Government contractors are attractive targets for cyber attacks because the U.S. federal government – the largest producer, collector, consumer, and disseminator of data in the world – entrusts sensitive information to these private companies. This includes everything from national security secrets, to information on the nation’s military and critical infrastructure, to the personal information of all U.S. citizens and residents.
If this makes you worried, don’t fret just yet. Washington is responding to the cyber threats against contractors by issuing laws, regulations, and standards that require contractors to take broad security measures to safeguard data. These regulations are tough, but protecting sensitive government information is critical to national security and the U.S. economy.
While contractors used to be responsible for protecting only classified data, the U.S. Department of Defense (DoD) is now requiring strict measures to protect certain unclassified information, as well. Next month, the DoD is scheduled to issue a new rule that requires defense contractors to report cybersecurity breaches and give the Pentagon access to their networks to investigate attacks. Intelligence community contractors are bracing for a similar new rule in late 2014 or early 2015.
In an interview, Robert Nichols, co-chair of the government contracts practice at the international law firm Covington & Burling, stressed that “contractors of every size are being impacted by escalating regulatory requirements, and most contractors lack a robust cybersecurity program.” Start-ups are perhaps “the most vulnerable of all because few of them can afford the compliance costs,” according to Geoff Orazem, President of Eastern Foundry, a DC-based incubator for government contractors.
Cybersecurity is a particularly thorny issue for contractors because they face greater legal and commercial risk than other companies. Contractors must navigate a thicket of inconsistent rules and standards issued by different agencies that define key cybersecurity concepts in contradictory ways. They also face compliance obligations even though the Federal Government does not always clarify what specific cybersecurity safeguards are actually required to meet them. Emilian Papadopoulos, Chief of Staff at Good Harbor, a cyber-risk consultancy, emphasized in a phone interview that “it is critical for contractors to dedicate adequate resources towards and fully understand their cybersecurity responsibilities in light of the ever-changing regulatory landscape.”
Failure to adhere to these vague requirements can result in stiff penalties that are more severe than those faced by a typical company. For example, the government may terminate a contract for default, withhold payment, and levy penalties. It may also use past cybersecurity compliance problems to penalize a company when it competes for future government contracts. Companies can even be suspended from all current contracts and barred from future ones for breach of cybersecurity obligations. Particularly egregious lapses in cyber hygiene can result in extensive civil liability under the False Claims Act.
Moreover, contractors may also be required to flow down all cybersecurity safeguards to their sub-contractors, creating additional compliance costs. Orazem noted that “this will further increase costs for small contractors as they are forced to mirror each prime contractor’s compliance protocols and invest in the different systems each prime requires.”
Although Target received extensive negative press, saw its stock fall in value, and fired its CEO as a result of its 2013 cyber breach, it remained in business and did not lose significant market share. However, a government contractor that suffers a similar attack – after failing to follow government-mandated cybersecurity rules – could be forced out of business altogether.
Nichols stresses that “it’s difficult to exaggerate the business risks to contractors that do not take their cybersecurity obligations seriously and regularly update their compliance protocols.” Small and medium-sized contractors are more vulnerable because they are more easily replaced than larger contractors on whom the federal government depends for numerous contracts. Nichols rightly points out, however, that “the U.S. government can cripple even a very large contractor” that fails to make cybersecurity a corporate priority.
This threat is not merely theoretical. U.S. Investigations Services LLC (USIS), the main security background-check contractor to the federal government, recently discovered a cyber-attack on its corporate network that may have resulted in the theft of information of employees at the Department of Homeland Security (DHS). DHS responded by advising its 240,000 employees to monitor their financial accounts for any problems – and by suspending much of its work with USIS.
The Department of Defense will soon issue a new rule pursuant to the 2013 National Defense Authorization Act that requires cleared contractors (i.e., those with access to classified information) to rapidly report successful cyber-attacks against their computer systems and assist the Pentagon in investigating any such attacks. The rule will require covered contractors to provide the DoD with information about the method of attack, a sample of any malware used (if identified), and a summary of any data compromised. It will also specify what type of access the contractor must give to the Pentagon to facilitate a forensic investigation of the incident. A similar rule that covers intelligence contractors is expected later this year or early next, pursuant to the Intelligence Authorization Act for Fiscal Year 2014.
Several key details about these new rules are not yet known and may impose significant costs on companies. First, it is unclear what will constitute a network “penetration” that must be reported, whether investigations of such breaches will be disclosed publicly, and whether unclassified computer systems (in addition to classified ones) are covered. Second, contractors are eager to know how quickly they must report a successful network infiltration and how long they must retain information pertaining to the attack; one existing regulation requires reporting within 72 hours of detecting an attack.
Unclassified systems may well be covered given the expansive wording of laws that require the new rules, which would drastically increase the compliance burden for contractors. Papadopoulos suggests that “companies may find it more attractive to report breaches to government if this puts off their responsibility to disclose publicly, as sometimes happens today when law enforcement investigations are ongoing.”
Finally, it is unclear how much access hacked contractors must provide to the U.S. government in the course of the ensuing investigation. Will contractors be required to give government investigators partial network access and protect business data and personal information about employees, or will the government be empowered to physically take possession of affected hardware and remove it from contractor offices for detailed study?
Contractors must take seriously their cybersecurity obligations and accept that honoring them is a cost of doing business with the government. Defense and intelligence companies in particular must closely follow the ever-shifting regulatory landscape and put aside adequate cybersecurity compliance budgets. The U.S. government is serious about cybersecurity and is starting to crack down on contractors that do not have adequate security measures and compliance programs in place. Government contractors would be wise to make cybersecurity compliance a priority and invest accordingly.