On Wednesday, the US Department of Justice (DOJ) announced the launch of the Civil Cyber-Fraud Initiative aimed at government contractors and federal grant recipients who fail to report cybersecurity breaches and neglect recommended cybersecurity practices.
Under the initiative, led by the Civil Division’s Commercial Litigation Branch Fraud Section, government contractors could face penalties for failing to secure sensitive systems that hold federal data.
“For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it,” Deputy Attorney General Monaco said.
“We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk.”
The initiative will use the False Claims Act (FCA) to hold companies or individuals accountable for any security discrepancies or events that put US information or systems at risk “by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”
The Act also includes a whistleblower provision that allows “private parties to assist the government in identifying and pursuing fraudulent conduct and to share in any recovery and protects whistleblowers who bring these violations and failures from retaliation.”
The DOJ has high expectations of this initiative. It aims to increase security in both the private and public sectors and to improve cybersecurity practices in the face of a rapidly evolving cyberthreat landscape.
Predicted benefits of the Cyber-Fraud Initiative include:
- Building broad resiliency against cybersecurity intrusions across the government, the public sector and key industry partners.
- Holding contractors and grantees to their commitments to protect government information and infrastructure.
- Supporting government experts’ efforts to timely identify, create and publicize patches for vulnerabilities in commonly-used information technology products and services.
- Ensuring that companies that follow the rules and invest in meeting cybersecurity requirements are not at a competitive disadvantage.
- Reimbursing the government and the taxpayers for the losses incurred when companies fail to satisfy their cybersecurity obligations.
- Improving overall cybersecurity practices that will benefit the government, private users and the American public.