The Nexus Between Cyber and Ethics

ETHICS CORNER CYBERSECURITY

The Nexus Between Cyber and Ethics

11/2/2018
By Brian E. Sweeney

Photo: iStock

In September, Deputy Defense Secretary Patrick Shanahan commented that the Pentagon intends to hold industry accountable for improved cybersecurity, and in that regard “we’re in a new world.”

The department’s focus on increasing contractor accountability for cybersecurity compliance could lead to ethical and compliance problems as industry participants work to meet the evolving, sometimes uncertain contractual and technical standards, and their means of enforcement.

While these issues develop, however, contractors should address cybersecurity concerns in their ethics and compliance programs, as a means to change the culture of the organization to meet these “new world” requirements, and to ensure that a cybersecurity problem doesn’t create additional ethical or legal problems.

The Pentagon’s current approach for establishing and maintaining contractor compliance with cybersecurity standards is through the contract clause at Defense Federal Acquisition Regulation Supplement 252.204-7012, which as of Dec. 31, 2017, required covered contractors to implement the National Institute of Standards and Technology Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” Importantly, contractors “self-attest” to meeting those requirements, which is often a difficult assessment.

As the Defense Department warns in its guidance accompanying these requirements, however, “[u]ltimately, it is the contractor’s responsibility to determine whether it is has implemented the NIST SP 800-171 (as well as any other security measures necessary to provide adequate security for covered defense information).”

More recently, in joint written testimony before the House Armed Services Committee, department leadership announced a pilot acquisition program dubbed “Deliver Uncompromised” that will increase the focus on and scope of contractor cybersecurity obligations. The program “aims to establish security as a fourth pillar in acquisition, on par with cost, schedule and performance” to highlight contractors’ obligation to enhance their cybersecurity capability. The pilot program will be implemented in the coming year.

Those views were confirmed when the Pentagon released its “Summary Department of Defense Cyber Strategy” in September. In setting its top-level strategy for defending civilian assets in the defense industrial base, the department promises to “set and enforce standards for cybersecurity, resilience and reporting,” and “hold DoD personnel and our private sector partners accountable for their cybersecurity practices and choices.”

With this increased attention on contractor cybersecurity as the “fourth pillar” of acquisition, the Pentagon is increasing the materiality and significance of contractors’ self-certifications regarding their compliance with these still-uncertain standards. This increases the risk that contractors may face contractual, civil or even criminal liabilities for implicit or explicit self-certifications that turn out to be incorrect, either through inadvertence or negligence, or through conduct that amounts to a reckless disregard of the truth of the self-certification or outright false statements.

At the contractual level, poor compliance could lead to a contractor being deemed ineligible for award, based on solicitation requirements and pre-award assessments of the contractor’s cybersecurity capabilities. After award, cybersecurity failures could constitute a material breach of contract resulting in claims for damages — either by the government or related prime and subcontractors — or even become grounds for contract termination.

At the enforcement level, self-certifications could be the basis for civil or criminal false claims prosecutions. At the civil level at least, this is not a theoretical risk. There have been at least two qui tam whistleblower actions brought against contractors regarding their compliance with Defense Department cybersecurity requirements. In both cases, the U.S. government declined to intervene in the matter, and one case was voluntarily dismissed while the other remains pending. Other cases could be pending but still under seal while the government investigates the allegations and decides whether to intervene.

While the requirements remain somewhat uncertain but enforcement and scrutiny over cybersecurity increases, contractors should consider using ethics and compliance programs as an element of their cybersecurity strategy. A well-founded program should already define the core values and culture of the contractor’s organization, and adding cybersecurity awareness and compliance to the organization’s core values can help bring about the culture shift expected by the Pentagon.

The program should also include ongoing training, risk assessments and reporting of potential violations to management as well as to the government, under Federal Acquisition Regulation 52.203-13 Contractor Code of Business Ethics and Conduct. The FAR clause requires mandatory reporting of suspected fraud and other matters under 52.203-13 (b)(2), as well as the establishment of an ongoing business ethics awareness and compliance program with adequate internal controls and periodic risk assessments under 52.203-13(c).

These program elements should be aligned with the NIST standards to ensure that any reportable cybersecurity events are not only reported in accordance with the standards, but are evaluated from an ethics and compliance perspective, and whether they might also be reportable under the FAR rule. Likewise, any cybersecurity risk assessment that also addresses employee training and awareness or internal controls deficiencies should be looked at as part of the ethics and compliance program.

Brian E. Sweeney’s legal practice, The Law Office of Brian E. Sweeney, focuses on technology, aerospace and defense, government and commercial contracts, and ethics and compliance programs. He can be reached at besweeney@besweeneylaw.com.

Topics: Cyber, Cybersecurity, Ethics, Ethics Corner

Comments (0)

Name *

Email *

Comment *

Please enter the text displayed in the image.

Characters *

Legal Notice *

NDIA is not responsible for screening, policing, editing, or monitoring your or another user's postings and encourages all of its users to use reasonable discretion and caution in evaluating or reviewing any posting. Moreover, and except as provided below with respect to NDIA's right and ability to delete or remove a posting (or any part thereof), NDIA does not endorse, oppose, or edit any opinion or information provided by you or another user and does not make any representation with respect to, nor does it endorse the accuracy, completeness, timeliness, or reliability of any advice, opinion, statement, or other material displayed, uploaded, or distributed by you or any other user. Nevertheless, NDIA reserves the right to delete or take other action with respect to postings (or parts thereof) that NDIA believes in good faith violate this Legal Notice and/or are potentially harmful or unlawful. If you violate this Legal Notice, NDIA may, in its sole discretion, delete the unacceptable content from your posting, remove or delete the posting in its entirety, issue you a warning, and/or terminate your use of the NDIA site. Moreover, it is a policy of NDIA to take appropriate actions under the Digital Millennium Copyright Act and other applicable intellectual property laws. If you become aware of postings that violate these rules regarding acceptable behavior or content, you may contact NDIA at 703.522.1820.

I have read the legal notice.

Find an Article VIEW ALL ARTICLES