Justice Department to Fine Contractors for Not Reporting Cyber Incidents

The Justice Department will impose large fines on federal contractors that fail to meet what its second in command said are “required cybersecurity standards,” including the disclosure of cybersecurity breaches.

Deputy Attorney General Lisa Monaco unveiled the new policy Wednesday at a cybersecurity conference hosted by The Aspen Institute, a nonprofit research and policy organization, saying that “For too long, companies have chosen silence under the mistaken belief that it’s less risky to hide a breach than to bring it forward and to report it. Well, that changes today.”

“Where those who are entrusted with government dollars, who are entrusted to work on sensitive government systems fail to follow required cybersecurity standards, we’re going to go after that behavior and extract very hefty, very hefty fines,” she said.

The Justice Department will use powers under the False Claims Act, a law that targets people or organizations that defraud the U.S. government, and whistleblower protections will be included, Ms. Monaco said.

Companies that receive federal funds and knowingly misrepresent their defenses, supply faulty cybersecurity equipment or fail to report incidents are all covered under the new initiative, according to the Justice Department. It didn’t respond to a request for comment.

Under the FCA, a Civil War-era law, it is a violation to submit a claim for funds to the government that includes false information, such as a contractor sending an invoice for work it didn’t do, said Kellen Dwyer, a partner in the cybersecurity and government investigations group at law firm Alston & Bird.

The Justice Department said it obtained more than $2.2 billion in settlements and judgments under the FCA in the fiscal year ending Sept. 30, 2020, mainly through violations in the healthcare sector.

An “aggressive” use of the FCA in the cybersecurity realm is part of the Biden administration’s push to use executive powers to compel companies to report cyber incidents and comply with security standards, said Mr. Dwyer, a former deputy assistant attorney general in the Justice Department’s National Security Division, where he worked on issues involving state-sponsored hacking.

For the FCA to be most effective in these situations, contracts between companies and federal bodies could require, for example, that a firm submitting an invoice certify that it has complied with cybersecurity requirements, Mr. Dwyer said.

“Every time you submit an invoice, you’d have to include a provision that we have not had any cyber incidents that we have not reported. If you know that you’ve had an incident, then that’s potentially a false claim,” he said.

But laws such as the FCA were written in different times, and weren’t designed to combat cybercrime, said Lisa MacLean, director of cybersecurity education at the Flatiron School, an educational organization in New York City. A review of existing legal powers used to prosecute cybersecurity matters may be needed in the near future to ensure they are fit for that purpose, she said.

“There needs to be a balance between making sure that there is some kind of an incentive for companies to avoid these things, without completely ruining their reputation or their livelihood,” Ms. MacLean said.

The Justice Department initiative comes amid increasing scrutiny by the government and Congress of how federal agencies, contractors and critical infrastructure operators secure their computer systems.

In May, President Joe Biden issued an executive order mandating various cybersecurity overhauls for federal agencies and those who do business with the government, including the use of multifactor authentication. And in recent weeks, the House and the Senate have debated new laws that would require certain companies to report serious cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency.

Additionally, the Transportation Security Administration issued two sets of cybersecurity requirements for pipeline operators this summer, after a May ransomware attack on Colonial Pipeline Co. forced a six-day shutdown of a major East Coast fuel artery. Homeland Security Secretary Alejandro Mayorkas said Wednesday that further TSA guidelines will be issued for the most important railroad and airport operators.

These initiatives and other actions to mitigate the effects of cybercrime reflect how the U.S. government is approaching cybersecurity as a national security issue, said Tom Kellermann, head of cybersecurity strategy at software company VMware Inc., by using a range of civil and criminal authorities across agencies to force changes in cybersecurity.

“The long-term sustainability of the American economy is completely underpinned and dependent on cybersecurity,” Mr. Kellermann said.

Write to James Rundle at james.rundle@wsj.com and Kim S. Nash at kim.nash@wsj.com

Copyright ©2021 Dow Jones & Company, Inc. All Rights Reserved.