He also indicated that the DoJ would rely heavily on a provision in the law that allows third-party private actors, or relators, to bring cases of potential fraud forward on behalf of the government.
The cyber fraud initiative will aim to “identify, pursue and deter” cyber vulnerabilities and incidents that hit companies who do business with the government or receive grant funding, under the logic that these weaknesses can and do lead to compromise of federal agency systems and networks. Boynton said the department has tapped the Civil Division’s Fraud Section to lead the efforts and will partner with Inspectors General across different agencies to share information and collaborate on investigations into waste, fraud and abuse.
“We recognize that most companies and people who do business with the government abide by contract terms and obligations,” said Boynton. “We also recognize that cyber incidents and breaches may result even when a contractor has a robust monitoring, detection and reporting system. But when contractors or grantees knowingly fail to implement and follow required cybersecurity requirements or misrepresent their compliance with those requirements, False Claims Act enforcement is an important part of the federal response.”
A novel interpretation
However, some former officials and members of the contracting community have raised questions around how DoJ will define knowing fraud or deception in some of these cases, and how the initiative might conflict with the missions and work of other law enforcement agencies.
Kellen Dwyer, a former deputy assistant attorney general and former assistant U.S. attorney for the Eastern District of Virginia, where he led the government’s criminal hacking cases against Wikileaks founder Julian Assange and Russian cybercriminal Aleksey Burkov, told SC Media that the initiative could create “tension” with agencies like the FBI.
Officials at FBI, the Cybersecurity and Infrastructure Security Agency and others have spent the past few years encouraging companies to voluntarily report ransomware attacks and breaches to the government, something that allows them to deploy resources and technical assistance, help incident response and remediation and conduct investigations.
“Normally when DoJ is involved in investigating breaches, they are trying to find the hacker. It’s normally the FBI doing criminal investigation into who did it and in order for that to work, they need to get cooperation from the victim company,” said Dwyer, now a partner at law firm Alston and Bird. “The FBI has spent a lot of time…trying to convince victim companies that you can trust [them], you should cooperate fully and candidly to help us find the criminal and that the information you give us isn’t going to be used against you.”
Setting up a new, punitive regulatory function within the same department could chill those discussions and cause confusion among some companies about whether they could potentially face penalties for coming forward or erring on the side of disclosure.
“The DoJ getting involved as a regulator of cybersecurity is a really big deal and [I] think it kind of creates tension in terms of their relationship with companies that are the victims of a breach, because on the one hand the criminal division in DoJ is treating you as a victim and trying to work with you to find the perpetrator, but the civil division is maybe thinking about [fining] you.”
The use of the False Claims Act for cybersecurity failures by government contractors is relatively new. However, it is in line with how a law first passed amid the Civil War to deal with rampant fraud by unscrupulous contractors supplying the Union Army has been steadily expanded over the years. It has since become a key component in helping the government recover more than $65 billion from fraudulent contractors since 1986, according to Justice officials. The most recent application to cybersecurity likely stems at least in part from a court case in 2019 that found defense contractor Aerojet Rocketdyne had violated the law by falsely certifying it was in compliance with NIST cybersecurity standards spelled out in its contract.
The government has good reason to consider a harder line on enforcing contractor cybersecurity, particularly when it intersects directly with agency systems and networks. It was, after all, a government contractor (SolarWinds) whose software was hijacked by Russian hackers last year to eventually infect at least nine federal agencies and 100 companies, many of whom were contractors themselves, in a wide-ranging supply chain hack.
To be clear, SolarWinds has not been accused by the government of making false claims about its products, but it is being sued by investors in part over statements made in regulatory documents filed with the government and in public interviews about its robust cybersecurity practices, which the plaintiffs allege were either untrue, exaggerated or served as "window dressing" to mask serious deficiencies.
"I think it all kind of arises from the SolarWinds breach, where after that the government walked away with two takeaways," said Dwyer. "The first is that it's incredible that...this wasn't a mandatory reporting event for a lot of contractors...that was the first 'oh shoot' moment that you saw the president try to deal with in his May executive order. Then the second is realizing how interconnected security is, so that even if you have great cybersecurity yourself [the federal government] is contracting with a bunch of entities and breach of their security is a breach of yours."
Eager for clarity
Some contractors are eager to know more about how the department will define intentional fraud and where the legal line lies between fraud and a claim made out of technical ignorance or marketing zeal. The law itself defines “knowing” and “knowingly” to mean a person who has actual knowledge of the information, acts “in deliberate ignorance of the truth or falsity of the information,” or acts in reckless disregard of the truth. Critically, a successful claim does not require any proof of a specific intent to defraud on the part of the company.
Roger Waldron, president of the Coalition for Government Procurement, said his organization is still working through the potential implications of the DoJ initiative.
He did argue that government vendors already deal with a myriad of cybersecurity-related requirements and that for many, this would be one more obligation layered on top of an already confusing and sometimes contradictory set of requirements for doing business with the government.
“DHS has its cyber clauses, DoD has its own, we hear from members that different contracts [with the same department] have different requirements. There are NIST standards, FedRAMP and all these things across the federal enterprise that go to the requirements of cybersecurity,” said Waldron, adding: “I think the government would be well served if it took a look at all the requirements, tried to rationalize them, and came up with a strategic approach across the enterprise.”
He also questioned how ramping up pursuit of fraud enforcement at the same time the Biden administration is pushing for greater public-private cooperation would play out, though he noted that contractors are already subject to the False Claims Act and this would in a sense just be an extension of those existing obligations.
“I do think this does raise the question of whether it will have a chilling effect on some of the goals of the [Biden] administration or not,” Waldron told SC Media. “Part of the [cybersecurity] executive order was about increasing communication between government and industry on cyber incidents, and I don’t know if this cuts in favor of that or not. We’ll have to see.”
Chris Cummiskey, a former undersecretary and chief acquisition officer at the Department of Homeland Security and a cybersecurity expert, said that his conversations with contractors have yielded mixed sentiments. As with the Cybersecurity Maturity Model Certification program being established by the Pentagon to regulate cybersecurity among its defense industrial base, the questions are less about why the government is doing it than about how, specifically, it is going to enforce it.
“If you talk to the procurement community, they understand what this is and are confident this can be executed,” said Cummiskey. “Now application of the False Claims Act with the vendor community is going to be a different conversation. How is that going to be applied, what kind of companies and actions are DoJ going to go after? I think there is at least a strong curiosity as to what that’s going to look like from the contracting community.”