DOJ: Government MSSPs, MSPs Failing to Report Cyber Incidents Face “Hefty” Fines
The Department of Justice (DOJ) has launched a new action to slap “hefty” fines on government contractors, including MSSPs and MSPs, that fail to report a cybersecurity incident, the agency’s second in command said.
“Today, we are launching a Civil Cyber Fraud Initiative,” Deputy Attorney General Lisa Monaco said at the virtual Aspen Institute Cyber Summit. “For too long, companies have chosen silence under the mistaken belief that it’s less risky to hide a breach than to bring it forward and to report it.” (via The Hill)
Monaco also said the DOJ will establish a National Cryptocurrency Enforcement Team to crack down on cryptocurrency exchanges hackers commonly use to collect ransom payments from ransomware victims. The unit will be tasked with rooting out abuse in the exchanges, she said. “We have been enforcing the securities law for decades, we police fraud on the markets, with insider trading cases, or market manipulation cases, and the point of course is to protect consumers and to ensure we can all have confidence in the markets that we are engaging in,” she said.
Monaco’s remarks come in the wake of newly introduced Senate legislation that would require critical infrastructure owners and operators to report a cyber attack within 72 hours to the Cybersecurity and Infrastructure Security Agency (CISA). The Cyber Incident Reporting Act also requires federal contractors (including MSSPs, MSPs and managed detection and response (MDR) service providers) and certain other organizations to report to CISA within 24 hours of making a ransom payment.
A separate measure is forthcoming to update the Federal Information Security Modernization Act that requires federal agencies and contractors to report cyber attacks.
The DOJ will consider contractors’ failure to follow “required cybersecurity standards” as civil fraud, Monaco said, referencing the agency’s authority to levy fines under the False Claims Act. “We are going to go after that behavior and extract very hefty fines, so this is a tool that we have to ensure that taxpayer dollars are used appropriately and to guard the public trust, and that is what we are going to do with respect to this civil fraud initiative,” she said.
In a CNBC op-ed, Monaco advocated for a national standard to report significant cyber incidents. “Unfortunately, most breaches are not reported to law enforcement,” she said. “Absent prompt reporting, investigative opportunities are lost, our ability to assist other victims facing the same threats is degraded, and the government loses the full picture of the threat facing our country.” The “current gap in reporting” leaves the government to “go at it alone, without key insights from our partners in the private sector, and it needs to change, today,” Monaco said.
She called for Congress to enact legislation to create a national standard for reporting cyber incidents that pose significant risk and a “single mechanism” where victims can file reports to the federal government that can be shared among relevant agencies.
Both CISA director Jen Easterly and National Cyber Director Chris Inglis have repeatedly voiced support for federal reporting requirements as well as enforcement mechanisms, including fines. “My personal view is, [subpoena authority] is not an agile enough mechanism to allow us to get the information that we need to share as rapidly as possible to prevent other potential victims from threat actors, so I think we should look at fines,” Easterly said at a hearing of the Senate Homeland Security and Governmental Affairs Committee last month.