CYBERLAW: May 8, 2019 — A Hallmark Day in Cybersecurity
The Recent False Claims Act (FCA) Decision
Markus v. Aerojet Rocketdyne Holdings Inc.
May 8, 2019
THE day that changed the state of cybersecurity, finally. Is it the turning point that puts federal contractors and practitioners of secure system development on notice? Will contractors doing business with the federal government finally get the picture? If you falsify your delivery of secure systems in accordance with NIST SP 800-53, NIST SP 800-171, or the Cybersecurity Framework (CSF), do you now have to really know, and honestly validate to the US Government, that you know how to do cyber? I will suggest YES, and this is why.
BRIAN MARKUS
A name to remember as well
The US District Court for the Eastern District of California decided in favor of the plaintiff, Brian Markus, who worked for the defendant, Aerojet Rocketdyne, as its Senior Director of Cybersecurity. He alleged that Aerojet did not meet the “minimal” federal cybersecurity standards required under the Federal Acquisition Regulation (FAR). Mr. Markus was not willing to hide this fraud, and would not affirm that the company was fully compliant with its federal contracting obligations.
Aerojet Rocketdyne had in fact engaged an outside security firm to review its security control implementation, and Mr. Markus was aware of the findings of that assessment. The third-party assessor determined that fewer than 25% of the security controls were actually implemented.
While this is not the last word, it gives the cybersecurity community and its whistleblowers a clear mechanism to protect themselves, and a “wedge” to bring the full force of the law into play.
Here are the three main reasons I believe this is a major turning point in cybersecurity legal history.
1. The US Government enters into this cybersecurity case EX REL
In this use of the FCA, the government entered the case with Mr. Markus under the concept of ex rel: “it is commonly used when a government brings a cause of action upon the request of a private party who has some interest in the matter [1].” The government has a major interest: the protection of its Information Technology (IT) systems and networks. Of special emphasis are the Department of Defense (DOD) and the National Aeronautics and Space Administration (NASA), which have both been at the forefront of developing secure solutions. They could not simply ignore the action.
2. The Department of Justice (DOJ) declined to intervene
While the DOJ's decision not to intervene may make the case appear to be of little interest to the government, it was in fact a positive event for cybersecurity. By declining to intervene, the DOJ allows the FCA to become a mechanism for cybersecurity experts and professionals to act. It further establishes the age-old concept of precedent, under which a federal contractor can be liable for its actions, and more specifically its inactions, in implementing security on behalf of the government.
3. Fraud is still fraud
Finally, fraud is fraud. Mr. Markus, as the relator of the fraud, argued that Aerojet “induced” both DOD and NASA to award contracts even though it was clear that the company had not delivered a secure system under any applicable NIST cybersecurity framework, in this case NIST SP 800-171.
Aerojet attempted to argue that the misrepresentation was “not material.” The court rejected that argument and denied the motion to dismiss. The case was further referred to arbitration.
Aerojet stated that it would comply with the Federal Acquisition Regulation (FAR) clauses for cybersecurity protection in the future. Really! Apparently, it had not completed its System Security Plan (SSP), Plan of Action and Milestones (POAM), or policy documents. All of these documents are basic contractual artifacts required under NIST SP 800-171 and under current federal contract regulations. They failed, and got caught.
While there are certainly more developments to occur in cyberlaw enforcement, I will suggest this may be the “shot” that gets federal contractors and, even more specifically, the US government’s attention. It should not just be the cybersecurity professional’s reputation and livelihood at stake. Mr. Markus should be applauded for putting himself out there, and the government for finally showing some real interest in protecting federal IT assets and systems.
Reference
[1] https://en.wikipedia.org/wiki/Ex_rel.
Dr. Russo is currently the Senior Data Scientist with Cybersenetinel AI in Washington, DC. He is a former Senior Information Security Engineer within the Department of Defense’s (DOD) F-35 Joint Strike Fighter program. He has an extensive background in cybersecurity and is an expert in the Risk Management Framework (RMF) and DOD Instruction 8510, which implements RMF throughout the DOD and the federal government. He holds a Certified Information Systems Security Professional (CISSP) certification and a CISSP concentration in information security architecture (ISSAP). He has a 2017 Chief Information Security Officer (CISO) certification from the National Defense University, Washington, DC. Dr. Russo retired from the US Army Reserve in 2012 as a Senior Intelligence Officer.