Date: 2021-10-06
DoJ’s New Civil Cyber-Fraud Initiative to Hold Contractors Accountable for Cybersecurity
The Department of Justice is applying the power of the False Claims Act to the growing cybersecurity challenge.
Government contractors will now face penalties if they do not do enough to secure networks and systems containing federal data.
The DoJ today announced the launch of the Civil Cyber-Fraud Initiative, which will be led by the Civil Division’s Commercial Litigation Branch, Fraud Section, to pursue cybersecurity-related fraud by government contractors and grant recipients through the False Claims Act and the qui tam, or whistleblower, provision of the law.
“For too long, companies have chosen silence on the mistaken belief that it is less risky to hide a violation than to expose and report it. Well, that is changing today,” said Deputy Attorney General Lisa Monaco today at the Aspen Institute’s 6th Annual Cyber Summit. “We are announcing today that we will use our civil enforcement tools to prosecute companies, those that are government contractors that receive federal funds, when they fail to meet required cybersecurity standards because we know that it puts us all in danger. It is a tool at our disposal to ensure that taxpayers’ money is used appropriately and to protect the tax system and the public trust.”
The new goal of the working groups is to hold accountable companies or individuals who endanger federal agency information or systems by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.
Monaco said there was too much risk for the government to absorb if contractors failed to meet required cybersecurity standards.
“We are going to extract very hefty fines,” she said. “We will protect whistleblowers who report these violations and failures.”
Monaco said this new initiative is a direct result of the department’s ongoing comprehensive cyber review, which Monaco launched in May.
Justice said the benefits of the new cyber fraud initiative include:
- Build broad resilience against cybersecurity intrusions across government, public sector and key industry partners.
- Hold contractors and grant recipients to their commitments to protect government information and infrastructure.
- Support the efforts of government experts to identify, create and release patches for vulnerabilities in commonly used information technology products and services in a timely manner.
- Ensure that companies that play by the rules and invest to meet cybersecurity requirements are not at a competitive disadvantage.
- Reimburse the government and taxpayers for losses incurred when businesses fail to meet their cybersecurity obligations.
- Improve overall cybersecurity practices that will benefit government, private users, and the U.S. public.
Justice officials signaled the move earlier this year. Acting Assistant Attorney General Brian Boynton told the Qui Tam conference of the Federal Bar Association in February that cybersecurity was one of the Civil Division’s six key priorities with respect to the False Claims Act.
“With the growing threat of cyber attacks, federal agencies rely heavily on robust cybersecurity protections to protect our vital government data and information,” he said. “As long as the government pays for systems or services that claim to meet required cybersecurity standards but do not, it is not hard to imagine a situation where False Claims Act liability could arise.”
Two cyber cases of 2019
This application of the False Claims Act is not necessarily new. But Justice plans to put more emphasis on this in the future.
Lawyers at Carlton Fields highlighted in January 2020 two cases that show how Justice can apply the FCA to cybersecurity issues for contractors.
“Last summer [2019], two prominent whistleblower cases made waves in the False Claims Act (FCA) community by demonstrating the specter of FCA liability resulting from failure to meet cybersecurity requirements in government contracts. In May, the U.S. District Court for the Eastern District of California refused to dismiss a case alleging that Aerojet Rocketdyne Holdings Inc. had falsely asserted compliance with Department of Defense cybersecurity standards. Then, in late July, the government announced that Cisco Systems Inc. had agreed to pay $8.6 million to settle a whistleblower lawsuit alleging the company failed to meet federal cybersecurity standards by selling CCTV with known vulnerabilities that hackers could exploit. These cases show that cybersecurity-based FCA claims can be the new frontier and that such claims can prove difficult to defeat depending on the facts in any given case,” the lawyers wrote.
In fiscal year 2020, Justice recovered over $2.2 billion under the False Claims Act, most of it from the health care industry.
Extending the use of the False Claims Act to cybersecurity is another message agencies send to contractors about their expectations for securing federal systems and data.
This effort builds on the National Institute of Standards and Technology’s SP 800-171 for protecting controlled unclassified information, the Department of Defense Cybersecurity Maturity Model Certification Initiative (CMMC), and the work that the Department of Defense Federal Acquisition Regulations Council and now the Federal Acquisition Security Council are leading to add more policies and requirements to contracts.
Cryptocurrency Team Announced
The Civil Cyber-Fraud Initiative was one of three recent initiatives launched by the DoJ to address the ever-growing cybersecurity threat.
In August, the DoJ announced the creation of a cyber scholarship program, a three-year effort to provide selected lawyers with experience in combating emerging national security and criminal cyber threats, while rotating through several departmental components that protect the country from cyber threats, including the Criminal Division, the National Security Division and U.S. Attorneys’ Offices.
Monaco also announced today the creation of a new National Cryptocurrency Enforcement Team, which will combine the expertise of the Justice Department Criminal Division’s Money Laundering and Asset Recovery Section (MLARS), Computer Crime and Intellectual Property Section (CCIPS) and other sections of the division, with experts detailed from U.S. Attorneys’ Offices. The team will also help locate and recover assets lost to fraud and extortion, including cryptocurrency payments to ransomware groups, the agency said in a press release.
Monaco said at the Aspen Institute event that as technology and the banking industry advance, Justice must also ensure trust in platforms and systems.
“We want to strengthen our ability to dismantle the financial ecosystem that allows these criminal actors to thrive and profit from what they do. We will do this by bringing in our cyber experts, cyber prosecutors and our money laundering experts. We need to centralize and leverage the expertise that we already have,” she said. “Looking back, when you think about it, we’ve been enforcing securities laws for decades. We monitor market fraud with insider trading cases or market manipulation investigations. The goal is to protect consumers and to ensure that we can all have confidence in the markets in which we operate. The same must be true as technology advances, so we must evolve with it.”
