[The security box] US gov’t will slap contractors with civil lawsuits for hiding breaches

Jared Rimer jaredrimer at 986themix.com
Tue Oct 19 12:50:30 EDT 2021


I'm going through articles trying to see what I want to cover for News 
Notes.

While this was sent about a week ago, I'm not really sure how successful 
this is going to be.

The problem is that no company knowingly puts us at risk, and yet, 
after a breach, their silence does us no good.  The article states that 
they'll go after them if they knowingly put us at risk, but I don't know 
if the company that got breached would knowingly have the breach or 
problem to begin with!  I've got questions about this one.

Jared Rimer
Check out my shows on 986 the mix. www.986themix.com/schedule for more 
info. Shows are on Wednesdays, Saturdays and Sundays
Wednesday's show is on the independent channel. Check schedule for time
www.jaredrimer.net for my other site.

On 10/13/2021 9:34 PM, Michael Brock via Thesecuritybox wrote:
> 
> US gov’t will slap contractors with civil lawsuits for hiding breaches
> Ars Technica  /  Ax Sharma
> 
> Civil Cyber-Fraud Initiative mandates data-breach reporting for gov't 
> contractors.
> 
> In a groundbreaking initiative announced by the Department of Justice 
> this week, federal contractors will be sued if they fail to report a 
> cyber attack or data breaches. The newly introduced "Civil Cyber-Fraud 
> Initiative" will leverage the existing False Claims Act 
> <https://en.wikipedia.org/wiki/False_Claims_Act> to pursue contractors 
> and grant recipients involved in what the DoJ calls "cybersecurity 
> fraud." Usually, the False Claims Act is used by the government to 
> tackle civil lawsuits over false claims made in relation to federal 
> funds and property connected with government programs.
> 
> Cyber contractors chose silence “for too long”
> 
> "For too long, companies have chosen silence under the mistaken belief 
> that it is less risky to hide a breach than to bring it forward and to 
> report it,” states Deputy Attorney General Lisa O. Monaco, who is 
> pioneering the initiative. "Well, that changes today. We are announcing 
> today that we will use our civil enforcement tools to pursue companies, 
> those who are government contractors who receive federal funds, when 
> they fail to follow required cybersecurity standards—because we know 
> that puts all of us at risk. This is a tool that we have to ensure that 
> taxpayer dollars are used appropriately and guard the public fisc and 
> public trust."
> 
> The introduction of the Civil Cyber-Fraud Initiative is the "direct 
> result" of the department's ongoing thorough review of the cybersecurity 
> landscape ordered by the deputy attorney general in May. The goal behind 
> these review activities is to develop actionable recommendations that 
> enhance and expand the DoJ's efforts for combating cyber threats.
> 
> The launch of the Initiative aims to curb new and emerging cybersecurity 
> threats to sensitive and critical systems by bringing together 
> subject-matter experts from civil fraud, government procurement, and 
> cybersecurity agencies.
> 
> The development comes at a time when cyberattacks are rampant, and 
> advanced ransomware gangs repeatedly target critical infrastructures, 
> such as the Colonial Pipeline 
> <https://arstechnica.com/information-technology/2021/05/colonial-pipeline-paid-a-5-million-ransom-and-kept-a-vicious-cycle-turning/> 
> and health care facilities 
> <https://arstechnica.com/gadgets/2021/08/hospitals-hamstrung-by-ransomware-are-turning-away-patients/>.
> 
> Provisions of the act would protect whistleblowers
> 
> The Civil Cyber-Fraud Initiative will utilize the False Claims Act, aka 
> the "Lincoln Law," which serves as a litigative tool to the government 
> when placing liability on those who defraud government programs.
> 
> "The act includes a unique whistleblower provision, which allows private 
> parties to assist the government in identifying and pursuing fraudulent 
> conduct and to share in any recovery and protects whistleblowers who 
> bring these violations and failures from retaliation," explains the DoJ 
> in a press release 
> <https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative>.
> 
> The initiative will hold entities, such as federal contractors or 
> individuals, accountable when they put US cyber infrastructure at risk 
> by /knowingly/ "providing deficient cybersecurity products or services, 
> knowingly misrepresenting their cybersecurity practices or protocols, or 
> knowingly violating obligations to monitor and report cybersecurity 
> incidents and breaches."
> 
> In summary, the Initiative is designed with the following objectives in 
> mind:
> 
>     - Building broad resiliency against cybersecurity intrusions across
>       the government, the public sector and key industry partners.
>     - Holding contractors and grantees to their commitments to protect
>       government information and infrastructure.
>     - Supporting government experts’ efforts to timely identify, create
>       and publicize patches for vulnerabilities in commonly used
>       information technology products and services.
>     - Ensuring that companies that follow the rules and invest in meeting
>       cybersecurity requirements are not at a competitive disadvantage.
>     - Reimbursing the government and the taxpayers for the losses incurred
>       when companies fail to satisfy their cybersecurity obligations.
>     - Improving overall cybersecurity practices that will benefit the
>       government, private users, and the American public.
> 
> The timing of this announcement also coincides with the deputy attorney 
> general's creation of a "National Cryptocurrency Enforcement Team 
> <https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-national-cryptocurrency-enforcement-team>" 
> designed to tackle complex investigations and criminal cases of 
> cryptocurrency misuse. In particular, the team's activities will focus 
> on offenses committed by cryptocurrency exchanges and money-laundering 
> operations.
> 
> What stands out, though, is that the Civil Cyber-Fraud Initiative would 
> pursue those who were /knowingly/ negligent in the implementation of a 
> robust cybersecurity posture or knowingly misrepresented their 
> cybersecurity practices—leaving room for plausible deniability.
> 
> Equally interesting is the fact that just two days ago, Senator 
> Elizabeth Warren and Representative Deborah Ross proposed a new bill 
> dubbed the "Ransom Disclosure Act 
> <https://www.warren.senate.gov/newsroom/press-releases/warren-and-ross-introduce-bill-to-require-disclosures-of-ransomware-payments>." 
> The act would require ransomware victims to disclose details of any 
> ransom amount paid within 48 hours of payment and to divulge "any known 
> information about the entity demanding the ransom."
> 
> 
> 
> Original Article: https://arstechnica.com/?p=1801922
> 
> 
> Michael Brock
> 
> 
