DOJ will sue federal contractors that hide cyberattacks and breaches

The U.S. Department of Justice has said it will launch civil legal action against federal contractors if they fail to report cyberattacks or data breaches.

The Civil Cyber-Fraud Initiative, introduced by Deputy Attorney General Lisa O. Monaco this week, will leverage the existing False Claims Act (FCA) to “pursue cybersecurity-related fraud by government contractors and grant recipients.”

The initiative will hold entities, such as federal contractors or individuals, accountable when they put U.S. cyber infrastructure at risk by knowingly providing flawed cybersecurity products or services, according to a DOJ press release. Similarly, government contractors now also face penalties for “violating obligations” to monitor and report cybersecurity incidents and breaches.

It’s the latest response by the Biden administration following a spate of hacks targeting federal agencies, including the Treasury, the State Department and Homeland Security. The DOJ later blamed hackers working for Russia’s foreign intelligence service, the SVR, for the espionage campaign. The Russian hackers broke into SolarWinds’ network and planted a backdoor in its Orion software, which helps companies monitor their networks and fleets of devices, and pushed it directly to customer networks with a tainted software update.

The initiative will help the government build “broad resiliency” against cybersecurity intrusions across the public sector and will support government efforts to identify, create and publicize patches for vulnerabilities in commonly used products and services, according to the DOJ. It will also help the government reclaim losses from companies found to have failed to meet the government’s security standards.

“For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it,” said Monaco. “Well that changes today. We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public fisc and public trust.”

The timing of the unveiling of the initiative coincides with the creation of a National Cryptocurrency Enforcement Team, which has been set up to tackle complex investigations and criminal cases of cryptocurrency misuse.

Also this week, Sen. Elizabeth Warren and Rep. Deborah Ross proposed a new bicameral bill, the Ransom Disclosure Act, which would require ransomware victims to disclose details of any ransom amount paid within 48 hours.