Biden Administration Focuses on Cybersecurity in Government Contracting – What Can Whistleblowers Do?
Following a number of high-profile cybersecurity incidents, the Biden administration is taking steps to improve the nation’s cybersecurity infrastructure. The federal government is making cybersecurity an enforcement priority, devoting additional resources to enforcement and upgrades, and strengthening technology standards. Many of these planned improvements focus on the federal government’s own information resources and modernization of federal networks.
Government information systems provided and managed by private contractors have long been required to comply with security standards. Because the government is a significant technology purchaser, the security standards it sets can benefit all technology purchasers.
Cybersecurity Enforcement in Government Contracting
Where government contractors fail to meet these security obligations, they can face liability under the False Claims Act. In 2019, we were proud to represent the whistleblower who secured the first-ever False Claims Act recovery alleging a tech company’s breaches of federal cybersecurity standards in products sold to government purchasers. Widely recognized as precedent-setting, the recovery illustrates the important role that whistleblowers can play in blowing the whistle on data breaches and cybersecurity flaws.
With the growing threat of cyberattacks, federal agencies are relying heavily on robust cybersecurity protections to safeguard our vital governmental data and information. To the extent that the government pays for systems or services that purport to comply with required cybersecurity standards but fail to do so, it is not difficult to imagine a situation where False Claims Act liability may arise.
The False Claims Act empowers individuals with knowledge of cybersecurity failings affecting government-purchased systems to report fraud and misconduct in government contracts and programs. Whistleblowers can bring a lawsuit on the government’s behalf and share in the government’s recovery.
Cybersecurity Incidents and their Impact on Government Systems
Weak security in government information systems poses obvious threats, including to national security interests. In addition, security flaws can be exploited by bad actors to expose confidential information held by the government or engage in ransomware attacks.
- In March 2021, federal, state, and local government agencies were among those affected by hacks that exploited vulnerabilities in Microsoft Exchange Server email software.
- In November 2020, it was disclosed that hackers had injected malicious code into software updates for Orion, a network monitoring and management program distributed by SolarWinds, in a supply chain attack. When customers, including many government customers, downloaded the software updates, the trojanized code added a backdoor that the hackers could then use to access affected systems. Federal agencies impacted by the breach included the Department of Defense, Department of Justice, Department of Energy, and Department of Homeland Security.
- In December 2020, it was reported that hackers had exploited vulnerabilities in VMware software to install malicious code.
- In 2015, the Office of Personnel Management disclosed that hackers had accessed millions of government personnel and background check records, obtaining personally identifiable information.
State and local governments are also regularly targeted by hackers and have been the victims of ransomware attacks.
Federal Responses to Cybersecurity Risks through Procurement Policy Changes
The Biden Administration budget requests substantial additional funding for cybersecurity initiatives, including $650 million for the Cybersecurity and Infrastructure Security Agency (CISA) and more than $1 billion for the General Services Administration (GSA) Technology Modernization Fund.
As noted above, when providing technology to the federal government, federal contractors are already required to comply with cybersecurity standards, including those established in National Institute of Standards and Technology (NIST) Special Publication 800-171.
A Biden Executive Order, issued May 21, 2021, mandates additional standards, including new reporting standards for cybersecurity issues. When cybersecurity failings are reported and remediated before they are exploited by hackers, systems can be secured and larger problems avoided.
- Planned new regulations will require IT contractors to comply with data collection and information-sharing requirements, as well as cooperate in responses to and investigations of cybersecurity incidents.
- Planned new regulations will require IT contractors to report cyber incidents involving software and services purchased by the government.
- Revisions to FAR cybersecurity requirements for unclassified systems will aim to standardize requirements across agencies.
- NIST will develop guidelines to enhance software supply chain security.
- The GSA announced plans to develop a new government-wide cloud acquisition program through a multiple-award schedule contract with a blanket purchase agreement (BPA) for Software-as-a-Service, Platform-as-a-Service, and Infrastructure-as-a-Service cloud offerings.
The Need for Cybersecurity Whistleblowers
IT company insiders, security experts, and white-hat hackers often have critical non-public information about cybersecurity flaws. There are a number of ways to report such flaws – including “bug bounty” programs offered by software developers and others – but when cybersecurity flaws affect software and systems purchased and used by the government, and the company knew about those flaws but failed to act, the False Claims Act provides an additional reporting avenue.
The FCA allows private persons, known as relators, to bring what are called qui tam lawsuits to report fraud and misconduct in federal government contracts and programs. Qui tam actions are filed under seal, permitting the government to investigate the whistleblower’s allegations before they are made public. If money is recovered for the government as a result of the qui tam case, the whistleblower is ordinarily entitled to a share of the government’s recovery, usually between 15% and 30% of the amount recovered.
Many potential FCA whistleblowers have already reported the fraud or misconduct, either directly to the company involved, or to government personnel. Usually, this prior reporting does not prevent a whistleblower from filing a case to obtain an award. Indeed, in the successful case against Cisco, Relator James Glenn had reported the security flaws internally, and this internal reporting supported the government’s claim that Cisco knew about the flaw and failed to act. An experienced whistleblower attorney can provide additional advice.
Almost anyone with evidence of fraud or misconduct can be a whistleblower. Whistleblowers do not have to be current or former employees of the company that engaged in the fraud or misconduct. Whistleblowers do not need to be American citizens or residents. Whistleblowers do not even have to be individuals; corporate competitors can use the FCA to report cybersecurity flaws. And whistleblowers can even have been involved to some extent in the misconduct.
Contact a Whistleblower Lawyer
The whistleblower attorneys of Constantine Cannon have extensive experience representing whistleblowers under the qui tam provisions of the False Claims Act on claims involving government contract fraud, including cybersecurity breaches and other contract non-compliance.
If you have evidence of cybersecurity failings affecting government technology systems, please contact us. We can advise you on the merits of your potential claim, help you decide whether to blow the whistle, and work with you to plan your next steps.