Those who blur the lines about what their cybersecurity products actually do should be very afraid.
On October 6, 2021, Deputy Attorney General Lisa O. Monaco announced the Civil Cyber-Fraud Initiative, a new legal tool to hold “government contractors who receive federal funds [accountable], when they fail to follow required cybersecurity standards.” Before you dismiss this as irrelevant because you do not do business with the Federal Government, do yourself a favor and read to the end.
Acting Assistant Attorney General Brian M. Boynton expanded on the new policy in remarks at the Cybersecurity and Infrastructure Security Agency’s (CISA) 4th Annual National Cybersecurity Summit. Specifically, Mr. Boynton highlighted three common cybersecurity failures as prime candidates for enforcement under the False Claims Act:
- Knowing failures to comply with cybersecurity standards.
- Knowing misrepresentation of security controls and practices.
- Knowing failure to report suspected breaches.
One of the largest settlements to date turned on a unique feature of the False Claims Act: private individuals (called relators) can bring a claim on behalf of the Government. In 2022, Aerojet Rocketdyne agreed to pay $9,000,000 to resolve allegations that it misrepresented its compliance with cybersecurity requirements in specific contracts. The relator, a former Aerojet Rocketdyne employee, received $2,610,000 of the settlement under the False Claims Act’s qui tam (whistleblower) provisions. Those provisions allow anyone with knowledge that an entity knowingly failed to comply, or misrepresented its solution, to file a claim and receive a sizeable share of whatever the Government recovers.
Likewise, the Securities and Exchange Commission (SEC) adopted new rules on July 26, 2023, to protect investors by requiring public companies to disclose material cybersecurity incidents and to describe how they govern and manage cybersecurity risk. Regulation S-K Item 106 now requires “…registrants to describe their processes…for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.” The intent is to inform investors of the actual or potential risks cyber threats pose so that they can weigh those risks when making investment decisions. Item 106 also requires “…registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats”, which brings the responsibility of board members into focus should an incident occur.
The last change, new Item 1.05 of Form 8-K, requires “…registrants to disclose…any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant”, generally within four business days of the materiality determination. Note the word incident, not breach; that is what ties this mandate to our discussion of the False Claims Act. Any vendor in the supply chain whose security measures are certified as compliant with Federal purchasing requirements now faces increased scrutiny of any cyber incident that may have occurred. Failing to disclose a material incident violates the new SEC rules. It may also expose the vendor (the registrant) to False Claims Act liability for causing the contractor that sells products and services to the Federal Government to submit a false claim.
It is important not to dismiss this as limited to U.S. Federal contractors, because the False Claims Act reaches any business that could defraud the Government, including one that causes a contractor to submit a false claim. Vendors of cybersecurity products should note that their customers may serve Government entities, so statements about product capabilities directly affect those customers’ ability to comply with cybersecurity requirements.
In March 2022, in the first settlement under the Civil Cyber-Fraud Initiative, Comprehensive Health Services LLC (CHS) agreed to pay $930,000 to resolve allegations that it stored patient medical records on an unsecured internal network drive rather than on the secure electronic medical record system its contract required, and thus failed to meet required cybersecurity measures.
The False Claims Act provides a powerful way to hold accountable anyone who:
- Knowingly makes a misleading claim of compliance.
- Misrepresents cybersecurity controls.
- Withholds notification when a breach occurs.
Because anyone with knowledge of fraudulent activity can file a claim under the FCA, an insider who knows about a misrepresentation can not only hold the provider accountable but also be rewarded for that oversight when U.S. information is put at risk. Every vendor of cybersecurity products should be mindful of what their products actually deliver and ensure those capabilities are represented accurately.
Words matter. As we discussed before, monitoring is not protection. Detection and response solutions are essential for tracking attacker behavior across an enterprise, but they do not fulfill protection requirements. Vendors whose marketing claims cloud or runtime protection, when the product actually only monitors and, through misdirection, merely reports how protection could be done, should rethink their messaging.
Remember the seatbelt analogy from part 1? Suppose you skip the seatbelt and, with a lot of hand-waving and misdirection, claim that the airbag alone is enough. Airbags are part of a complete safety system in any modern car, but an airbag is not a seatbelt and will never provide the protection a seatbelt does.
Analogously, relying on monitor-only solutions, valuable as they are as an additional security measure, will never meet the protection requirement. The law is beginning to catch up, and it is only a matter of time before vendors are held responsible for their statements about product capabilities.