The US Department of Justice has said it will take civil legal action against federal contractors if they fail to report cyber attacks or data breaches.
The Civil Cyber-Fraud Initiative, introduced by Deputy Attorney General Lisa O. Monaco this week, will build on the existing False Claims Act (FCA) to “prosecute cybersecurity-related fraud by government contractors and beneficiaries of subsidies”.
The initiative will hold entities, such as federal contractors or individuals, accountable when they put America’s cyber infrastructure at risk by knowingly providing faulty cybersecurity products or services, according to a press release from the Department of Justice. Likewise, government contractors are now also subject to penalties for “breach of duty” to monitor and report cybersecurity incidents and breaches.
This is the latest response from the Biden administration following a spate of hacks targeting federal agencies including the Treasury, State Department and Homeland Security. The DOJ later blamed hackers working for Russia’s foreign intelligence service SVR for the spy campaign. Russian hackers broke into SolarWinds’ network and planted a backdoor in its Orion software, which helps businesses monitor their networks and fleets of devices, and pushed it directly to customer networks with a corrupted software update.
The initiative will help build “broad resilience” against cybersecurity intrusions in the public sector and support government efforts to identify, create and release patches for vulnerabilities in commonly used products and services, according to the DOJ. It will also help the government recoup losses from businesses that are found to have failed to meet government security standards.
“For too long, companies have chosen silence in the mistaken belief that it is less risky to hide a violation than to highlight it and report it,” Monaco said. “Well, that’s changing today. We are announcing today that we will use our civil enforcement tools to prosecute companies, those that are government contractors that receive federal funds, when they fail to meet required cybersecurity standards because we know that it puts us all in danger. It is a tool at our disposal to ensure that taxpayers’ money is used appropriately and to protect public revenue and public trust.”
The timing of the initiative’s unveiling coincides with the creation of a National Cryptocurrency Enforcement Team, which has been set up to tackle complex investigations and criminal cases of cryptocurrency abuse.
Also this week, Senator Elizabeth Warren and Representative Deborah Ross proposed a new bicameral bill, the Ransom Disclosure Act, which would require ransomware victims to disclose details of any ransom amount paid within 48 hours.