In a groundbreaking initiative announced by the Justice Department this week, federal contractors will be sued if they fail to report a cyber attack or data breach. The newly introduced “Civil Initiative Against Cyber Fraud” will leverage the False Claims Act to go after contractors and grant recipients involved in what the Justice Department calls “cybersecurity fraud.” Generally, the government uses the False Claims Act to bring civil lawsuits over false claims regarding federal funds and property related to government programs.
Cyber Contractors Chose Silence “For Too Long”
“For too long, companies have opted for silence under the mistaken belief that it is less risky to hide a violation than to anticipate and report it,” says Assistant Attorney General Lisa O. Monaco, a pioneer in the initiative. “That changes today. Today we announce that we will use our civil enforcement tools to go after companies, those that are government contractors that receive federal funds, when they do not meet the required cybersecurity standards, because we know that puts us all at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and protect the public treasury and public trust.”
The introduction of the Civil Cyber Fraud Initiative is the “direct result” of the department’s ongoing comprehensive review of the cybersecurity landscape ordered by the Deputy Attorney General in May. The goal behind these review activities is to develop practical recommendations that enhance and expand the Department of Justice’s efforts to combat cyber threats.
The launch of the Initiative aims to curb new and emerging cybersecurity threats to sensitive and critical systems by bringing together subject matter experts from civil fraud, public procurement and cybersecurity agencies.
The development comes at a time when cyberattacks are rampant and advanced ransomware gangs are repeatedly targeting critical infrastructure such as Colonial Pipeline and healthcare facilities.
Provisions of the law would protect whistleblowers
The Civil Cyber Fraud Initiative will use the False Claims Act, also known as the “Lincoln Law,” which serves as a litigation tool for the government when holding those who defraud government programs liable.
“The law includes a unique whistleblower provision, which allows private parties to help the government identify and prosecute fraudulent conduct and participate in any recovery, and protects whistleblowers who bring these violations and retaliatory failures,” the DoJ explains in a press release.
The initiative will hold entities, such as federal contractors or individuals, accountable when they put America’s cyber infrastructure at risk, namely when they knowingly “provide substandard cybersecurity products or services, knowingly misrepresent their cybersecurity practices or protocols, or knowingly violate obligations to monitor and report cybersecurity incidents and breaches.”
In summary, the Initiative is designed with the following objectives in mind:
- Build broad resilience against cybersecurity intrusions in government, the public sector, and key industry partners.
- Make contractors and grantees honor their commitments to protect government information and infrastructure.
- Support the efforts of government experts to identify, create, and release patches for vulnerabilities in commonly used information technology products and services.
- Ensure that companies that follow the rules and invest in meeting cybersecurity requirements are not at a competitive disadvantage.
- Reimburse the government and taxpayers for losses incurred when companies fail to meet their cybersecurity obligations.
- Improve overall cybersecurity practices that will benefit the US government, private users, and the public.
The timing of this announcement also coincides with the creation by the Deputy Attorney General of a “National Cryptocurrency Enforcement Team” designed to address complex investigations and criminal cases of misuse of cryptocurrencies. In particular, the team’s activities will focus on crimes committed by cryptocurrency exchanges and money laundering operations.
However, what stands out is that the Civil Initiative Against Cyber Fraud would prosecute those who were knowingly negligent in implementing a strong cybersecurity posture or knowingly misrepresented their cybersecurity practices, leaving room for plausible deniability.
Equally interesting is the fact that just two days ago, Senator Elizabeth Warren and Representative Deborah Ross proposed a new bill called the “Ransom Disclosure Act.” The law would require ransomware victims to disclose details of any ransom amount paid within 48 hours of payment and to disclose “any known information about the entity demanding the ransom.”