ETHICS CORNER CYBERSECURITY
The Nexus Between Cyber and Ethics
In September, Deputy Defense Secretary Patrick Shanahan commented that the Pentagon intends to hold industry accountable for improved cybersecurity, and in that regard “we’re in a new world.”
The department’s focus on increasing contractor accountability for cybersecurity compliance could lead to ethical and compliance problems as industry participants work to meet the evolving, sometimes uncertain contractual and technical standards, and their means of enforcement.
While these issues develop, however, contractors should address cybersecurity concerns in their ethics and compliance programs, as a means to change the culture of the organization to meet these “new world” requirements, and to ensure that a cybersecurity problem doesn’t create additional ethical or legal problems.
The Pentagon’s current approach for establishing and maintaining contractor compliance with cybersecurity standards is through the contract clause at Defense Federal Acquisition Regulation Supplement 252.204-7012, which as of Dec. 31, 2017, required covered contractors to implement the National Institute of Standards and Technology Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” Importantly, contractors “self-attest” to meeting those requirements, which is often a difficult assessment.
As the Defense Department warns in its guidance accompanying these requirements, however, “[u]ltimately, it is the contractor’s responsibility to determine whether it has implemented the NIST SP 800-171 (as well as any other security measures necessary to provide adequate security for covered defense information).”
More recently, in joint written testimony before the House Armed Services Committee, department leadership announced a pilot acquisition program dubbed “Deliver Uncompromised” that will increase the focus on and scope of contractor cybersecurity obligations. The program “aims to establish security as a fourth pillar in acquisition, on par with cost, schedule and performance” to highlight contractors’ obligation to enhance their cybersecurity capability. The pilot program will be implemented in the coming year.
Those views were confirmed when the Pentagon released its “Summary Department of Defense Cyber Strategy” in September. In setting its top-level strategy for defending civilian assets in the defense industrial base, the department promises to “set and enforce standards for cybersecurity, resilience and reporting,” and “hold DoD personnel and our private sector partners accountable for their cybersecurity practices and choices.”
With this increased attention on contractor cybersecurity as the “fourth pillar” of acquisition, the Pentagon is increasing the materiality and significance of contractors’ self-certifications regarding their compliance with these still-uncertain standards. This increases the risk that contractors may face contractual, civil or even criminal liabilities for implicit or explicit self-certifications that turn out to be incorrect, either through inadvertence or negligence, or through conduct that amounts to a reckless disregard of the truth of the self-certification or outright false statements.
At the contractual level, poor compliance could lead to a contractor being deemed ineligible for award, based on solicitation requirements and pre-award assessments of the contractor’s cybersecurity capabilities. After award, cybersecurity failures could constitute a material breach of contract resulting in claims for damages — either by the government or related prime and subcontractors — or even become grounds for contract termination.
At the enforcement level, self-certifications could be the basis for civil or criminal false claims prosecutions. At the civil level at least, this is not a theoretical risk. There have been at least two qui tam whistleblower actions brought against contractors regarding their compliance with Defense Department cybersecurity requirements. In both cases, the U.S. government declined to intervene in the matter, and one case was voluntarily dismissed while the other remains pending. Other cases could be pending but still under seal while the government investigates the allegations and decides whether to intervene.
While the requirements remain somewhat uncertain even as enforcement and scrutiny of cybersecurity increase, contractors should consider using ethics and compliance programs as an element of their cybersecurity strategy. A well-founded program should already define the core values and culture of the contractor’s organization, and adding cybersecurity awareness and compliance to the organization’s core values can help bring about the culture shift expected by the Pentagon.
The program should also include ongoing training, risk assessments and reporting of potential violations to management as well as to the government, under Federal Acquisition Regulation 52.203-13 Contractor Code of Business Ethics and Conduct. The FAR clause requires mandatory reporting of suspected fraud and other matters under 52.203-13 (b)(2), as well as the establishment of an ongoing business ethics awareness and compliance program with adequate internal controls and periodic risk assessments under 52.203-13(c).
These program elements should be aligned with the NIST standards to ensure that any reportable cybersecurity events are not only reported in accordance with the standards, but are also evaluated from an ethics and compliance perspective, including whether they might be reportable under the FAR rule. Likewise, any cybersecurity risk assessment that also addresses employee training and awareness or internal-control deficiencies should be reviewed as part of the ethics and compliance program.
Brian E. Sweeney’s legal practice, The Law Office of Brian E. Sweeney, focuses on technology, aerospace and defense, government and commercial contracts, and ethics and compliance programs. He can be reached at firstname.lastname@example.org.