SecurityWeek
US Poised to Go After Contractors Who Don’t Report Breaches

The Justice Department is poised to sue government contractors and other companies who receive U.S. government grants if they fail to report breaches of their cyber systems, the department’s No. 2 official said Wednesday.

Deputy Attorney General Lisa Monaco said the department is prepared to take legal action under a statute called the False Claims Act against contractors who misuse federal dollars by failing to disclose hacks or by having deficient cybersecurity standards. The Justice Department will also protect whistleblowers who come forward to report those issues.

“For too long, companies have chosen silence under the mistaken belief that it’s less risky to hide a breach than to bring it forward and to report it. Well, that changes today,” Monaco said.

The action, unveiled at the Aspen Cyber Summit, is part of a broader Biden administrative effort to incentivize contractors and private companies to share information with the government about breaches and to bolster their own cybersecurity defenses. Officials have repeatedly spoken of the need for better private sector engagement as the government confronts ransomware attacks that in the last year have targeted critical infrastructure and major corporations, including a major fuel pipeline.

The measure underscores the extent to which the government views cyberattacks as not just harmful to an individual company but also to the American public in general, especially given recent attacks against a major fuel pipeline and meat processor.

“Where those who are entrusted with government dollars, who are entrusted to work on sensitive government systems fail to follow required cybersecurity standards, we’re going to go after that behavior and extract very hefty fines,” Monaco said.

Monaco also announced the creation of a new cryptocurrency enforcement team within the department, drawing from experts in cybersecurity and money laundering, aimed at destabilizing the financial ecosystem that drives ransomware attacks and the criminal hacking gangs that carry them out.

The action follows Treasury Department sanctions last month against a Russia-based virtual currency brokerage that officials say helped at least eight ransomware gangs launder virtual currency.

Monaco’s appearance came hours after the publication of a CNBC opinion piece in which she urged Congress to pass legislation creating a national standard for the reporting of significant cyber incidents so that information about digital attacks can be quickly disseminated across the federal government.

Most breaches, she wrote, are not reported to law enforcement, hindering investigations.

“The current gap in reporting hinders the government’s ability to combat not just the ransomware threat, but all cybercriminal activity,” Monaco wrote. “It means we go at it alone, without key insights from our partners in the private sector, and it needs to change, today.”

Separately, Homeland Security Secretary Alejandro Mayorkas said Wednesday that new regulations are coming for railroads and transit entities.

Mayorkas said the Transportation Security Administration this year will issue a security directive that will require railroads and transit entities to comply with new regulations similar to ones issued in May for pipeline operators following a hack that disrupted gas supplies in several states.

What the secretary called “higher risk” railroads and transit entities will be required to designate a cybersecurity point person, report incidents to the Cybersecurity and Infrastructure Security Agency and develop a contingency and recovery plan in case of malicious cyber activity.

Those deemed “low risk” will be subject to guidance that “encourages” them to take those measures but does not require it, Mayorkas said in remarks to the Billington Cybersecurity Summit.

He did not specify which railroads or transit entities were in either category.