DOJ to go after government contractors that fail to report breaches

The Department of Justice (DOJ) said Wednesday it will go after federal contractors that fail to report cybersecurity incidents to the U.S. government.

“Today, we are launching a Civil Cyber Fraud Initiative,” Deputy Attorney General Lisa Monaco said at the virtual Aspen Institute Cyber Summit. “For too long, companies have chosen silence under the mistaken belief that it’s less risky to hide a breach than to bring it forward and to report it. Well, that changes today.”

Monaco said the initiative will allow the Justice Department to use its authorities under the False Claims Act to fine government contractors that “fail to follow required cybersecurity standards.”

“We are going to go after that behavior and extract very hefty fines, so this is a tool that we have to ensure that taxpayer dollars are used appropriately and to guard the public trust, and that is what we are going to do with respect to this civil fraud initiative,” Monaco said.

She added that protections will be provided to whistleblowers who report violations of federal cybersecurity standards by government contractors.

The new effort follows a wave of cyberattacks against critical organizations, including the SolarWinds hack, which allowed Russian government-linked hackers to compromise numerous federal agencies for much of 2020. Ransomware attacks against companies like Colonial Pipeline, meat producer JBS USA and IT company Kaseya have also wreaked havoc over the past year.

In response to the attacks, bipartisan lawmakers in the House and Senate have introduced several bills that would require federal agencies, critical infrastructure owners and operators and other organizations to report major breaches to the federal government.

Monaco wrote in a CNBC op-ed on Wednesday that Congress needs to take action to help “solve the ransomware threat” by approving breach reporting legislation.

“Congress can help close this gap by enacting legislation to create a national standard for reporting cyber incidents that pose significant risk, including ransomware and incidents that affect critical infrastructure and their supply chains,” she wrote.

In addition, Monaco on Wednesday announced that the Justice Department will establish a National Cryptocurrency Enforcement Team in an effort to “dismantle” cryptocurrency exchanges that are often used by hackers to facilitate ransomware payments by victims.

“We have been enforcing the securities law for decades, we police fraud on the markets, with insider trading cases, or market manipulation cases, and the point of course is to protect consumers and to ensure we can all have confidence in the markets that we are engaging in,” Monaco said.

“The same has got to be true as the technology advances, we need to evolve with it,” she said. “Cryptocurrency exchanges want to be the banks of the future, well, we need to make sure that folks have confidence when they are using these systems, and we need to make sure we are poised to root out abuse that can take hold on them, so the national cryptocurrency enforcement team is something we are launching today.”

This isn’t the first time the Justice Department has announced new steps to combat the rise in cyberattacks. The agency established a ransomware task force in April, and last month created a program to train prosecutors on how to handle cybersecurity cases.

“We need to use all of the tools that we can to disrupt malicious cyber activity,” Monaco said Wednesday.