US DOJ to Fine Contractors for Failure to Report Incidents
DOJ Also Announces Formation of National Cryptocurrency Enforcement Team
The U.S. Department of Justice confirmed on Wednesday that it will pursue government contractors that fail to report cybersecurity incidents. Deputy Attorney General Lisa Monaco said the department's Civil Cyber-Fraud Initiative will use the False Claims Act, which imposes liability on those defrauding government programs, to hold entities accountable for "knowingly violating obligations to monitor and report incidents and breaches."
Also on Wednesday, Monaco announced the creation of a National Cryptocurrency Enforcement Team, or NCET, which she says will investigate and prosecute the misuse of cryptocurrency - particularly crimes committed by crypto exchanges, mixing and tumbling services used to obfuscate funds, and money laundering infrastructure.
'That Changes Today'
In a statement on the fraud initiative, Monaco said, "For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it. Well, that changes today."
She continued, "We will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards - because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public trust."
The effort stems from a comprehensive cyber review ordered by Monaco in May, officials confirmed.
The False Claims Act, the department noted on Wednesday, "is the government's primary civil tool to redress false claims for federal funds and property involving government programs and operations." It includes whistleblower provisions that allow private parties to assist in the identification and pursuit of fraudulent conduct, and it protects against retaliation.
The DOJ will target entities or individuals that knowingly put U.S. IT systems at risk by providing deficient cybersecurity products or services, knowingly misrepresent their cybersecurity practices or protocols, or knowingly violate obligations to monitor and report cybersecurity incidents and breaches.
Officials say the initiative will:
- Build broad resiliency against intrusions across the government, public sector and industry partners;
- Hold contractors and grantees to related commitments;
- Support efforts to identify, create and publicize patches for vulnerabilities;
- Reimburse the government and taxpayers for losses incurred when companies fail to satisfy cybersecurity obligations.
A (Costly) Deterrent?
Dr. Jonathan Hill, dean of the Seidenberg School of Computer Science and Information Systems at Pace University, tells ISMG, "This announcement is certainly an incentive to get companies to come forward with information. Sharing real-time experiences of attempted infiltration of computer systems can help protect others from enduring a similar fate."
Not all experts are convinced, however, that the effort can drive change.
Dr. Kenneth Williams, executive director for cyber defense and a program director for the cybersecurity programs at American Public University System, tells ISMG: "In spite of DOJ's great intention with this move, I am not optimistic this will succeed. There are several hundred thousand contractors associated with the federal government, from large companies such as Lockheed Martin with prime contracts to the small support with as few as one to two employees. What the DOJ is proposing is a huge undertaking with a massive cost to taxpayers and to the bottom line of the contractors whose primary concern is to show a profit."
And Hill adds: "The threat of legal action needs to be accompanied by a promise of greater, more proactive government support to help companies protect themselves from the very sophisticated attacks currently being launched by organized crime rings and nation-state military actors around the globe."
Wave of High-Profile Attacks
The DOJ's pursuit of fraud and reporting failures comes amid an increase in cyberattacks targeting key sectors - including the SolarWinds breach in which Russia-linked actors compromised some 100 organizations globally as well as nine federal agencies. There also have been crippling ransomware attacks, including one on Colonial Pipeline, which temporarily halted the East Coast's fuel supply; one on meat producer JBS USA, and one on managed service provider Kaseya, in which some 1,500 downstream organizations were crypto-locked in July.
Bipartisan lawmakers in recent weeks have introduced legislation that would impose both cybersecurity incident and ransom payment reporting requirements on certain organizations, particularly those considered critical infrastructure. The windows for reporting - among competing bills - range from 24 to 72 hours.
A bill introduced by Sens. Gary Peters, D-Mich., and Rob Portman, R-Ohio, passed the Homeland Security and Governmental Affairs Committee by a voice vote on Wednesday.
In the proposed legislation, certain organizations would be required to report ransom payments within 24 hours of delivery, and owners and operators of critical infrastructure would be required to report security incidents to the Cybersecurity and Infrastructure Security Agency within 72 hours of discovery (see: New Legislation Eyes Both Ransom, Incident Reporting).
Crypto Enforcement Team
As for the department's National Cryptocurrency Enforcement Team, or NCET, Monaco said Wednesday it will be supervised by Assistant Attorney General Kenneth Polite and draw on resources from the Criminal Division's Money Laundering and Asset Recovery Section and its Computer Crime and Intellectual Property Section, working alongside U.S. attorneys' offices.
The deputy attorney general said NCET will trace and help recover assets lost to fraud and extortion - including crypto payments to ransomware groups.
On the effort, Monaco said: "[The team will] draw on the department's cyber and money laundering expertise to strengthen our capacity to dismantle the financial entities that enable criminal actors to flourish - and quite frankly to profit - from abusing cryptocurrency platforms.
"As the technology advances, so too must the department evolve with it so that we're poised to root out abuse on these platforms and ensure user confidence in these systems."
The department noted on Wednesday that cryptocurrency continues to be used in a variety of criminal activities - including serving as the demand mechanism for ransomware payments, money laundering and the operation of illegal or unregistered money services businesses. Officials acknowledged that virtual currencies continue to be the preferred means of exchange on the darknet for drugs, weapons, malware and other hacking tools.
'Building on Leadership'
On NCET's formation, Polite said: "The creation of this team will build on [our] leadership by combining and coordinating expertise across the division in this continuously evolving field to investigate and prosecute the fraudulent misuse, illegal laundering and other criminal activities involving cryptocurrencies."
Additional NCET duties will include:
- Identifying areas for increased investigative and prosecutorial focus;
- Developing and maintaining relationships with federal, state, local and international law enforcement agencies;
- Training and advising federal prosecutors and law enforcement agencies, particularly on search and seizure warrants, restraining orders, criminal and civil forfeiture allegations, indictments and other pleadings;
- Supporting information and evidence sharing among law enforcement offices;
- Collaborating with private sector entities with expertise in crypto matters.