What you need to know as DOJ steps up enforcement of cybersecurity protocols
Earlier this year, Bloomberg Government released its annual BGOV200 report, revealing that the U.S. federal government spent a record $682 billion on federal contracts during the latest fiscal year, the fifth straight year of increase. Information technology continued to be a key piece of the overall government spend, posting its largest year-over-year growth ever and accounting for over $76 billion.
As lucrative as these contracts are, however, new risks are emerging for contractors. Over the past decade cybersecurity has become a challenge that affects virtually every company, and as cybercriminals have become more sophisticated, the dangers they pose have escalated. For instance, late last year, cybercriminals perpetrated the elaborate Sunburst hack that exploited vulnerabilities in a software developer’s supply chain. The networks of the victim’s clients—hundreds of organizations around the world, including NATO, U.S. and UK government agencies, and several large multinational corporations, among others—were exposed via a backdoor that provided access to systems running the software.
Three months later, company management blamed an intern who used an insecure password on a company network. The impact of the Sunburst incident is still being evaluated, but these kinds of massive data breaches have already occasioned a reappraisal of cybersecurity risk from the U.S. government, where the new mantra is “Cybersecurity is national security,” and this has important implications for federal contractors.
The Civil Cyber-Fraud Initiative
In October 2021 the U.S. Department of Justice (DOJ) announced the Civil Cyber-Fraud Initiative, a novel effort that redefines cybersecurity by viewing it through the lens of corporate fraud. The initiative establishes the use of the False Claims Act (FCA) “to identify, pursue and deter cyber vulnerabilities and incidents that arise with government contracts and grants and that put sensitive information and critical government systems at risk,” according to Acting Assistant Attorney General (AAG) Brian M. Boynton.
Applying FCA to cybersecurity is a remarkable innovation for a Civil War-era law whose main purpose is to uncover fraud knowingly perpetrated against the government by its contractors, but given recent comments from senior DOJ officials, it perhaps should not come as a surprise. As recently as Oct. 28, 2021, Deputy Attorney General Lisa O. Monaco commented on the DOJ’s revamped response to corporate crime. Recalling the DOJ’s takedowns of executives at WorldCom, Qwest Communications, Adelphia, Tyco, and Enron at the beginning of her career, Deputy AG Monaco commented that “[c]orporate crime has an increasing national security dimension—from the new role of sanctions and export control cases to cyber vulnerabilities that open companies up to foreign attacks.” She elaborated further by emphasizing the role of preventative compliance programs and strong compliance culture, warning that “a corporate culture that fails to hold individuals accountable, or fails to invest in compliance—or worse, that thumbs its nose at compliance—leads to bad results.”
The weight of these comments—combined with the newly announced Civil Cyber-Fraud Initiative—suggests that the government’s posture toward its supply chain cybersecurity vulnerabilities has changed, introducing new risks for federal contractors generally and information technology professionals in particular. In the future corporations must be proactive in ensuring that they have solid cybersecurity compliance programs in place. Failure to do so risks civil liability—and even criminal liability—because parallel criminal investigations and proceedings are often pursued alongside of FCA cases. In fact, many criminal cases begin after civil investigations uncover facts or circumstances that provide predication for criminal investigators.
What is the False Claims Act?
The FCA (31 U.S. § 3729) is a federal statute that permits the government to sue any person or entity who knowingly submits false claims to the government for up to three times its damages, plus a penalty for each false claim. The FCA also allows for so-called qui tam actions, those brought by private citizens on the government’s behalf against actors that have defrauded the government. In FY2020 alone, DOJ obtained more than $2.2 billion in settlements and judgments from civil cases based on fraud and false claims against the government.
As a civil enforcement statute, the government’s burden of proof in a FCA case is merely a preponderance of the evidence—a much lower hurdle to clear than that of a criminal statute, which requires proof beyond a reasonable doubt. In light of the potentially devastating civil penalties associated with the FCA and this lower burden of proof, it is especially important to understand that what constitutes a knowing violation of the statute may be easier to prove than one might think. The terms “knowing” and “knowingly” mean that a person (a) has actual knowledge of the true information, or (b) acts with deliberate ignorance of the truth or falsity of the information, or (c) acts in reckless disregard of the truth or falsity of the information. The statute thus provides DOJ with a powerful weapon that can be wielded nimbly in its effort to enforce cybersecurity in the government contracting sphere.
DOJ has identified three common cybersecurity failures that are “prime candidates” for FCA enforcement:
- failures to comply with cybersecurity standards;
- knowing misrepresentations of security controls and practices;
- and failures to timely report suspected breaches.
Certainly, actionable failures are not limited to these three areas.
For decades, the government has successfully used the FCA as a primary tool to combat false claims involving federal funds, programs, and property, and whistleblowers and qui tam actions in connection with cybersecurity are not exactly a new phenomenon. For instance, late last year, a federal court dismissed a whistleblower lawsuit against Dell Computer, where a third-party relator alleged that Dell had knowingly provided the government with unsecured computer systems. An uptick in qui tam actions is almost certain, given the DOJ’s evolving priorities. AAG Boynton has remarked that the Civil Cyber-Fraud Initiative will “build on the department’s already extensive work pursuing fraud and abuse relating to the government’s procurement of information technology products and services.” Notably Boynton specifically recognized the “critical” and “significant” role whistleblowers play in these actions.
The timeframe for implementation of this initiative is immediate. The DOJ already has in place mechanisms for reporting fraudulent or false claims involving cybersecurity and government information systems. In fact, it is not unusual for the Justice Department to make announcements such as these well after it has already ramped up its efforts behind the scenes. This means that not only are contracts currently under negotiation impacted by the initiative, but existing contracts as well.
The Scope of the Challenge
Federal contractors routinely process, store, and transmit personal identifiable information as well as other sensitive data to support the delivery of essential products and services to federal agencies (e.g., providing financial services; providing web and electronic mail services; processing security clearances or healthcare data; providing cloud services; and developing communications, satellite, and weapons systems). Inevitably, DOJ’s new initiative will lead the department to look for specific examples to prove the initiative’s success and justify its existence. Given the volume and sophistication of state-sponsored cybercrime, as well as other cyberthreats, investigators and whistleblowers should have no problem identifying weaknesses in government contractors’ cybersecurity regimes or inconsistencies in poorly drafted contract language.
Any current government contractor, as well as any entity looking to bid for new government contracts, should take heed. No industry is immune from attack by cybercriminals. Healthcare, education, aerospace, finance, retail, and general goods and services all have at least some requirement for data and cybersecurity protection needs. Moreover, the new enforcement regime is likely to impact companies that have employees, vendors, subsidiaries or subcontractors outside of the United States. Maintaining effective and up-to-date cybersecurity practices overseas can be extremely challenging and injects an additional layer of complication and risk in an already precarious situation.
How to Manage Risks
Many government contracts already contain strict data and cybersecurity protocols, including protocols for protection, response, reporting, and mitigation. Adhering to these protocols is key; however, internal and additional reviews may alleviate the risk of something going wrong. Risk mitigation is best accomplished through rigorous attention to the following areas.
Regularly review and update cybersecurity procedures. Waiting to update or conduct a review of your cybersecurity procedures may be too late. Conducting regular reviews of internal systems and programs that protect data allow your company to keep up with the ever-changing world of cybersecurity. Standards that were applicable when the program was instituted may be not be applicable—or even appropriate—now.