For the Defense - Vol. 6, Issue 4 - 49

Biden Administration to the Private Sector: We
Need Better Cybersecurity Now
After months of advisories and admonitions
related to recent ransomware attacks,8
in June
2021, the White House issued an extraordinary
letter to " Corporate Executives and Business
Leaders, " beseeching them to " immediately
convene their leadership teams to discuss the
ransomware threat and review the corporate
security posture and business continuity plans
to ensure you have the ability to continue or
restore operations quickly. " 9
Referring back to the
May 2021 executive order on cybersecurity, the
letter encouraged business leaders to implement
" high impact " best practices, such as multifactor
authentication, encryption, endpoint detection
and response, and the use of security teams to share
and analyze threat information and to administer
an effective patch management program.
Less than two months later, President Biden
signed a National Security Memorandum that
directed federal agencies to create " cybersecurity
performance
goals "
to
" assist
companies
responsible for providing essential services like
power, water, and transportation to strengthen
their cybersecurity. " 10
The memorandum also
formalized the Industrial Control System
Cybersecurity (ICSC) Initiative, which has been
a " voluntary, collaborative effort between the
federal government and the critical infrastructure
community to facilitate the deployment of
technology and systems that provide visibility,
indicators, detections, and warnings. "
On August 25, 2021, the White House hosted a
cybersecurity summit with private sector leaders,
after which several participants like Apple,
Google, IBM, Microsoft, and Amazon announced
commitments and initiatives to bolster national
cybersecurity.11
senior official in Biden Administration explained:
" The federal government can't solve this complex,
growing international challenge alone, and we
can't do it overnight. The public and private
sectors must meet this moment together, and the
American people are counting on us. " 12
False Claims Act and Cybersecurity Compliance
In order to secure compliance with federal
cybersecurity standards and safeguard the
Nation's cybersecurity, the new Civil Cyber-Fraud
Initiative will use the FCA to " hold accountable
entities or individuals that put U.S. information or
systems at risk by knowingly providing deficient
A contractor's FCA liability would ultimately
hinge on whether compliance was a condition
" material " to the government's decision to pay
under the contract.16
To be " material, " compliance
with the contractual requirement must either
" hav[e] a natural tendency to influence, or be
capable of influencing, the payment or receipt of
money or property. " 17
Court has explained,
However, as the Supreme
The False Claims Act is not an all-purpose
antifraud statute, or a vehicle for punishing
garden-variety breaches of contract or
regulatory violations. A misrepresentation
cannot be deemed material merely because
the Government designates compliance
with a particular statutory, regulatory, or
contractual requirement as a condition of
payment. Nor is it sufficient for a finding of
materiality that the Government would have
the option to decline to pay if it knew of the
defendant's noncompliance.18
In connection with the summit, a
Before the DOJ announced the Civil Cyber-Fraud
Initiative, courts suggested that the FCA's strict
materiality requirement would limit impliedcertification
liability to rare cases, such as when the
government contract expressly conditions payment
on compliance with cybersecurity standards.19
Nevertheless,
the
extent
to
which
a
federal
contractor is compliant with the government's
cybersecurity requirements is still relevant to the
government's decision to enter into a contract
in the first place.20
Therefore, a contractor may
violate the FCA if its misrepresentations as to
its compliance with the cybersecurity provisions
affected the government's decision to enter the
contract.
Most recently in 2020, a federal district court
in the District of Columbia dismissed a qui tam
action21
cybersecurity
products
or
services,
knowingly
misrepresenting their cybersecurity practices or
protocols, or knowingly violating obligations to
monitor and report cybersecurity incidents and
breaches. " 13
Under the " implied certification "
theory of liability, a contractor may violate the FCA
if it knowingly misrepresents its compliance with
a contractual requirement and submits a claim for
reimbursement under that federal contract.14
The
contractor must have acted with actual knowledge,
deliberate ignorance, or reckless disregard of its
noncompliance with the requirement.15
alleging that a contractor had failed to
disclose a security vulnerability in the computer
systems that it sold to the United States.22
The
Vol. 6, Issue 4 l For The Defense 49
For the Defense - Vol. 6, Issue 4

Table of Contents for the Digital Edition of For the Defense - Vol. 6, Issue 4
