Alert
10.25.21
On October 6, 2021, the Department of Justice (DOJ) announced a new initiative aimed at the growing threat of cyberattacks. The Civil Cyber-Fraud Initiative (Initiative), led by the Civil Division’s Commercial Litigation Branch, will use the False Claims Act (FCA) to impose penalties on government contractors and grant recipients that fail to follow the cybersecurity standards their awards require.
The Initiative aims to hold accountable those who put federal agency information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating their obligations to monitor and report cybersecurity incidents and breaches.
Other goals of the Initiative include:
DOJ officials foreshadowed the Initiative in February, when Acting Assistant Attorney General Brian Boynton, speaking at a qui tam conference, identified cybersecurity as one of six priorities of the Civil Division. The move also follows a recent trend of FCA enforcement actions against contractors and grantees that violated the cybersecurity regulations and requirements attached to their awards; the FCA’s qui tam provisions encourage private parties to report such violations by allowing whistleblowers to share in any recovery.
To better protect federal agencies and guard against the threat of cyberattacks, the Initiative will “extract very hefty fines” and “protect whistleblowers who bring those violations and those failures forward.”
DOJ’s announcement leaves open many important questions for government contractors and agencies alike. For example, it is unclear how DOJ will define “deficient” cybersecurity products and services, and what criteria will trigger an investigation into whether a given product or service is “deficient.” Similarly, it is unclear what standard DOJ will apply in deciding whether a contractor “misrepresented” its practices or “knowingly” violated its monitoring and reporting obligations; different contracting agencies may set different expectations for those terms. It also is unclear how the Initiative will be harmonized with President Biden’s May 12, 2021 Executive Order directing the adoption of zero trust architectures (ZTA) across government. By design, ZTA assumes that an attacker may already have a foothold inside an information system and limits what that foothold can reach, so an incident is not by itself evidence of deficient security; DOJ may therefore have to coordinate with other federal agencies to ensure that enforcement priorities do not work against those cybersecurity strategies. Finally, DOJ’s announcement does not address how the Initiative will apply to subcontractors and vendors, or whether prime contractors will face liability if their supply chains fail to meet cybersecurity obligations.
The Initiative comes at a time when government contractors are preparing to comply with other cybersecurity initiatives, including the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) program. The Initiative raises the stakes for failure to comply with cybersecurity obligations. Thus, government contractors and other companies that receive government funding must ensure—now more than ever—that they have sufficient systems in place to comply with the obligations relating to cybersecurity under their government contracts, including safeguarding data and reporting cybersecurity incidents.