DOJ to Sue Contractors Hiding Cyberattacks & Data Breaches

October 7, 2021

DOJ to Pursue Civil Action Against Contractors for Cyberattack Failures

The U.S. Department of Justice has declared its intention to initiate civil legal proceedings against federal contractors who neglect to report cyberattacks or data breaches.

Civil Cyber-Fraud Initiative Launched

Deputy Attorney General Lisa O. Monaco unveiled the Civil Cyber-Fraud Initiative this week. This initiative will utilize the established False Claims Act (FCA) to actively pursue instances of cybersecurity-related fraud perpetrated by government contractors and recipients of federal grants.

According to a DOJ press release, entities, including federal contractors and individual actors, will be held accountable for compromising U.S. cyber infrastructure by knowingly supplying deficient cybersecurity products or services.

Reporting Obligations and Penalties

Government contractors will now face repercussions for failing to fulfill their obligations regarding the monitoring and reporting of cybersecurity incidents and data breaches. These penalties are designed to ensure proactive security measures.

Response to Recent Federal Hacks

This action represents the latest response from the Biden administration to a series of cyberattacks targeting federal agencies. These included breaches at the Treasury Department, the State Department, and Homeland Security.

The DOJ subsequently attributed the espionage campaign to hackers associated with Russia’s foreign intelligence service, the SVR. These hackers infiltrated SolarWinds’ network.

They implanted a backdoor within the Orion software – a tool used for network and device monitoring – and disseminated it to customer networks via a compromised software update.

Building Cybersecurity Resiliency

The initiative aims to foster “broad resiliency” against cybersecurity intrusions throughout the public sector. It will also support government endeavors to identify, develop, and disseminate patches for vulnerabilities present in widely used products and services, according to the DOJ.

Furthermore, the government will seek to recover any losses incurred as a result of companies failing to adhere to established security standards.

Emphasis on Transparency and Accountability

“For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it,” Monaco stated. “That paradigm shifts today.”

“We are announcing that we will leverage our civil enforcement tools against government contractors receiving federal funds who fail to comply with mandated cybersecurity standards. This is essential to protect taxpayer dollars and maintain public trust.”

Coinciding Initiatives

The unveiling of this initiative coincides with the formation of a National Cryptocurrency Enforcement Team. This team will focus on tackling intricate investigations and criminal cases involving the misuse of cryptocurrency.

Proposed Ransom Disclosure Act

Senator Elizabeth Warren and Representative Deborah Ross have also proposed the Ransom Disclosure Act. This bicameral bill would mandate that victims of ransomware attacks disclose details of any ransom payments made within 48 hours.
