US government to sue contractors who don’t report a breach
The Justice Department (DoJ) is poised to sue government contractors and other companies who receive US government grants if they fail to report breaches of their computer systems or misrepresent their cybersecurity practices, the department's No. 2 official has said.
Deputy Attorney General Lisa O. Monaco explained that the initiative allows the DoJ to pursue government contractors who don’t comply with cybersecurity standards or keep silent about a breach.
”We will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards,” said Deputy Attorney General Lisa O. Monaco.
The initiative, led by the Commercial Litigation Branch’s Fraud Section, will make use of the False Claims Act (FCA), which renders anyone who intentionally files false claims to the government liable.
“The initiative will hold accountable entities or individuals that put US information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches,” explained the DoJ.
The initiative will also:
- Build broader resilience against cybersecurity intrusions across the government, the public sector, and key industry partners
- Ensure that companies follow the rules and invest in meeting cybersecurity requirements
- Reimburse the government and taxpayer for the losses incurred when companies fail to satisfy their cybersecurity obligation
- Improve overall cybersecurity practices that will benefit the government, private users, and the American public
The action, unveiled at the Aspen Cyber Summit, is aimed at contractors who fail to report hacks or who knowingly provide deficient cybersecurity products. It's an outgrowth of an ongoing Justice Department cyber policy review, and is also part of a broader Biden administrative effort to incentivize contractors and private companies to share information with the government about breaches and to bolster their own cybersecurity defenses.
Officials have repeatedly spoken of the need for better private sector engagement as the government confronts a surge in ransomware attacks that in the last year have targeted critical infrastructure and major corporations.
The measure underscores the extent to which the government views cyberattacks as not just harmful to an individual company but also to the American public in general, especially given recent attacks against a major fuel pipeline and meat processor.