What you need to know as DOJ steps up enforcement of cybersecurity protocols

The Justice Department has launched its Civil Cyber Fraud Initiative and even the most compliant government contractor needs to pay attention to what DOJ is saying and where it is focusing.

Earlier this year, Bloomberg Government released its annual BGOV200 report, revealing that the U.S. federal government spent a record $682 billion on federal contracts during the latest fiscal year, the fifth straight year of increase. Information technology continued to be a key piece of the overall government spend, posting its largest year-over-year growth ever and accounting for over $76 billion.

As lucrative as these contracts are, however, new risks are emerging for contractors. Over the past decade cybersecurity has become a challenge that affects virtually every company, and as cybercriminals have become more sophisticated, the dangers they pose have escalated. For instance, late last year, cybercriminals perpetrated the elaborate Sunburst hack that exploited vulnerabilities in a software developer’s supply chain. The networks of the victim’s clients—hundreds of organizations around the world, including NATO, U.S. and UK government agencies, and several large multinational corporations, among others—were exposed via a backdoor that provided access to systems running the software.

Three months later, company management blamed an intern who used an insecure password on a company network. The impact of the Sunburst incident is still being evaluated, but these kinds of massive data breaches have already occasioned a reappraisal of cybersecurity risk from the U.S. government, where the new mantra is “Cybersecurity is national security,” and this has important implications for federal contractors.

The Civil Cyber-Fraud Initiative

In October 2021 the U.S. Department of Justice (DOJ) announced the Civil Cyber-Fraud Initiative, a novel effort that redefines cybersecurity by viewing it through the lens of corporate fraud. The initiative establishes the use of the False Claims Act (FCA) “to identify, pursue and deter cyber vulnerabilities and incidents that arise with government contracts and grants and that put sensitive information and critical government systems at risk,” according to Acting Assistant Attorney General (AAG) Brian M. Boynton.

Applying FCA to cybersecurity is a remarkable innovation for a Civil War-era law whose main purpose is to uncover fraud knowingly perpetrated against the government by its contractors, but given recent comments from senior DOJ officials, it perhaps should not come as a surprise. As recently as Oct. 28, 2021, Deputy Attorney General Lisa O. Monaco commented on the DOJ’s revamped response to corporate crime. Recalling the DOJ’s takedowns of executives at WorldCom, Qwest Communications, Adelphia, Tyco, and Enron at the beginning of her career, Deputy AG Monaco commented that “[c]orporate crime has an increasing national security dimension—from the new role of sanctions and export control cases to cyber vulnerabilities that open companies up to foreign attacks.” She elaborated further by emphasizing the role of preventative compliance programs and strong compliance culture, warning that “a corporate culture that fails to hold individuals accountable, or fails to invest in compliance—or worse, that thumbs its nose at compliance—leads to bad results.”

The weight of these comments—combined with the newly announced Civil Cyber-Fraud Initiative—suggests that the government’s posture toward its supply chain cybersecurity vulnerabilities has changed, introducing new risks for federal contractors generally and information technology professionals in particular. In the future, corporations must be proactive in ensuring that they have solid cybersecurity compliance programs in place. Failure to do so risks civil liability—and even criminal liability—because parallel criminal investigations and proceedings are often pursued alongside FCA cases. In fact, many criminal cases begin after civil investigations uncover facts or circumstances that provide predication for criminal investigators.

What is the False Claims Act?

The FCA (31 U.S.C. § 3729) is a federal statute that permits the government to sue any person or entity who knowingly submits false claims to the government for up to three times its damages, plus a penalty for each false claim. The FCA also allows for so-called qui tam actions, those brought by private citizens on the government’s behalf against actors that have defrauded the government. In FY2020 alone, DOJ obtained more than $2.2 billion in settlements and judgments from civil cases based on fraud and false claims against the government.

As a civil enforcement statute, the government’s burden of proof in an FCA case is merely a preponderance of the evidence—a much lower hurdle to clear than that of a criminal statute, which requires proof beyond a reasonable doubt. In light of the potentially devastating civil penalties associated with the FCA and this lower burden of proof, it is especially important to understand that what constitutes a knowing violation of the statute may be easier to prove than one might think. The terms “knowing” and “knowingly” mean that a person (a) has actual knowledge of the true information, or (b) acts with deliberate ignorance of the truth or falsity of the information, or (c) acts in reckless disregard of the truth or falsity of the information. The statute thus provides DOJ with a powerful weapon that can be wielded nimbly in its effort to enforce cybersecurity in the government contracting sphere.

DOJ has identified three common cybersecurity failures that are “prime candidates” for FCA enforcement:

  • failures to comply with cybersecurity standards;
  • knowing misrepresentations of security controls and practices; and
  • failures to timely report suspected breaches.

Certainly, actionable failures are not limited to these three areas.

For decades, the government has successfully used the FCA as a primary tool to combat false claims involving federal funds, programs, and property, and whistleblowers and qui tam actions in connection with cybersecurity are not exactly a new phenomenon. For instance, late last year, a federal court dismissed a whistleblower lawsuit against Dell Computer, in which a third-party relator alleged that Dell had knowingly provided the government with unsecured computer systems. An uptick in qui tam actions is almost certain, given the DOJ’s evolving priorities. AAG Boynton has remarked that the Civil Cyber-Fraud Initiative will “build on the department’s already extensive work pursuing fraud and abuse relating to the government’s procurement of information technology products and services.” Notably, Boynton specifically recognized the “critical” and “significant” role whistleblowers play in these actions.

The timeframe for implementation of this initiative is immediate. The DOJ already has in place mechanisms for reporting fraudulent or false claims involving cybersecurity and government information systems. In fact, it is not unusual for the Justice Department to make announcements such as these well after it has already ramped up its efforts behind the scenes. This means that not only are contracts currently under negotiation impacted by the initiative, but existing contracts as well.

The Scope of the Challenge

Federal contractors routinely process, store, and transmit personally identifiable information as well as other sensitive data to support the delivery of essential products and services to federal agencies (e.g., providing financial services; providing web and electronic mail services; processing security clearances or healthcare data; providing cloud services; and developing communications, satellite, and weapons systems). Inevitably, DOJ’s new initiative will lead the department to look for specific examples to prove the initiative’s success and justify its existence. Given the volume and sophistication of state-sponsored cybercrime, as well as other cyberthreats, investigators and whistleblowers should have no problem identifying weaknesses in government contractors’ cybersecurity regimes or inconsistencies in poorly drafted contract language.

Any current government contractor, as well as any entity looking to bid for new government contracts, should take heed. No industry is immune from attack by cybercriminals. Healthcare, education, aerospace, finance, retail, and general goods and services all have at least some requirement for data and cybersecurity protection needs. Moreover, the new enforcement regime is likely to impact companies that have employees, vendors, subsidiaries or subcontractors outside of the United States. Maintaining effective and up-to-date cybersecurity practices overseas can be extremely challenging and injects an additional layer of complication and risk in an already precarious situation.

How to Manage Risks

Many government contracts already contain strict data and cybersecurity protocols, including protocols for protection, response, reporting, and mitigation. Adhering to these protocols is key; however, internal and additional reviews may alleviate the risk of something going wrong. Risk mitigation is best accomplished through rigorous attention to the following areas.

Regularly review and update cybersecurity procedures. If you wait to update or review your cybersecurity procedures, it may already be too late. Conducting regular reviews of the internal systems and programs that protect data allows your company to keep up with the ever-changing world of cybersecurity. Standards that were applicable when the program was instituted may not be applicable—or even appropriate—now.

Communicate with your contracting parties. The often-complex web of subcontractors and vendors can present unique challenges. Communication and transparency between the vertical contracting entities relating to cybersecurity practices and requirements are key.

Know what resources you have and what resources you need. As Boynton stated in announcing the Civil Cyber-Fraud Initiative, companies that do business with the government and knowingly make misrepresentations about their own cybersecurity practices or abilities will face consequences. In the government’s eyes, these misrepresentations deprive it of the bargain it agreed to. Knowing exactly what your company can accomplish, what products it can utilize and offer, and what assurances it can accurately deliver is critical to a successful contractual relationship with the government.

Compliance Program Training. Workforce training is essential to developing a robust cybersecurity culture within an organization. Cybersecurity training for new employees—and recurring annual training for existing employees—demonstrates corporate commitment to implement and maintain the security requirements enumerated in Department of Defense and General Services Administration (GSA) contracts.

Establish an in-house hotline to allow employees to identify concerns or possible violations without retribution. Hotlines or other similar reporting mechanisms that allow employees to report misconduct or other wrongdoings are now common across many industries. The key is to have an effective system in place. Developing a culture of confidential reporting, following up on complaints, and documenting investigations are best practices in an effective system. These systems and protocols allow companies to learn about problems before they attract the attention of regulators and investigators or mature into full-blown crises, address issues internally when appropriate, and minimize risk.

Maintain transparency with the U.S. government. Failing to report a data or other cybersecurity breach is almost always a critical mistake, and one the government intends to go after. Prompt reporting allows the appropriate parties to react and likely limits any risk resulting from the breach.

Know what you don’t know and contact legal counsel before a problem arises. It is important to engage the assistance of experts before a breach occurs and certainly any time you have concerns that the government could construe a representation as false. Early prevention and compliance are key, as is a timely reaction if an incident occurs.

Conclusion

By situating cybersecurity within its set of national security concerns and by marshalling the FCA to combat substandard cybersecurity practices, the U.S. government has signaled clearly to federal contractors an aggressive new posture toward compliance in this area. There will surely be numerous lawsuits brought by third-party relators—and joined by the government—that create civil and criminal liability, as well as the associated reputational damage such allegations entail; however, there are risk management tools and procedures that responsible contractors can use to minimize these potential liabilities. Given the speed with which the DOJ’s initiative was stood up, it would be wise for information technology and compliance professionals to get started now to protect their organizations.
