Published by The Lawfare Institute
In early 2023, the Department of Justice announced that it will be expanding its resources to focus on the intersection of corporate crime and national security, placing domestic and international corporations on high alert. This is consistent with statements made in the past by the Biden administration. For instance, at the end of 2022, Deputy Attorney General Lisa Monaco announced that misconduct that threatens national security will be deemed an aggravating factor that enforcers will consider when evaluating the severity of an enforcement action against a company. Funds for defense spending have increased dramatically across multiple sectors with the implementation of the National Defense Authorization Act (NDAA) for 2023. More specifically, for fiscal year 2023, the NDAA focuses on national security priorities, including “strategic competition with China and Russia; disruptive technologies like hypersonic weapons, artificial intelligence, [and] 5G”; and the modernization of defense ships, aircraft, and vehicles.
The False Claims Act (FCA) is one of the most important laws in the government’s toolbox to prevent fraudulent activity in government contracting and government programs. The FCA prohibits knowingly presenting or causing to be presented a false or fraudulent claim, record, or statement for payment or approval by the federal government or its agents; knowingly making or using, or causing to be used, a false record or statement “material” to a false or fraudulent claim; or conspiring with others to commit such a violation. Violations of the FCA may result in significant penalties, including civil penalties (ranging from $12,537 to $25,076) per false claim and treble the amount of the government’s damages. In the fiscal year ending Sept. 20, 2022, the Department of Justice obtained more than $2.2 billion in settlements and judgments from civil cases involving false claims and fraud.
With the U.S. government’s increased focus on national security and geopolitical issues, FCA enforcement focused on areas meant to combat national security threats will likely increase. In particular, 2023 and beyond may see increased enforcement related to federal contractors in the cybersecurity industry.
Monaco, during remarks at the American Bar Association’s (ABA’s) Institute on White Collar Crime, explained that the Justice Department will be “doubling down” on its efforts to combat cyber and crypto crime by focusing on prevention, deterrence, and accountability. While trade compliance—including shipment of covered articles to designated individuals—has traditionally been a more obvious and robust area for national security enforcement, especially since the 2017 blacklist of Kaspersky products from certain federal information systems, cybersecurity seems to be catching up. At the same ABA event in March, Monaco spoke directly about the need to address cyber vulnerabilities to prevent foreign cyberattacks. To “every general counsel [and] every executive board member,” she said that, “where your company discovers criminal misconduct, the pathway to the best resolution will involve prompt voluntary self-disclosure to the Department of Justice.” Monaco reassured potential whistleblowers that every U.S. Attorney’s Office that prosecutes corporate crime now has in place an operative and transparent voluntary self-disclosure program. The NDAA for 2023 took one step further and authorized increased spending for the Defense Department’s cybersecurity initiatives. Thus, considering the sharp increase in spending for military contracts, in conjunction with enforcers’ focus on national security, contractors should be vigilant regarding their cybersecurity controls. Otherwise, they risk facing a variety of criminal and civil enforcement actions, especially under the False Claims Act.
Further, the White House issued a new cybersecurity strategy in March focused, in part, on “shift[ing] the responsibility for security onto hardware and digital service providers.” The White House acknowledged that cyberattacks are becoming increasingly sophisticated and, to strengthen its own five-point strategy, called upon Congress to enact new legislation that (a) imposes duties on hardware and software vendors and (b) includes a safe harbor framework that enables vendors to mitigate litigation risks. As part of enacting the strategy, the administration indicated that it would use the False Claims Act to bring cases under the Justice Department’s Civil Cyber-Fraud Initiative—which is intended to “combat new and emerging cyber threats to the security of sensitive information and critical systems”—to ensure that government grantees and contractors live up to their cybersecurity obligations.
Recent enforcement matters further highlight the need for government contractors to take cybersecurity compliance seriously to avoid False Claims Act liability. The Justice Department has demonstrated increased commitment to scrutinizing the cybersecurity compliance certifications of government contractors, particularly for contractors in the aerospace and defense industries. For example, in July 2022, Aerojet Rocketdyne (Aerojet), an aerospace manufacturer, agreed to pay $9 million to resolve allegations that it violated the FCA by misrepresenting its compliance with cybersecurity requirements under a contract with the Defense Department and NASA. The lawsuit was brought as a qui tam action (which allows private individuals to sue on behalf of the U.S. to recover money that was fraudulently obtained) by an employee whistleblower who alleged that Aerojet failed to have the requisite controls for protecting sensitive information, as required under cybersecurity regulations. Despite these gaps, Aerojet still entered into the contract knowing that its system was not compliant. While Aerojet had previously disclosed that certain areas of its system were noncompliant, the judge in the action ruled that the whistleblower had sufficiently pleaded materiality under the FCA because Aerojet’s disclosure did not reveal the full extent of its noncompliance. The Aerojet case is the second settlement announced since the Justice Department’s launch of its Civil Cyber-Fraud Initiative in October 2021. It is also the first FCA cybersecurity compliance case to move past a motion to dismiss, a motion for summary judgment, and then trial and settlement.
The Justice Department also settled with Comprehensive Health Services (CHS)—a medical management services provider used by the federal government—to resolve allegations of falsely certifying its compliance with contractual cybersecurity requirements under a contract to provide medical services at Air Force and State Department facilities overseas. CHS submitted claims for payment for these services, despite its alleged failure to store patient medical data on a secure system. Both the CHS and Aerojet settlements suggest a new trend of relying on the FCA as a means to enforce contractors’ cybersecurity compliance, particularly for contractors working with sensitive government information. The most common cybersecurity failures that the Justice Department will look out for as an avenue for FCA liability include knowing failures to comply with cybersecurity standards, knowing misrepresentation of security practices and controls, and knowing failures to timely report suspected breaches.
With such invigorated focus on national security efforts, it is likely that the government and qui tam relators will enhance their scrutiny of contractors performing government and military contracts. This will likely translate into increased reliance on the False Claims Act to go after contractors found to support actors whom the U.S. government views as threats to the country’s national security. In fact, in October 2022, the Justice Department secured its first guilty plea for corporate material support for terrorism. In this case, a building materials manufacturer pleaded guilty to conspiring to provide material support and resources to designated foreign terrorist organizations (FTOs) in Syria. The charges stemmed from allegations that the company paid for permission to operate its cement plants in the territory. Enforcement agencies are aggressively pursuing national security-related concerns—both big and small.
While this matter did not involve allegations of FCA violations, qui tam relators have aggressively relied on the FCA to target entities that receive government funding and that may also be in violation of the material support statute. The cases traditionally involve recipients of USAID funds who in the course of their work for vulnerable populations end up working in areas controlled by FTOs. Whistleblowers have taken the position that such work violates certifications made to USAID in that it constitutes material support for FTOs. It is likely that the plaintiff bar will rely on such cases to also go after corporate defense contractors.
Given Russia’s increasing aggression in Ukraine, enforcement agencies have also increased scrutiny of compliance with Russia-related sanctions and export controls. As defense contracts may include representations regarding compliance with sanctions and export controls, including the International Traffic in Arms Regulations, it is likely that the government will add the False Claims Act to its sanctions and trade compliance toolkit.
In light of this strong shift toward national security-related enforcement, compliance should climb to (or near) the top of any contractor’s list of compliance priorities.