US Government contractors and other firms that receive federal funding will be slapped with “hefty fines” if they fail to disclose breaches under a new initiative put forward by the US Department of Justice (DOJ).
The plans were unveiled by US Deputy Attorney General Lisa Monaco at the Aspen Institute Cyber Summit as part of the DOJ’s “civil cyber fraud initiative”.
The Justice Department will for the first time use civil enforcement powers to fine government contractors that fail to follow mandated cybersecurity standards.
The Department will use existing authorities under the False Claims Act, which holds that any person (or corporate entity) who knowingly submits false claims to the government could be liable to a financial penalty.
“Where those who are entrusted with government dollars or work on sensitive government systems fail to follow required cybersecurity standards, we’re going to go after that behaviour and extract very hefty fines,” Monaco said.
The Deputy Attorney General acknowledged that companies were too often choosing to remain silent on breaches “under the mistaken belief that it’s less risky to hide a breach than to bring it forward and report it.”
“We know that puts all of us at risk,” she said.
Monaco added that the DOJ would also put protections in place for whistle-blowers who bring forward any violations and failures.
The move comes as US companies and government agencies have faced a string of high-profile cyberattacks this year.
Among the worst of these breaches was the ransomware attack on Colonial Pipeline earlier this year, which forced the company to freeze IT systems and operations, effectively shutting off half the East Coast’s fuel supplies.
During her virtual speech, Monaco also announced the launch of the National Cryptocurrency Enforcement Team, a mix of anti-money laundering and cybersecurity experts, established to “strengthen” the DOJ’s ability to target and disable currency markets used by cybercriminals.
Cybercriminals attacking with ransomware typically demand ransom payment through cryptocurrency services, allowing them to hide payments from law enforcement authorities.
The US Congress is also considering a number of cybersecurity-related bills to regulate the way companies report cyber incidents to the Government.
Democratic Senator Mark Warner, Chair of the Senate Select Committee on Intelligence, has introduced legislation in the US Senate to enforce cyber incident reporting through fines, requiring federal agencies, government contractors, and critical infrastructure owners and operators to report cyber intrusions within 24 hours of their discovery.
The proposed bill would use subpoenas to try to draw information on incidents out of companies.