DOJ, DHS Raise Cyberattack Reporting Requirements For Critical Infrastructure Sectors

October 7, 2021

By a Biometrica staffer

The federal government is systematically clamping down on lax cyberattack reporting by critical infrastructure companies in the private sector by tightening the standards that govern when they have to report to federal authorities that they have been the subject of a cyberattack or threat. This is part of ongoing efforts this month, which has been deemed “Cybersecurity Awareness Month.”

On Wednesday, Oct. 6, Deputy Attorney General Lisa O. Monaco announced the launch of a Civil Cyber-Fraud Initiative, designed to leverage the Justice Department’s (DOJ) experience in civil fraud and cybersecurity to “pursue” companies serving as government contractors and receiving federal funds for failing to meet cybersecurity standards befitting sensitive and critical sectors and for choosing to not report any potential breach. This is part of the May directive from Deputy AG Monaco for a comprehensive cyber review of the DOJ.

The Deputy AG also announced the establishment of a National Cryptocurrency Enforcement Team (NCET) that will handle investigations into and prosecutions of “criminal misuses of cryptocurrency,” particularly those involving virtual currency exchanges, mixing and tumbling services, and money laundering organizations or individuals. The NCET will also help, as much as possible, in the recovery of assets stolen during the course of a fraud or extortion scheme, including cryptocurrency ransoms paid during cyberattacks.

Separately, the Department of Homeland Security announced Wednesday that the Transportation Security Administration (TSA) will be implementing new requirements for the railroad and airline sectors, including measures designed to “[chip] away at voluntary cybersecurity incident reporting,” and setting a new cybersecurity “baseline” that will cover more companies in these industries. In addition to stricter reporting mandates, companies will need to have a designated cybersecurity point of contact and a comprehensive contingency and recovery plan in case they are targeted by cybercriminals.

The Civil Cyber-Fraud Initiative will be led by the Civil Division’s Commercial Litigation Branch, Fraud Section. The aim is to use the False Claims Act (FCA) to target these federal contractors. The FCA was enacted in 1863 after widespread defense contractor fraud was noted during the Civil War, and says that anyone who has knowingly submitted false claims to the federal government is subject to certain damages and fines. The DOJ says that in the fiscal year ending Sept. 30, 2020, it had collected over $2.2 billion in settlements and judgments from civil cases involving fraud and false claims against the government.

Targets include companies that knowingly do not provide adequate security for U.S. information or systems, as well as those who knowingly misrepresent their cybersecurity practices or protocols and who knowingly do not comply with government requirements to report any breach. Under the new initiative, the DOJ says it will also protect any whistleblowers who come forward with information regarding cybersecurity breaches and false practices by these companies.

There has been a widely reported spike in the number of cyberattacks targeting the U.S., specifically in critical infrastructure sectors like healthcare, oil and gas, energy, water, and education. This phenomenon has been described as a threat to national security by some of the top figures in President Joe Biden’s administration, including the president himself. The TSA issued a directive to energy pipeline companies following a cyberattack in May that pushed the Colonial Pipeline offline. Colonial Pipeline is the largest energy supplier in the U.S. and is responsible for much of the energy supplied to the eastern seaboard.

The government has been hamstrung in the past by being unable to police the private sector when it comes to handling and responding to cyberthreats and attacks. It has been able to do little more than urge companies to report breaches, even as ransomware gangs have threatened dire consequences if victims do contact authorities.

Last month, the Biden administration announced sanctions against SUEX OTC, a Russia-based virtual currency brokerage that allegedly “helped at least eight ransomware gangs launder virtual currency,” to the tune of more than $370 million, with over 40% of its known transactions involving “illicit actors.”