Complying with the DoJ's Civil Cyber-Fraud Initiative
Under the Department of Justice’s (DoJ) new Civil Cyber-Fraud Initiative, government contractors will be under enhanced accountability for implementing cybersecurity measures and reporting breaches and incidents. The DoJ’s unveiling of the initiative comes in response to criticism of current department security protocols, which have often wavered across the board and permitted cybersecurity-related fraud through a lack of enforcement.
The Civil Cyber-Fraud Initiative will focus both on standardizing cybersecurity procedures for government contractors to follow and on curbing cybersecurity-related fraud where companies fail to report cyber incidents.
The new initiative will give teeth to enforcement by specifying that the DoJ cooperates with the attorney general’s office to pursue fraudulent contractors through use of the pre-existing False Claims Act. Specifically, the new initiative seeks to stamp out the current practice among some contractors where breaches are concealed rather than reported, which creates a huge security risk for government agencies.
The False Claims Act, which was originally instituted in 1863 to curb fraud by government contractors during the Civil War, will be used to 1) pursue contractors who fail to comply with DoJ cybersecurity regulations and 2) hold companies in violation liable for losses incurred by the federal government.
The DoJ’s announcement of the new initiative comes in response to President Biden’s "Executive Order on Improving the Nation’s Cybersecurity" issued in May 2021, which was instituted to strengthen the government’s ability to respond to cybersecurity attacks and improve the overall state of national cybersecurity.
In the wake of last year’s SolarWinds hack, which saw multiple federal departments infiltrated, all federal agencies were ordered to conduct internal reviews of their current cybersecurity procedures and develop mitigation plans.
The Civil Cyber-Fraud Initiative is the next step in strengthening cybersecurity and clarifies the federal government’s intentions to expand and enhance the role of the DoJ in fighting cyberattacks and pursuing cyber-related crime; however, this greatly changes the cybersecurity landscape for companies wishing to remain compliant.
What your business needs to know
The DoJ’s announcement identifies several types of actions for which it intends to hold individuals and companies accountable under the False Claims Act.
Firstly, government contractors can be fined a maximum of $23,000 for failure to report an incident. However, in addition to the legal penalties, companies will be held financially liable for up to three times the government's losses. Therefore, if a company fails to report an incident, it will both pay legal fines and be responsible for reimbursing the money lost by the government -- these fees can grow exponentially, so companies must be vigilant with compliance.
Of note, the Civil Cyber-Fraud Initiative also includes a whistleblower clause, which allows private parties who provide information relevant to an incident to share in any assets recovered.
Considering the serious financial implications of non-compliance, it is important to remain ahead of the curve. To avoid breaching the new regulations and paying hefty penalties, government contractors must:
- Be frank about your current cybersecurity procedures -- misrepresenting your current security protocols is also subject to fines
- Monitor and immediately report breaches
- Provide only optimum cybersecurity products or services -- knowingly providing deficient products or services will result in similar financial penalties
- Develop strong teams dedicated to data security that continually monitor system activity
Ultimately, these new requirements are intended to build a culture of trust between the government and its contractors, where honesty and reliability are rewarded and clandestine activities penalized.
Raising the stakes on compliance
Contractors now face much greater penalties for failure to report breaches and other omissions, which therefore creates a pressing business case for government contractors to implement the required cybersecurity safeguards.
Traditionally, the DoJ’s cybersecurity efforts primarily focused on pursuing hackers or cybersecurity criminal syndicates. The Civil Cyber-Fraud Initiative represents a shift away from this approach, under which only the "bad guys" were pursued. Now, government contractors who fail to report cyberattacks and other breaches may find themselves at the receiving end of the DoJ’s and attorney general’s legal pursuits.
Ultimately, as cyberattacks become an ever-pressing national security threat, the risk posed by thousands of government contractors failing to implement rigorous cybersecurity procedures creates too great a vulnerability, which has forced the DoJ to begin pursuing contractors in non-compliance.
The Civil Cyber-Fraud Initiative is merely the latest statute in a rapidly changing regulatory landscape as cyberattacks become more advanced and ubiquitous. The constantly shifting cybersecurity protocols ultimately require constant attention and alertness by contractors, who will need to start dedicating more resources to ensure they’re appropriately managing their legal obligations.