Good afternoon. My name is Brian Boynton and I am the Acting Assistant Attorney General for the Civil Division at the Department of Justice.
It is a pleasure to speak with you today. I am grateful to our partners at CISA for hosting this conference and giving us the opportunity to share our thoughts on fighting the ever-evolving cyber threat.
Today, I want to talk about the Justice Department’s newly announced Civil Cyber-Fraud Initiative. This initiative will combine the department’s expertise in civil fraud enforcement, government procurement and cybersecurity to promote the critical mission of combating new and emerging cyber-threats.
The Civil Cyber-Fraud Initiative arises out of the cyber review ordered by the Deputy Attorney General this past May. The purpose of the review is to develop recommendations to enhance and expand the department’s efforts against cyber threats.
As this group is well aware, protecting against malicious cyber campaigns is a matter of national concern and a top priority for the Administration. In the earliest days of this administration, the President signed an Executive Order announcing that the prevention, detection, assessment and remediation of cyber incidents would be a top priority. That order directed the federal government to use the full scope of its authorities and resources to protect its systems.
The Department of Justice is engaged in several efforts pursuant to the order, and the Civil Cyber-Fraud Initiative is intended to supplement and complement those efforts.
The Civil Division at DOJ is the largest litigating division in the department, with more than a thousand lawyers across six different branches. Within the Commercial Litigation Branch is the Civil Fraud Section. That office spearheads the department’s enforcement of the False Claims Act throughout the United States. The Fraud Section partners with U.S. Attorney’s Offices and federal agencies in bringing False Claims Act cases.
The Civil Cyber-Fraud Initiative will use the False Claims Act to identify, pursue and deter cyber vulnerabilities and incidents that arise with government contracts and grants and that put sensitive information and critical government systems at risk.
The False Claims Act is the government’s primary tool for addressing the knowing misuse of taxpayer funds. The Act prohibits knowingly submitting or causing the submission of false claims to the government. And it permits the government to recover three times its losses, plus a penalty for each false claim.
The False Claims Act was enacted during the Civil War to address fraud involving contractors selling defective goods to the Union Army. Since the Act was revitalized by Congress in 1986, the department has recovered more than $65 billion on behalf of the American taxpayers, and the Act has been employed to address fraud across all federal programs and operations. Procurement fraud remains one of the main areas of False Claims Act enforcement.
One of the unique features of the False Claims Act is its whistleblower, or “qui tam,” provisions. While government employees play a critical role in rooting out fraud on federal programs, the department also relies on whistleblowers from outside of the government. The False Claims Act allows private parties, known as relators, to bring cases on the government’s behalf. If their action results in a recovery of government funds, the whistleblowers are entitled to a share of those proceeds. Whistleblowers with inside information have been critical to identifying and pursuing new and evolving fraud schemes that might otherwise remain undetected. They also bring considerable technical expertise to complex investigations. As they have in many other aspects of False Claims Act enforcement, we expect whistleblowers to play a significant role in bringing to light knowing failures and misconduct in the cyber arena. False Claims Act enforcement and whistleblower reporting will help spur compliance by contractors and grantees.
The Civil Cyber-Fraud Initiative will build on the department’s already extensive work pursuing fraud and abuse relating to the government’s procurement of information technology products and services. Importantly, this initiative will focus on cases where federal agencies are victims. When companies that do business with the government knowingly make misrepresentations about their own cybersecurity practices, or when they fail to abide by cybersecurity requirements in their contracts, grants or licenses, the government does not get what it bargained for. Even more significantly, when false assurances are made to the government, sensitive government information and systems may be put at risk without the government even knowing it.
We have identified at least three common cybersecurity failures that are prime candidates for potential False Claims Act enforcement through this initiative.
First, the False Claims Act is a natural fit to pursue knowing failures to comply with cybersecurity standards. When government agencies acquire cyber products and services, they often require contractors and grantees to meet specific contract terms, which are often based on uniform contracting language or agency-specific requirements. For example, cybersecurity standards may require contractors to take measures to protect government data, to restrict non-U.S. citizen employees from accessing systems or to avoid using components from certain foreign countries. The knowing failure to meet these cybersecurity standards deprives the government of what it bargained for.
Second, False Claims Act liability may be based on the knowing misrepresentation of security controls and practices. In seeking a government contract, or performing under it, companies often make representations to the government about their products, services, and cybersecurity practices. These representations may be about a system security plan detailing the security controls it has in place, the company’s practices for monitoring its systems for breaches, or password and access requirements. Misreporting about these practices may cause the government to choose a contractor who should not have received the contract in the first place. Or it could cause the government to structure a contract differently than it otherwise would have. Knowing misrepresentations of this kind also deprive the government of what it paid for and violate the False Claims Act.
Finally, the knowing failure to timely report suspected breaches is another way a company may run afoul of the Act. Government contracts for cyber products, as well as for other goods and services, often require the timely reporting of cyber incidents that could threaten the security of agency information and systems. Prompt reporting by contractors often is crucial for agencies to respond to a breach, remediate the vulnerability and limit the resulting harm.
At bottom, the department’s Civil Cyber-Fraud Initiative will hold accountable entities or individuals that put U.S. information or systems at risk.
We recognize that most companies and people who do business with the government abide by contract terms and obligations. We also recognize that cyber incidents and breaches may result even when a contractor has a robust monitoring, detection and reporting system. But when contractors or grantees knowingly fail to implement and follow required cybersecurity requirements or misrepresent their compliance with those requirements, False Claims Act enforcement is an important part of the federal response.
By using this important enforcement tool, the Civil Cyber-Fraud Initiative will achieve an array of significant benefits.
First, the initiative will improve overall cybersecurity practices and help prevent cybersecurity intrusions across the government, the public sector and key industry partners. The federal government is one of the largest purchasers of cyber products and services. Federal agencies spend billions of dollars each year on contracts and grants relating to cybersecurity. The cybersecurity requirements that the federal government sets for companies that it does business with can raise the bar for the industry as a whole – benefiting both the government and the public generally.
Second, the Cyber-Fraud Initiative will hold contractors and grantees to their commitments to protect government information and infrastructure. The Civil Division takes seriously its responsibility to protect government programs, and enforcement of the False Claims Act against those who defraud the government remains a top enforcement priority. Particularly as the government increasingly refines its cybersecurity requirements for contracts and grants, False Claims Act enforcement can play a powerful role in promoting adherence to those rules. It can also bolster the efforts of those trying to promote compliance within an organization.
Third, the initiative will ensure a level playing field. Companies that follow the rules and invest in meeting cybersecurity requirements will have assurance that they will not be at a competitive disadvantage for doing so.
Fourth, the initiative will support the work of government experts to timely identify, create and publicize patches for vulnerabilities in commonly used information technology products and services.
Finally, the initiative will reimburse the taxpayers for the losses incurred when entities or individuals fail to satisfy their cybersecurity obligations.
I have asked the Civil Division’s Fraud Section to lead the implementation of this initiative. We have already secured additional department resources for the initiative and we have appointed a supervisor in the Fraud Section as its Chairperson. We have also created a mechanism for reporting fraud in the cyber arena. It is located on the Civil Fraud Section’s page within the department’s website – usdoj.gov. The page contains valuable information about the Section’s cyber practice, including how to report tips and complaints, either through a hotline, or by obtaining a lawyer and filing a whistleblower suit.
Finally, we also have brought together critical agency partners to launch this initiative within the government. We are partnering on this initiative with Inspector General Offices across numerous federal agencies. These are the offices within agencies that are charged with combatting waste, fraud and abuse. Our collaboration will promote information sharing and technical expertise, generate referrals for investigations and multiply the number of experienced federal agents and attorneys dedicated to combatting knowing cybersecurity failures. As a result of these efforts, we expect False Claims Act enforcement to play a key role in the department’s continuing efforts to promote cybersecurity and protect taxpayer funds from fraud, including cyberfraud against the government.
Thank you again for the opportunity to speak with you today. I hope everyone enjoys the rest of this terrific conference.