Leading lawyers expect increased government actions under the False Claims Act to enforce cybersecurity requirements for contractors, as evidenced by recent court actions in two major cases involving extensive federal investigations about data protection claims.
“So the gloves have come off, and we've seen a few cases, they're just starting to pop up, where [the Department of Justice] is going after, or through a qui tam action,” a lawsuit where a private individual is assisting prosecutors, to enforce cybersecurity requirements, according to Johana Reed of the law firm McMahon, Welch and Learned.
Reed and Jennifer Short, of the law firm KaiserDillon, pointed to actions this year in two separate court cases involving contractor claims about cybersecurity compliance as indications of future enforcement efforts under the False Claims Act related to data-security requirements.
Jennifer Short, Partner, KaiserDillon PLLC
The federal government's use of the FCA opens up a whole new legal front on cybersecurity enforcement, the lawyers say.
Johana "Jody" Reed, Counsel, McMahon, Welch and Learned
“I've heard people say that cybersecurity is the next Medicare fraud under the False Claims Act, as far as DOJ is concerned,” Reed said. “Is it true? I obviously don't know because I'm not a DOJ attorney. But in conversations I've heard it often enough that I've got to believe there's at least some level of truth to it.”
Reed and Short will be speaking at the Federal Bar Association's annual meeting Sept. 5-7 in Tampa, FL, as part of a panel discussion that will include SAIC Chief Information Security Officer Alicia Lynch. All three panelists spoke with Inside Cybersecurity in separate interviews to provide a preview of what they plan to discuss on the panel titled “Cybersecurity Compliance: The Next Wave of FCA Enforcement?”
The two cases cited by the lawyers on the panel include an agreement announced July 31 under which Cisco Systems will pay the federal government and 15 states an $8.6 million settlement over alleged misrepresentations about the cybersecurity compliance of its surveillance equipment. That case was filed in the U.S. district court for western New York.
The second case is pending against Aerojet Rocketdyne Holdings, in which a former employee “whistleblower” is accusing the company of falsely certifying to the government that it was in compliance with the Defense Department's cybersecurity requirements. The U.S. district court for eastern California has scheduled an Oct. 27, 2020, trial in the case, after it rejected Aerojet's motion to dismiss in May.
“There's a lot of ambiguity in what is required,” said Short. “But what these cases say, initially to me, is it's less about the fact of the contractors' non-compliance. It's really more about what's catching the court's attention in [the Aerojet case], and what I think was catching attention in the other case, is it's really about the cover-up, the not disclosing.”
Short described the issue in this way: “So the contractor knows that it has an issue and hasn't told its government customers or its prime contractors, or the resellers. It has not disclosed the fact that there is a known vulnerability or a failure to meet these standards.”
Short noted that, unlike more traditional cybersecurity claims, which focus on what constitutes compliance and can be difficult to resolve in the face of changing requirements, the FCA cases focus on what was not disclosed.
“So where I think you see these cases coming in, it's not the non-compliance -- those allegations are there -- but both of these cases are saying, 'Look, these companies knew that they had problems and they didn't come forward to disclose,'” Short said.
At issue in both cases are cybersecurity requirements imposed on federal contractors under the National Institute of Standards and Technology's Special Publication 800-171, which is in the process of being revised to include tougher requirements in response to “advanced persistent threats” from foreign adversaries such as China and Russia.
At the same time, the Defense Department is working on the Cybersecurity Maturity Model Certification for contractors, expected to be released in January 2020, with DOD officials planning to include the CMMC in requests for information by next June. The standard will contain five different levels, ranging from basic cyber controls to strict security requirements.
Alicia Lynch, SAIC Chief Information Security Officer
SAIC's Lynch cited the upcoming CMMC to argue that the certification program should reduce the number of contractor “false claims” alleged by the government.
“If a company validates to the government that they are compliant to 171 controls, and there's a breach where the government can link to the lack of a tech control that was implemented, there's your opening to a False Claims action,” Lynch said. “When you have an outside assessing entity come in, they are going to identify where the gaps are -- vulnerabilities and lack of controls -- [and] organizations will then remediate or mitigate the issues, leading to less false claims, once [DOD] implements the CMMC.”
She also expressed strong support for current and upcoming revisions to NIST 800-171. “I think I would embrace the NIST 800-171 controls and the new standards the government is putting out. It's good for the government and the country,” she said in describing what she plans to tell the FBA audience next week.
“The 171 controls and the draft 171B are good basic cyber hygiene,” she said. “These things are your battle rhythm for cyber. Accept this as the norm and embrace it.” -- Rick Weber