WASHINGTON (AP) – The Justice Department stands ready to sue government contractors and other companies that receive U.S. government grants for failing to report breaches of their cyber systems, the department’s No. 2 official said Wednesday.
Assistant Attorney General Lisa Monaco said the department is ready to take legal action under a law called the False Claims Act against contractors who misuse federal funds by failing to disclose hacks or by exhibiting poor cybersecurity standards. The Justice Department will also protect whistleblowers who come forward to report these issues.
“For too long, companies have chosen to remain silent because they mistakenly believed that it is less risky to hide a breach than to present and report it. That changes today,” said Monaco.
The action, unveiled at the Aspen Cyber Summit, is part of a broader effort by the Biden administration to motivate contractors and private companies to share information about breaches with the government and strengthen their own cybersecurity defenses. Officials have repeatedly spoken of the need for better private sector engagement as the government has faced ransomware attacks targeting critical infrastructure and large businesses, including a large fuel pipeline, over the past year.
The move underscores the extent to which the government views cyberattacks as harmful not only to an individual company but also to the American public in general, especially given the recent attacks on a large fuel pipeline and meat processor.
“If those entrusted with government funds who are entrusted with working on sensitive government systems do not adhere to the required cybersecurity standards, we will pursue this behavior and impose very heavy fines,” said Monaco.
Monaco also announced the creation of a new cryptocurrency enforcement team within the department, comprised of cybersecurity and money laundering experts, to destabilize the financial ecosystem that powers ransomware attacks and the criminal hacking gangs that carry them out.
The action follows the Treasury Department’s sanctions last month against a Russia-based virtual currency broker who, according to official reports, helped at least eight ransomware gangs launder virtual currencies.
Monaco’s appearance came hours after CNBC published an opinion piece in which she called on Congress to pass laws creating a national standard for reporting major cyber incidents so that information about digital attacks can be quickly disseminated across the federal government.
Most breaches, she wrote, are not reported to law enforcement, which hinders investigation.
“The current reporting gap is hampering the government’s ability to address not just the ransomware threat but all cybercriminal activity,” Monaco wrote. “That means we can do it alone, with no key insights from our private sector partners, and it has to change today.”
Separately, Homeland Security Secretary Alejandro Mayorkas said on Wednesday that new regulations for railways and transit companies are coming.
Mayorkas said the Transportation Security Administration will enact a security policy this year that will oblige railways and transit companies to comply with new regulations, similar to those enacted in May for pipeline operators after a hack that disrupted gas supplies in several states.
Railroad and transportation companies that the secretary calls “higher risk” are required to designate a cybersecurity point person, report incidents to the Cybersecurity and Infrastructure Security Agency and develop a contingency and recovery plan in the event of malicious cyber activity.
Those classified as “low risk” will be subject to guidelines that “encourage” but do not require them to take these measures, Mayorkas said in his remarks at the Billington Cybersecurity Summit.
He did not specify which railways or transit companies fell into either category.
Associated Press writer Ben Fox contributed to this report.