The Future of DOJ’s Civil Cyber-Fraud Initiative After Aerojet


On April 27, 2022, less than 24 hours after the jury had been impaneled and before any witnesses had testified in the first cyber-related fraud qui tam trial, United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc. (“Aerojet”), Aerojet agreed to pay more than $9 million to settle the case. The whistleblower (also known as a qui tam relator), Aerojet’s former senior director of cybersecurity, had brought a False Claims Act (“FCA”) suit in the U.S. District Court for the Eastern District of California, on behalf of the government, alleging that Aerojet had lied to the government about its compliance with applicable cybersecurity requirements to obtain contracts with DOD and NASA from 2013 to 2015 and sought damages in excess of $19 billion – three times the sum of every invoice paid under the fraudulently obtained contracts.

The Aerojet outcome provides guidance for the future of DOJ’s Civil Cyber-Fraud Initiative (“Cyber-Fraud Initiative”). In 2018, DOJ declined to intervene in this action. Yet, two weeks after the Cyber-Fraud initiative was announced, in October 2021, DOJ filed a Statement of Interest in support of the relator’s arguments opposing summary judgment. With DOJ’s assistance, the whistleblower defeated Aerojet’s summary judgment motion in a first-of-its-kind FCA case premised on cybersecurity noncompliance. The U.S. District Court rejected Aerojet’s arguments that the contracts’ cybersecurity control provisions were not material and the government did not suffer any damages because it had delivered functional rocket engines. See United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., No. 2:15-cv-02245-WBS, 2022 WL 297093, *7-8 (E.D. Cal. Feb. 1, 2022). This argument ignored the fact that the government also contracted with Aerojet to store the government’s technical data concerning its missile systems on a secure network. Accordingly, the issue of materiality and damages would be resolved by a jury. Id. This risk proved too much for Aerojet, especially after hearing the relator’s opening statement detail critical deficiencies in Aerojet’s network security that made it vulnerable to cyber-attacks during the relevant time period. Aerojet agreed to pay $9 million to settle the FCA claim and an additional undisclosed amount for attorney’s fees. This quick settlement signals how precarious the situation has become for companies that do not comply with contractual cybersecurity requirements and fail to adequately safeguard government information.

DOJ’s Cyber-Fraud Initiative

On October 6, 2021, Deputy Attorney General (“DAG”) Lisa Monaco announced DOJ’s Cyber-Fraud Initiative to “combat new and emerging cyber threats to the security of sensitive information and critical systems.” This Initiative was the direct result of DOJ’s ongoing comprehensive cyber review, launched as a result of President Biden’s May 2021 Executive Order (“EO”) 14028 on Improving the Nation’s Cybersecurity, and the government’s perceived inability to respond to numerous cyberattacks against critical infrastructure (e.g., SolarWinds, Colonial Pipeline, Microsoft Exchange) because it lacked information from the private sector. DAG Monaco’s announcement made clear that DOJ intends to use the FCA to hold government contractors accountable for putting U.S. information and systems at risk by knowingly: (1) providing deficient cybersecurity products or services; (2) misrepresenting cybersecurity practices or protocols; or (3) failing to monitor and report cybersecurity incidents and breaches.

The FCA prohibits knowingly submitting or causing the submission of false or fraudulent claims to the government. It permits the government to recover three times its losses, plus a civil penalty of $12,537 to $25,076 for each claim. What is unique about the FCA is that it contains a whistleblower provision, which creates a financial incentive for company insiders (whistleblowers) to uncover and report fraud. If their disclosure results in the recovery of funds by the United States, the whistleblower will be entitled to 15-30% of the funds recovered.

Biden Administration’s Efforts to Increase Reporting of Cyberattacks

DOJ’s Cyber-Fraud Initiative was not created in isolation. Government agencies were directed under EO 14028 to improve cybersecurity, encourage information sharing about cyberattacks, and take measures to protect critical infrastructure. After the signing of EO 14028, in addition to DOJ’s Cyber-Fraud Initiative, DHS formed a Cyber Safety Review Board, the Federal Trade Commission announced its intention to seek enforcement actions against organizations that fail to mitigate known cybersecurity vulnerabilities, and the Securities and Exchange Commission proposed new cybersecurity disclosure rules that would substantially increase public companies’ reporting obligations. Furthermore, on March 15, 2022, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”) became law and will require critical infrastructure entities to report material cybersecurity incidents and ransomware payments to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) within 72 and 24 hours, respectively. See H.R. 2471, 116th Cong. (2022). These requirements, however, do not go into effect for two years, to give CISA sufficient time to draft the pertinent regulations.

Cybersecurity Controls Continue to Become More Stringent in Government Contracts

Since 2011, federal government contractors have been subject to evolving and increasingly stringent cybersecurity requirements designed to safeguard the government’s controlled unclassified information (“CUI”). CUI is information owned or created by the government which is sensitive but not classified. Beginning in 2013, DOD contracts have contained cybersecurity standards set forth in the “Safeguarding Covered Defense Information and Cyber Incident Reporting” clause at Defense Federal Acquisition Regulation Supplement (“DFARS”) 252.204-7012 (“Section 7012”). DOD has amended Section 7012, most recently in 2019. Currently, Section 7012 requires that defense contractors “provide adequate security” on their information systems that are used to process, store, or transmit CUI and report cyber incidents to DOD within 72 hours of their discovery. See 48 C.F.R. § 252.204-7012. To demonstrate adequate security, defense contractors are required to implement the cybersecurity controls set forth in the National Institute of Standards and Technology’s (“NIST”) Special Publication (“SP”) 800-171.

Cybersecurity standards are expected to become more demanding still with the official rollout of DOD’s Cybersecurity Maturity Model Certification, known as CMMC, version 2.0, which will begin to be incorporated into defense contracts in or around May through July 2023. As of this date, however, there is still a lengthy rulemaking process that needs to be completed, and the Code of Federal Regulations has not been updated. The new rules are expected to be publicly available in or around March 2023.

How the Relator Succeeded in Getting Aerojet to Pay Millions to Settle

After being fired by Aerojet, the whistleblower brought a wrongful termination and FCA case against Aerojet. As noted above, the whistleblower alleged that Aerojet knowingly misrepresented its compliance with applicable cybersecurity requirements (including DFARS Section 7012) and thereby fraudulently obtained contracts with DOD and NASA. The whistleblower contended that the cybersecurity requirements were material and sought damages for every claim the government paid under contracts it entered with Aerojet from 2013 to 2015.

During pre-trial litigation, Aerojet unsuccessfully argued, first in a motion to dismiss, and later in a summary judgment motion, that the applicable cybersecurity requirements were not material because it disclosed to the government that it was not fully compliant with them. The Court disagreed and denied both motions. In its summary judgment decision, the Court concluded that materiality was an issue for the jury and there was a triable issue of fact regarding the “sufficiency” of Aerojet’s disclosures. United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., No. 2:15-cv-02245-WBS, 2022 WL 297093, *7 (E.D. Cal. Feb. 1, 2022). The Court further found that the whistleblower presented evidence demonstrating that Aerojet had concealed the true breadth of its noncompliance from the government; it did not share with the government information about data breaches or the results of external audits detailing numerous deficiencies. Id. at *5-7.

The whistleblower also defeated Aerojet’s summary judgment motion on damages. Id. at *8. Aerojet argued that there was “no evidence that the government suffered actual damages” because it had supplied defect free, functional rocket engines as required under the contracts. The government contracts, however, also required Aerojet to store the government’s technical data on a secure network that met applicable cybersecurity requirements.

Shortly after the Court issued its summary judgment decision, the trial began. In the opening statement, the whistleblower juxtaposed Aerojet’s sensitive missile defense work for DOD with its deficient cybersecurity practices, undisclosed data breaches, and cybersecurity noncompliance. On the second day of trial, Aerojet agreed to settle the case.

Increased Threat of Liability for Weak Cybersecurity

In light of the flurry of cybersecurity advisories and initiatives, it should come as no surprise that DOJ intends to aggressively use the FCA to bring cyber-related fraud claims against government contractors. This falls squarely within DOJ’s renewed emphasis on corporate crime. While there is no question after Aerojet that noncompliance with cybersecurity requirements can form the basis for FCA liability, DOJ may find it difficult to prove materiality and damages in some instances. One exception will be the failure to report cyberattacks. Such violations would clearly be both material and cause extensive monetary damages if they threaten critical infrastructure or jeopardize the security of the government’s information and systems. If China or another adversary were to obtain technical data related to weapons systems, they may be able to disable them. At a minimum, this data would provide U.S. adversaries a technological advantage.

Conclusion

Federal contractors should heed the government’s warnings about implementing a strong cybersecurity program to avoid becoming the next target in DOJ’s Cyber-Fraud Initiative. Your cybersecurity program should incorporate the criteria in NIST SP 800-171, especially the items characterized by CISA as “foundational measures … of a strong cybersecurity program”: (a) updating software to the latest version and routinely installing software updates/patches; (b) implementing multifactor authentication on all systems and databases; and (c) replacing end-of-life software products that no longer receive software updates.

As noted above, the new CMMC 2.0 rules are not expected to be publicly available until in or around March 2023, which does not give contractors much time to become CMMC compliant. All defense contractors should therefore ensure that they are currently in compliance with NIST SP 800-171, which is already required in defense contracts. The Defense Industrial Base Cybersecurity Assessment Center could perform audits of contractors to ensure that they are meeting these current contractual standards.

Training is a critical part of a cybersecurity program. Ensure your employees – who also could become potential whistleblowers under the FCA – are aware of your efforts in this regard. Everyone who works on your network poses a cyberthreat to your organization and should be trained on their role in protecting your network and customer data. This is particularly important to defense contractors who possess and maintain CUI.


Research Assistance provided by Christian Mines.