US poised to sue contractors who don’t report breaches
WASHINGTON — The Justice Department is poised to sue government contractors and other companies who receive U.S. government grants if they fail to report breaches of their computer systems or misrepresent their cybersecurity practices, the department’s No. 2 official said Wednesday.
Deputy Attorney General Lisa Monaco said the department is prepared to take action under a statute called the False Claims Act that permits the government to file lawsuits over misused federal funds. The Justice Department will also protect whistleblowers who come forward to report those issues, she said.
“For too long, companies have chosen silence under the mistaken belief that it’s less risky to hide a breach than to bring it forward and to report it. Well, that changes today,” Monaco said.
The action, unveiled at the Aspen Cyber Summit, is aimed at contractors who fail to report hacks or who knowingly provide deficient cybersecurity products. It’s an outgrowth of an ongoing Justice Department cyber policy review, and is also part of a broader Biden administration effort to incentivize contractors and private companies to share information with the government about breaches and to bolster their own cybersecurity defenses.
Officials have repeatedly spoken of the need for better private sector engagement as the government confronts a surge in ransomware attacks that in the last year have targeted critical infrastructure and major corporations.
The measure underscores the extent to which the government views cyberattacks as not just harmful to an individual company but also to the American public in general, especially given recent attacks against a major fuel pipeline and meat processor.
“Where those who are entrusted with government dollars, who are entrusted to work on sensitive government systems, fail to follow required cybersecurity standards, we’re going to go after that behavior and extract very hefty fines,” Monaco said.
Monaco also announced the creation of a new cryptocurrency enforcement team within the department — drawing from experts in cybersecurity and money laundering — aimed at destabilizing the financial ecosystem that drives ransomware attacks and the criminal hacking gangs behind them.
The action follows Treasury Department sanctions last month against a Russia-based virtual currency brokerage that officials say helped at least eight ransomware gangs launder virtual currency.