In announcing the “Civil Cyber-Fraud Initiative” in early October, Deputy Attorney General Lisa Monaco stated that DOJ “will utilize the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients.”
The efficacy of the government’s approach remains to be seen, but the Initiative provides a stark warning to defense contractors that failure to maintain adequate cybersecurity practices and procedures could lead to enforcement actions.
DOJ Announcement of the Civil Cyber-Fraud Initiative
The Initiative “is a direct result of the department’s ongoing comprehensive cyber review” that began in May 2021, which was “aimed at developing actionable recommendations to enhance and expand the Justice Department’s efforts against cyber threats,” according to the DOJ’s press release announcing the Initiative on October 6.
DOJ intends to use the False Claims Act to “hold accountable” those who “put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.” The overarching goal of the Initiative is to improve “overall cybersecurity practices” pertaining to sensitive information and critical systems, including the reporting of cyberattacks. Deputy Attorney General Monaco stated that, “For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and report it. Well that changes today.”
Critics may question whether the False Claims Act, which is the government’s primary anti-fraud tool, is an appropriate means of enhancing contractor cybersecurity. As the Supreme Court explained in Universal Health Services, Inc. v. United States ex rel. Escobar, 579 U.S. 176 (2016), the FCA is not “a vehicle for punishing garden-variety breaches of contract or regulatory violations.” With a treble damages provision, and hefty civil penalties currently set at between $11,665 and $23,331 per false claim, the FCA may also be viewed as a heavy-handed way to deal with cybersecurity compliance issues.
On the other hand, high-profile cybersecurity attacks such as the 2020 attack on SolarWinds and this summer’s attack on Colonial Pipeline underscore the need to strengthen cybersecurity at some companies to safeguard national security. The Initiative is part of a larger government response to cyber intrusions. President Biden signed an Executive Order in May 2021 aimed at improving national cybersecurity and protecting government networks. In July 2021, a bipartisan group of senators introduced the Cyber Incident Notification Act of 2021, S. 2407, which would require federal agencies, contractors, and critical infrastructure operators to notify DHS-CISA when a breach is detected so that the federal government can respond. If passed, the bill would grant limited immunity to companies that come forward to report a breach.
Irrespective of one’s views on the Initiative, defense contractors would do well to heed DOJ’s warnings. Even without the threat of an FCA action, the importance of adequate cybersecurity practices and procedures is clear. Cyberattacks can cripple a company’s operations, damage its reputation and ability to attract customers, and expose sensitive or valuable information. The threat of an FCA action compounds these risks for a defense contractor.
Potential Efficacy of the Initiative and Current Test Case
While government contractors have reason to heed DOJ’s warnings, they may not agree that their failure to do so violates the FCA. This fight is currently playing out in a federal district court in the Eastern District of California, in a qui tam case that may pose an early test to the Initiative’s efficacy.
In United States ex rel. Markus v. Aerojet RocketDyne Holdings, Inc., a former Senior Director of Cyber Security, Compliance, and Controls at aerospace contractor Aerojet RocketDyne Inc. and Aerojet RocketDyne Holdings, Inc. (collectively, AR) accused AR of fraudulently obtaining billions of dollars of NASA and DoD contracts and subcontracts while failing to maintain mandatory NASA Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulations Supplement (DFARS) cybersecurity requirements, in violation of the FCA. In a recent filing, the relator also asserted that AR experienced data breaches during that time that, according to an outside auditor, allowed a foreign nation to exfiltrate sensitive data, an allegation AR disputes. The government declined to intervene in the case in June 2018.
In May 2019, the district court denied AR’s motion to dismiss, holding that the relator plausibly pled that AR’s “alleged failure to fully disclose its noncompliance was material to the government’s decision to enter into and pay on the relevant contracts.” United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., 381 F. Supp. 3d 1240 (E.D. Cal. 2019).
The parties filed cross motions for summary judgment in September 2021, just weeks before DOJ announced the Initiative. AR argued that its noncompliance was not material to the government’s payment decisions, and that there were no damages because AR delivered under the contracts. While DOJ remained quiet at the motion to dismiss stage in 2019, it filed an aggressive 13-page Statement of Interest in response to AR’s summary judgment motion on October 20, 2021.
DOJ’s Statement of Interest vigorously opposed AR’s arguments that noncompliance with cybersecurity requirements was immaterial to government payment decisions, claiming that materiality was not lacking merely because the government paid claims while aware of compliance problems in the industry writ large, or even while aware of some of the alleged compliance problems at AR. DOJ also argued that AR’s argument that damages are lacking “ignores that the government did not just contract for rocket engines, but also contracted with AR to store the government’s technical data on a computer system that met certain cybersecurity requirements.”
Although DOJ’s Statement of Interest does not reference the Initiative, it can be understood as the Initiative’s opening salvo, presaging the types of materiality and damages arguments the government will likely assert in the coming years under the Initiative. In the same vein, the district court’s ultimate decision in Markus could provide an early indication of how courts around the country may adjudicate cases brought under the Initiative.
While the efficacy of the Initiative remains to be seen, government contractors, grantees, and others who receive federal funds should heed DOJ’s warnings and maintain strong cybersecurity protocols, practices, and procedures. Not only is this good business, but it will mitigate risks posed by a government investigation or whistleblower suit, which could give rise to substantial treble damages and civil penalties under the FCA, as well as debarment.
Given these risks, entities that receive a government subpoena, CID, or internal complaint related to their cybersecurity protocols or practices should consider retaining experienced FCA counsel to help them assess risk and navigate these complex issues.