Amid an onslaught of high-profile cyberattacks showing how companies often neglect basic security measures, the Department of Justice is trying to use a law passed during the Civil War to put businesses on notice that these failures are unacceptable.
Under the umbrella of DOJ’s Civil Cyber-Fraud Initiative, federal prosecutors have since early 2022 deployed the pointedly named False Claims Act to punish contractors that mislead the government about their cybersecurity defenses, hoping to send a shot across the bow of other vendors that aren’t complying with rules intended to fend off hackers.
It’s an approach that reflects the goals in President Joe Biden’s National Cybersecurity Strategy, which emphasizes holding companies to a higher standard of cybersecurity and shifting the burden of combating hackers from customers to vendors.
The government has already closed five cyber-fraud cases as part of the initiative, with the defendants ranging from a rocket manufacturer to a web hosting firm to the telecom giant Verizon. And despite the business community’s concerns about the burden of another new accountability measure for cyber negligence, the Justice Department is promising more prosecutions in the months ahead.
“We are seeing a steady tempo of cases,” a senior Justice Department cyber official said in an interview, “and there’s going to be more to come.”
From sick horses to cybersecurity
As high-profile hacks of major companies have demonstrated, corporate executives often prioritize profits over cybersecurity. The Biden administration has spent the past three years trying to change that, primarily by using the government’s massive purchasing power as a cudgel to shape the behavior of federal contractors, in the hope that improvements will ripple outward across the entire industry.
DOJ’s Civil Cyber-Fraud Initiative, announced in October 2021, represents the administration’s strategy for enforcing cybersecurity rules in federal contracts — and putting contractors on notice about the seriousness of failing to protect their computer systems and the sensitive government data they often store.
“This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public fisc and public trust,” Deputy Attorney General Lisa Monaco said in announcing the initiative.
The program is an extension of DOJ’s long-running effort to hold accountable contractors that defraud the government. It is built around the 1863 False Claims Act, which makes it a crime for someone seeking federal payments to misrepresent the quality of services being provided to the government. The law — a response to widespread dishonesty by Civil War contractors who sold the Union Army sick horses, faulty weapons and spoiled food — includes a provision that financially rewards corporate whistleblowers who report their employers’ fraud.
The cyber-fraud initiative predates the release of Biden’s cyber strategy, but the administration sees it as a logical extension of the strategy’s goals.
The initiative fits into the White House’s focus on “incentivizing and shaping the market forces” driving companies’ cybersecurity decisions, said the senior DOJ cyber official, who requested anonymity to delve behind the scenes of the department’s legal strategy.
The cyber strategy’s first implementation plan, released in July 2023, urged DOJ to use the initiative to “expand efforts to identify, pursue, and deter” contractors’ willful cybersecurity failures.
“Now that the initiative is part of the national strategy,” the DOJ official said, “it’s gotten even more amplified.”
Vulnerable satellites and insecure pandemic data
In the two and a half years since its launch, the cyber-fraud initiative has spawned five settlements, and DOJ says more are on the way.
The existing cases follow a familiar pattern, with companies allegedly making claims about their security practices that they knew to be false, resulting in material harm to government agencies or federally funded projects.
In March 2022, Florida-based Comprehensive Health Services LLC paid $930,000 to settle allegations that it misrepresented how safely it stored medical records in a system that it built for the State Department and the U.S. Air Force. In July 2022, California-based Aerojet Rocketdyne Inc. paid $9 million to settle allegations that it misrepresented its compliance with cybersecurity requirements in contracts for propulsion and power systems for satellites, missiles and other critical technology.
In March 2023, Florida-based Jelly Bean Communications Design LLC and its manager agreed to pay $293,000 for allegedly failing to protect data stored on a state children’s health insurance portal. (Jelly Bean’s case was the only one that involved an actual data breach.) In September 2023, telecom giant Verizon agreed to pay more than $4 million for allegedly failing to meet cybersecurity standards on a secure internet gateway platform for federal agencies. And earlier this month, Georgia-based Insight Global LLC paid $2.7 million to settle allegations that it failed to digitally secure data collected during a Covid-19 contact-tracing program.
“What we’re seeing is quite a wide range of types of contracts and kinds of cases and affected agencies,” the DOJ official said.
“Dozens of attorneys” in the Fraud Section of DOJ’s Civil Division are each currently handling at least one cyber-fraud case, according to the official.
“The initiative’s focus in this space has certainly started ramping up expertise and focus on this particular area,” the official said. “Stay tuned for more announcements to come.”
These prosecutors, who partner on cases with colleagues in the 93 U.S. Attorney’s offices around the country, don’t necessarily specialize in cybersecurity. But many of them are experts in False Claims Act investigations, giving them vital experience with the often-difficult task of proving fraud.
DOJ isn’t just pursuing violators. In 2022, Civil Division lawyers began reviewing new federal contracts to ensure that their cybersecurity requirements were clear and legally enforceable.
Addressing fears about ‘an impossible position’
As prosecutors lean into the cyber-fraud initiative, businesses and their outside counsels have eyed the project warily, worried that DOJ’s aggressive approach could unfairly penalize them.
“We don’t encounter companies knowingly providing [services in a manner that is] substandard, but even to be accused would be devastating for many,” said Luke Dembosky, a former top DOJ national security official who now co-leads Debevoise & Plimpton’s cyber practice.
Behind the scenes, executives are grumbling, according to Adam Hickey, who succeeded Dembosky as deputy assistant attorney general for national security in 2016 and is now a partner at Mayer Brown.
Chief information security officers have expressed “concerns that they are in an impossible position,” Hickey said.
The Biden DOJ has tried to reassure companies that it is only interested in prosecuting willfully negligent contractors.
“We recognize that most entities and individuals who do business with the government … take their cybersecurity obligations seriously,” the DOJ official said, “and that sometimes cyber incidents and breaches occur because of accidents or innocent mistakes. Those are not the kinds of cases that we’re focused on as part of the initiative.”
DOJ officials have fanned out across the business community to deliver this message and calm tensions. Monaco, the deputy attorney general, has spoken at several conferences, as has Brian Boynton, a top Civil Division official overseeing the initiative. Maya Song, a senior adviser to Monaco who handles cyber issues, spoke at a White House event in April that explored legal frameworks for holding software vendors accountable for security vulnerabilities. Department officials have also discussed the project at conferences hosted by “legal bar associations, trade groups, universities, and continuing legal education groups,” a DOJ spokesperson said.
According to the spokesperson, industry feedback indicates that companies “recognize the need for a greater focus on compliance with cybersecurity obligations given the department’s enforcement efforts.”
Explaining the initiative to the business community could even make it more successful, the DOJ official said, “because so much of our work depends on companies coming forward and self-disclosing or cooperating.”
The government offers an olive branch to companies that disclose False Claims Act violations after discovering them: a “cooperation credit” in the form of a reduction to their penalty. Prosecutors offered such a credit to Verizon, and the DOJ official said the government very deliberately highlighted this reward in the settlement announcement. The official wouldn’t say much about the credit, except that it depends on how a company fixes its problem and how responsible employees are disciplined.
From carrot to stick
The Civil Cyber-Fraud Initiative may represent the Biden administration’s strictest oversight of negligent companies, but it is far from the only way in which the administration is trying to improve the private sector’s digital security posture.
The Cybersecurity and Infrastructure Security Agency (CISA), the Securities and Exchange Commission (SEC) and the Department of Housing and Urban Development (HUD) have new or pending rules requiring companies to disclose when they are hacked. The White House also is pushing other agencies to enact new cyber rules for companies that provide critical infrastructure to Americans. “You can almost see policymakers throwing up their hands in frustration that cajoling and information sharing hasn’t worked to improve cybersecurity,” Hickey said.
In this context, the cyber-fraud initiative is “another sign of the shift from the carrot to the stick approach” that has been the hallmark of the Biden administration’s cyber agenda, according to Dembosky.
Meanwhile, there is likely no shortage of potential new cases for prosecutors to pursue. The Justice Department is currently considering whether to join a lawsuit filed by a Penn State University IT executive who says the university — a military contractor — failed to protect sensitive government data.