Ed. note: This is the first article in a two-part series about recent case law related to the False Claims Act (FCA), which signals a heightened need for vigilance by companies (especially government contractors) around the security of their supply chains. Part two will address proactive steps that companies can take to reduce their FCA threat profile.
When the FCA (31 U.S.C. §§ 3729 – 3733) was enacted by Congress in 1863 in response to concerns about the sale of fraudulent goods (think: wonky horses, faulty rifles, and rancid rations) to the Union Army, private citizens became empowered to act as whistleblowers by gaining standing and financial incentives to file civil claims (known as “qui tam” actions) against those contractors on behalf of the government. Today, the FCA is gaining ground by empowering whistleblowers (known as “relators” under the FCA) to combat cyber threats in government supply chains.
In April 2019, network security company Fortinet paid the U.S. government $545,000 to resolve allegations that it violated the FCA. Between 2009 and 2016, a Fortinet employee altered the label on certain products so that they would appear compliant with the Trade Agreement Act, which prohibits government contractors from purchasing products that are not entirely from, or “substantially transformed” in, the United States or certain designated countries. The Department of Justice expressed concern with the Chinese origin of the technology underlying the Fortinet components and the concordant need to combat “procurement fraud and cyber risk within U.S. Department of Defense programs.”
In May of this year, the U.S. District Court for the Eastern District of California issued what appears to be the first decision to address the intersection between cybersecurity requirements and the FCA in a case against Aerojet, a supplier of rocket parts. In this case, Aerojet’s former director of cyber security compliance and controls filed a lawsuit under the FCA for Aerojet’s misrepresentation of its compliance with cybersecurity requirements relating to the award of several DOD and NASA contracts. The whistleblower claims an outside consulting firm audited Aerojet’s compliance with the DOD and NASA cybersecurity requirements in early 2014 and found the company to be “less than 25 percent compliant” with the National Institute of Science and Technology and DFAR standards. He consequently refused to sign documents affirming compliance with those standards, and Aerojet terminated his employment.
Most recently, in July, a whistleblower earned $1.6 million from Cisco alongside an $8.6 million government settlement for exposing security flaws in a video security software product that was sold to local, state and federal entities within the U.S. government. The whistleblower had been terminated from his position at a Danish partner company after discovering a series of vulnerabilities and reporting them to Cisco. These flaws were embedded in the software as early as 2008 and could have created backdoors into an organization’s computer network. This is purportedly the first time a company has made a payment under the FCA for a failure to meet security standards.
With hundreds of false-claim suits filed every year and cyber flaws now fair game for whistleblowers, technology companies are increasingly at risk of violating the FCA. The sums can be substantial. These incentives may also have the effect of driving insiders who are aware of internal organizational vulnerabilities towards government reporting and whistleblower rewards, and away from exhausting their company’s internal compliance measures. Additionally, even though actual knowledge of noncompliance or reckless disregard are the requisite standards to progress an FCA claim, companies that may otherwise rely on a more lenient view towards compliance with government cybersecurity standards should plan to demonstrate more diligence in their compliance efforts.
The Changing Landscape of the Supply Chain
Advances in hardware and software have also significantly increased risk for FCA noncompliance. The more complex the supply chain grows, the harder it is to keep it secure, according to Doug Shepherd, Chief Security Officer at Nisos (disclosure: I work at Nisos). “As storage and computing power get increasingly compact, it’s easier to embed malice in a very small part of a supply chain,” he adds.
The criticality of information security protection in business practices has grown substantially, especially in the wake of enforcement actions, causing a trickle-down effect. As noted by Mark Chandler, Cisco’s Executive Counsel: “As networked data becomes core to more and more activities, security failures can endanger national economic and physical security…. The standards by which suppliers are judged are also changing.”
At a CyberScoop talk in Washington, D.C., on October 24, 2019, Cybersecurity and Infrastructure Agency (CISA) director Chris Krebs described the recent creation of a CISA supply chain task force uniting both industry and government infosec leaders as a critical resource for protecting U.S. critical infrastructure, especially for companies with limited security budgets. The newly formed task force on supply chain will propose improvements to the supply chain compliance model, including developing a common framework for the sharing of supply chain risk information and criteria for evaluating products, services, and vendors.
“Ultimately, vendors who prioritize shortcuts over national security should be held accountable,” says Chris Brewster, Administrative Counsel of the House of Representatives. “Government contractors have heightened responsibilities — whether associated with the supply chain, government intellectual property rights or data protection requirements — that are integral to the contracting process under the Federal Acquisition Regulation.”
In part two of this series, I’ll draw upon the guidance of industry experts to address what companies can do to improve their supply chain risk model. Until then, it’s important to keep in mind that in the eyes of regulators, legislators, judges, and whistleblowers alike, ignorance is far from blissful. Training and due diligence coupled with accuracy and transparency will help organizations that contract with the government sidestep FCA sinkholes.
Jennifer DeTrani is General Counsel and EVP of Nisos, a technology-enabled cybersecurity firm. She co-founded a secure messaging platform, Wickr, where she served as General Counsel for five years. You can connect with Jennifer on Wickr (dtrain), LinkedIn or by email at dtrain@nisos.com.