In December, news surfaced of cybercriminals exploiting a new network vulnerability in a piece of Java-based, open-source software called Log4j. The widely-used software performs the perfunctory task of logging data to help other programs function. By mid-December, cybersecurity experts estimated that Log4j was the target of over 100 hacking attempts per minute, leading some to call it the most serious network vulnerability they had ever seen.
As serious as the Log4j vulnerability is, it will likely be eclipsed soon by a new one, and then another. The risk of cybercrime is steadily growing at a disturbing rate, both in terms of the sophistication of the attacks and the potential damage they can do. In response, the U.S. government has been reappraising cybersecurity risk. This will have important implications for private businesses, particularly contractors and subcontractors to the federal government.
A New Regulatory Focus
Cybercrime is difficult to address with the tools available to the federal government. After all, it crosses borders, it involves obscure methods and technology, and it is carried out by a shadowy network of state-sponsored and non-state actors whose nexus of collaboration is difficult to identify. Given the challenges of stopping cybercrime at the source—i.e., the criminals themselves—the government is focusing on the lax or negligent cybersecurity protocols that facilitate cybercrime or increase the resulting damage.
In October 2021, the U.S. Department of Justice (DOJ) announced the Civil Cyber-Fraud Initiative, which sets out to view cybersecurity through the lens of corporate fraud. The initiative uses the False Claims Act (FCA), a piece of Civil War-era legislation meant to prosecute fraud against the federal government, “to identify, pursue and deter cyber vulnerabilities and incidents that arise with government contracts and grants and that put sensitive information and critical government systems at risk,” according to Acting Assistant Attorney General Brian M. Boynton. Under the FCA, any person or entity that knowingly submits false claims to the government can be sued for up to three times the damages, plus a penalty for each false claim.
Applying FCA to cybersecurity is notable, but not surprising when viewed through the context of recent government activity. In public remarks made late last year, Deputy Attorney General Lisa O. Monaco highlighted the DOJ’s newly invigorated response to corporate crime, commenting that “corporate crime has an increasing national security dimension—from the new role of sanctions and export control cases to cyber vulnerabilities that open companies up to foreign attacks.” She also emphasized the importance of preventative compliance programs and strong compliance culture, warning that “a corporate culture that fails to hold individuals accountable, or fails to invest in compliance—or worse, that thumbs its nose at compliance—leads to bad results.”
The Civil Cyber-Fraud Initiative is therefore consistent with the current regulatory focus, but it does introduce new risks for federal contractors generally and information technology professionals in particular. Using FCA to fight cybercrime changes the risk profile for private business and increases the importance of greater vigilance and proactive compliance, as failures risk greater civil liability. Additionally, parallel criminal investigations and proceedings are often pursued alongside of FCA cases, and many criminal cases begin after civil investigations uncover facts or circumstances that provide predication for criminal investigators. In short, the Civil Cyber-Fraud Initiative will likely have wider implications than initially expected.
Broader Application of the FCA
The FCA is taking on an expanded relevance. For instance, there have been several recent so-called “reverse false claims actions” involving money owed to the government rather than money that was wrongly paid out by the government. Many of these reverse claims have involved failure to pay duties of various kinds, including antidumping and countervailing duties.
As part of the Civil Cyber-Fraud Initiative, the DOJ has identified three common cybersecurity failures that are “prime candidates” for FCA enforcement: 1) failures to comply with cybersecurity standards; 2) knowing misrepresentations of security controls and practices; and 3) failures to promptly report suspected breaches. Boynton has remarked that the Civil Cyber-Fraud Initiative will “build on the department’s already extensive work pursuing fraud and abuse relating to the government’s procurement of information technology products and services.”
Notably, Boynton specifically recognized the role whistleblowers play in these actions. Given the volume and sophistication of state-sponsored cybercrime, as well as other cyberthreats, investigators and whistleblowers should be able to easily identify weaknesses in government contractors’ and subcontractors’ cybersecurity regimes or inconsistencies in poorly drafted contract language.
Additionally, no industry is immune from attack by cybercriminals—health care, education, aerospace, finance, retail, and general goods and services all potentially handle sensitive data. Moreover, the new enforcement regime is likely to impact companies that have employees, vendors, subsidiaries or subcontractors based overseas.
What Should Risk Professionals Do?
Since the FCA-related aspects of cybersecurity compliance will trace back to contract language, risk professionals will need to pay more attention to what the actual contracts say. Many government contracts already contain strict data and cybersecurity requirements, including protocols for protection, response, reporting and mitigation. Adhering to these protocols is key. Internal and additional reviews can also help alleviate the risk of something going wrong. To best mitigate risk, pay careful attention to the following:
Review and update cybersecurity procedures. Do not wait for new risks to update or conduct reviews of your cybersecurity procedures. Conducting regular reviews of internal systems and programs that protect data allows your company to keep up with the ever-changing world of cybersecurity. Standards that were applicable when the program was instituted may no longer be applicable or even appropriate.
Communicate with your contracting parties. The often-complex web of subcontractors and vendors can present unique challenges. Communication and transparency about cybersecurity are critical between vertical contracting entities.
Do not overpromise and underdeliver. As Boynton stated in announcing the Civil Cyber-Fraud Initiative, companies that do business with the government and that knowingly make misrepresentations about their own cybersecurity practices or abilities will face consequences. These misrepresentations could be seen as depriving the government of the deal it agreed to. For a successful contractual relationship with the government, it is critical to know exactly what your company can accomplish, what products it can offer, and what assurances it can accurately make.
Conduct compliance program training. Workforce training is essential to develop a robust cybersecurity culture within an organization. Requiring cybersecurity training for new employees and annual training for existing employees demonstrates corporate commitment to implement and maintain the security requirements enumerated in contracts with the Department of Defense and General Services Administration.
Establish an in-house hotline. Across many industries, it is now common practice to have hotlines or other reporting mechanisms for employees to report misconduct or wrongdoing. To run an effective system, it is essential to develop a culture of confidential reporting, follow up on complaints, and document investigations. These systems and protocols allow companies to learn about and address problems before they attract the attention of regulators and investigators or mature into full-blown crises.
Given the breadth of the threat, every company is likely to experience a cyberattack of some kind in the future. Making a good-faith effort to comply with the law and other contractual obligations can help mitigate the fallout. When incidents occur, it is equally important to maintain transparency with the U.S. government. Failing to report a data breach or other cybersecurity incident is almost always a critical mistake, and one the government clearly intends to go after. Prompt reporting allows the appropriate parties to react and limit any risk resulting from the breach.