[The security box] US gov’t will slap contractors with civil lawsuits for hiding breaches

Jared Rimer jaredrimer at 986themix.com
Tue Oct 19 14:14:11 EDT 2021


So, if I understand this correctly, this could be a good thing, but yet 
it doesn't answer the entire problem.  I don't think Colonial or even 
JBS knowingly wanted to have a breach, but yet, the company that fails 
to update software that leads to a breach should more be at fault.  I 
don't think Colonial or JBS had software that was not patched in a 
timely manner, unless we can prove that that was the problem.  Am I 
missing something?

Jared Rimer
Check out my shows on 986 the mix. www.986themix.com/schedule for more 
info. Shows are on Wednesdays, Saturdays and Sundays
Wednesday's show is on the independent channel. Check schedule for time
www.jaredrimer.net for my other site.

On 10/13/2021 9:34 PM, Michael Brock via Thesecuritybox wrote:
> 
> US gov’t will slap contractors with civil lawsuits for hiding breaches
> Ars Technica  /  Ax Sharma
> 
> Civil Cyber-Fraud Initiative mandates data-breach reporting for gov't 
> contractors.
> 
> In a groundbreaking initiative announced by the Department of Justice 
> this week, federal contractors will be sued if they fail to report a 
> cyber attack or data breaches. The newly introduced "Civil Cyber-Fraud 
> Initiative" will leverage the existing False Claims Act 
> <https://en.wikipedia.org/wiki/False_Claims_Act> to pursue contractors 
> and grant recipients involved in what the DoJ calls "cybersecurity 
> fraud." Usually, the False Claims Act is used by the government to 
> tackle civil lawsuits over false claims made in relation to federal 
> funds and property connected with government programs.
> 
> Cyber contractors chose silence “for too long”
> 
> "For too long, companies have chosen silence under the mistaken belief 
> that it is less risky to hide a breach than to bring it forward and to 
> report it,” states Deputy Attorney General Lisa O. Monaco, who is 
> pioneering the initiative. "Well, that changes today. We are announcing 
> today that we will use our civil enforcement tools to pursue companies, 
> those who are government contractors who receive federal funds, when 
> they fail to follow required cybersecurity standards—because we know 
> that puts all of us at risk. This is a tool that we have to ensure that 
> taxpayer dollars are used appropriately and guard the public fisc and 
> public trust."
> 
> The introduction of the Civil Cyber-Fraud Initiative is the "direct 
> result" of the department's ongoing thorough review of the cybersecurity 
> landscape ordered by the deputy attorney general in May. The goal behind 
> these review activities is to develop actionable recommendations that 
> enhance and expand the DoJ's efforts for combating cyber threats.
> 
> The launch of the Initiative aims to curb new and emerging cybersecurity 
> threats to sensitive and critical systems by bringing together 
> subject-matter experts from civil fraud, government procurement, and 
> cybersecurity agencies.
> 
> The development comes at a time when cyberattacks are rampant, and 
> advanced ransomware gangs repeatedly target critical infrastructures, 
> such as the Colonial Pipeline 
> <https://arstechnica.com/information-technology/2021/05/colonial-pipeline-paid-a-5-million-ransom-and-kept-a-vicious-cycle-turning/> 
> and health care facilities 
> <https://arstechnica.com/gadgets/2021/08/hospitals-hamstrung-by-ransomware-are-turning-away-patients/>.
> 
> Provisions of the act would protect whistleblowers
> 
> The Civil Cyber-Fraud Initiative will utilize the False Claims Act, aka 
> the "Lincoln Law," which serves as a litigative tool to the government 
> when placing liability on those who defraud government programs.
> 
> "The act includes a unique whistleblower provision, which allows private 
> parties to assist the government in identifying and pursuing fraudulent 
> conduct and to share in any recovery and protects whistleblowers who 
> bring these violations and failures from retaliation," explains the DoJ 
> in a press release 
> <https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative>.
> 
> The initiative will hold entities, such as federal contractors or 
> individuals, accountable when they put US cyber infrastructure at risk 
> by /knowingly/ "providing deficient cybersecurity products or services, 
> knowingly misrepresenting their cybersecurity practices or protocols, or 
> knowingly violating obligations to monitor and report cybersecurity 
> incidents and breaches."
> 
> In summary, the Initiative is designed with the following objectives in 
> mind:
> 
>   - Building broad resiliency against cybersecurity intrusions across
>     the government, the public sector and key industry partners.
>   - Holding contractors and grantees to their commitments to protect
>     government information and infrastructure.
>   - Supporting government experts' efforts to timely identify, create
>     and publicize patches for vulnerabilities in commonly used
>     information technology products and services.
>   - Ensuring that companies that follow the rules and invest in meeting
>     cybersecurity requirements are not at a competitive disadvantage.
>   - Reimbursing the government and the taxpayers for the losses incurred
>     when companies fail to satisfy their cybersecurity obligations.
>   - Improving overall cybersecurity practices that will benefit the
>     government, private users, and the American public.
> 
> The timing of this announcement also coincides with the deputy attorney 
> general's creation of a "National Cryptocurrency Enforcement Team 
> <https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-national-cryptocurrency-enforcement-team>" 
> designed to tackle complex investigations and criminal cases of 
> cryptocurrency misuse. In particular, the team's activities will focus 
> on offenses committed by cryptocurrency exchanges and money-laundering 
> operations.
> 
> What stands out, though, is that the Civil Cyber-Fraud Initiative would 
> pursue those who were /knowingly/ negligent in the implementation of a 
> robust cybersecurity posture or knowingly misrepresented their 
> cybersecurity practices—leaving room for plausible deniability.
> 
> Equally interesting is the fact that just two days ago, Senator 
> Elizabeth Warren and Representative Deborah Ross proposed a new bill 
> dubbed the "Ransom Disclosure Act 
> <https://www.warren.senate.gov/newsroom/press-releases/warren-and-ross-introduce-bill-to-require-disclosures-of-ransomware-payments>." 
> The act would require ransomware victims to disclose details of any 
> ransom amount paid within 48 hours of payment and to divulge "any known 
> information about the entity demanding the ransom."
> 
> 
> 
> Original Article: https://arstechnica.com/?p=1801922
> 
> 
> Michael Brock
> 
> 