The Justice Department is set to prosecute government contractors and other businesses that receive grants from the U.S. government if they fail to report breaches of their computer systems or misrepresent their cybersecurity practices, the department's No. 2 official said Wednesday.
Deputy Attorney General Lisa Monaco said the department was ready to take action under the False Claims Act, a law that allows the government to sue over embezzled federal funds. The Justice Department will also protect whistleblowers who report these issues, she said.
“For too long, companies have chosen silence, mistakenly believing that it is less risky to hide a violation than to expose and report it. Well, that is changing today,” said Monaco.
The action, unveiled at the Aspen Cyber Summit, is aimed at contractors who either fail to report hacks or knowingly supply deficient cybersecurity products. It is an extension of an ongoing review of the Department of Justice’s cyber policy and is also part of a broader Biden administration effort to get contractors and private companies to share information about breaches with the government and strengthen their own cybersecurity defenses.
Officials have repeatedly spoken of the need for better private sector engagement as the government faces an increase in ransomware attacks that last year targeted critical infrastructure and large corporations.
In 2019, a ransomware attack wiped out 750 government computers across Texas in less than 90 minutes. As hospitals, local governments, agencies, and businesses increasingly become the targets of ransomware attacks, here’s what you need to know about the threat.
The measure underscores how the government views cyber attacks as harmful not only to an individual business, but also to the American public in general, especially given the recent attacks on a major fuel pipeline and a meat processor.
“When those who are entrusted with government dollars, who are responsible for working on sensitive government systems, fail to meet the required cybersecurity standards, we will continue that behavior and get very heavy fines,” Monaco said.
Monaco also announced the creation of a new cryptocurrency enforcement team within the department, composed of experts in cybersecurity and money laundering, aimed at destabilizing the financial ecosystem that fuels ransomware attacks and the criminal hacking gangs behind them.
The action follows Treasury Department sanctions last month against a Russia-based virtual currency brokerage firm that officials say has helped at least eight ransomware gangs launder virtual currency.
Monaco’s appearance came hours after the publication of a CNBC opinion piece urging Congress to pass a law creating a national standard for reporting significant cyber incidents so that information about digital attacks can be quickly disseminated throughout the federal government.
Most violations, she wrote, go unreported to law enforcement.
“The current gap in reporting hampers the government’s ability to fight not only the threat of ransomware, but also all cybercrime activity,” Monaco wrote. “This means we are going on our own, without key information from our private sector partners, and that must change, today.”
Separately, Homeland Security Secretary Alejandro Mayorkas said on Wednesday that new regulations would be forthcoming for railways and transit entities.
Mayorkas said the Transportation Security Administration will issue a safety directive this year that will require railways and transport entities to comply with new regulations similar to those issued in May for pipeline operators as a result of the hack of Colonial Pipeline, which disrupted gas supplies in several states.
What the secretary called “higher risk” railways and transport entities will be required to identify a cybersecurity contact, report incidents to the Cybersecurity and Infrastructure Security Agency and develop a contingency and recovery plan in the event of malicious cyber activity.
Those deemed “at low risk” will be subject to guidelines that “encourage” them to take these steps but do not require it, Mayorkas said in a speech at the Billington summit on cybersecurity.
He did not specify which railways or transit entities fell into either category.
Associated Press writer Ben Fox contributed to this report.