Surging cybersecurity threats will demand the help of whistleblowers in the coming year.

The topic may sound technical or even boring, but you notice more than you think you do. Cyber attacks cause major hiccups in everyday life — and billions of dollars are at stake. This year, cybersecurity breaches have resulted in compromised Social Security numbers, grounded flights, and health care system disruption, as well as threats to our federal government’s operations.

While many of these cybersecurity issues are ongoing, we’d like to highlight an emerging hot topic: cybersecurity in the U.S. Department of Defense. 

A looming threat

Bear with us — this is worth the journey.

The Defense Department recently announced new cybersecurity requirements, calling it a top priority because of increasingly frequent and complex cyberattacks. That’s a big deal: In terms of federal contracts, the DOD outspends all other agencies combined.

A cybersecurity certification program, which takes effect Dec. 16, is intended to protect the sensitive yet unclassified information that the DOD shares with contractors and subcontractors. If a company wants to win almost any contract with the DOD, it must comply with new cybersecurity requirements.

Sounds straightforward.

But obtaining that certification could cost a collective $39 billion during the next decade for the tens of thousands of companies covered by the rule. That creates a financial incentive for contractors and subcontractors to cut corners (i.e. commit fraud) on this crucial safeguard.

And there’s another risk: The DOD doesn’t have a great track record of holding its partners accountable. In a recent audit, it was unable to account for roughly $2 trillion worth of assets.

Wanted: Vigilant allies

Given this cascade of potential problems, the government — and its people — will need help from whistleblowers to guard against vulnerabilities and potential severe consequences. The financial fallout of cyberattacks surely would dwarf the $39 billion in compliance costs over 10 years.

Statista estimates that, in 2025 alone, the global cost of cybercrime will hit $10.3 trillion.

When whistleblowers alert the government to inadequate cybersecurity measures, those gaps can be fixed quickly and easily — before costly catastrophes. 

As we move into 2025, if you suspect a DOD contractor or subcontractor of intentionally cutting cybersecurity corners, contact Keller Grover for a free and confidential consultation. We work with potential whistleblowers from the very beginning to find the best path forward, helping minimize the impact of reporting, protect rights, pursue potential whistleblower awards, and achieve the optimal outcome.

For individual victims of cyber-scams, please visit the FBI’s Internet Crime Complaint Center for more information.

Protecting taxpayer money is one of the most important purposes of the False Claims Act. A false claim against the federal government is sometimes clear to see from a whistleblower’s standpoint, such as when unrendered services are billed to Medicare. But cybersecurity is becoming an increasingly important vulnerability for the federal government and the watchful eyes of whistleblowers who understand the complexities of information technology are needed more than ever.

This year, a botched security update by Crowdstrike cost an estimated $5.4 billion while taking computers at airports, hospitals and financial institutions offline, grounding flights and causing other disruptions. Change Healthcare was hacked by cybercriminals, disrupting healthcare payments and medical services across the country and causing more than $16 billion in damages. There was also a breach that may have compromised the Social Security number of every U.S. citizen.

As Keller Grover attorney Kate Scanlan points out in a recent article for the TAF Coalition, these three examples did not involve governmental entities but they nonetheless illustrate how all computer systems are vulnerable, including those operated by the federal government. An 2021 Executive Order noted that “the security of software used by the Federal Government is vital to the Federal Government’s ability to perform its critical functions,” and “there is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended.” The next year, the White House said the federal government is increasingly reliant “on information and communications technology (ICT) products and services to carry out critical functions.”

Last fiscal year, IT was the fifth-largest service procurement for agencies other than the Defense Department, totalling $10.2 billion. To protect that investment from cybercrime and preventable breaches, the federal government launched the Civil Cyber-Fraud Initiative, which includes pursuing False Claims Act liability for companies that falsely certify compliance with cyber security requirements. When whistleblowers who spot noncompliance with security standards step forward to report wrongdoing, they are helping prevent a future breach or attack that can not only cost taxpayers money but expose their private and personal data.

In three years since the Justice Department launched the initiative, it has led to nearly $30 million in recoveries and at least $5 million paid to whistleblowers who’ve come forward with information about cybersecurity fraud. In the initiative’s first full year, 2022, the government recovered $9 million when Aerojet Rocketdyne, Inc. resolved allegations that it had misrepresented its compliance with cybersecurity requirements in certain government contracts. Last year, Verizon Business Network Services paid slightly more than $4 million to settle claims that it failed to implement required cybersecurity controls in its Managed Trusted Internet Protocol Service (MTIPS) provided to federal agencies​.

As Kate wrote in her article, relying on whistleblowers to alert the government about inadequate cyber security is a proverbial ounce of prevention when we know it costs billions for a cure. For those who want to report such wrongdoing, it’s critical to engage a whistleblower attorney early in the process. With more than 30 years of combined experience litigating fraud and employment cases — and billions in recoveries for its clients — Keller Grover is uniquely positioned to represent whistleblowers. 

If you want to report cybersecurity fraud in your organization, we are here to help. For advice about how to handle suspected fraud, contact Keller Grover for a free and confidential consultation.

A recent $9 million settlement in a whistleblower case is a reminder that cybersecurity is a requirement for all contractors and grantees delivering services to the federal government, not just those providing information technology.

A former employee of Aerojet Rocketdyne Inc. filed a qui tam lawsuit against the company, alleging that it misrepresented its compliance with cybersecurity requirements, violating the False Claims Act. Aerojet, based in California, provides propulsion and power systems for launch vehicles, missiles and satellites, and other space vehicles to the Department of Defense, NASA and other federal agencies.

On the second day of trial this summer, Aerojet reached a settlement with the whistleblower, Brian Markus. His share of the $9 million False Claims Act recovery was $2.61 million.

“The qui tam action brought by Mr. Markus is an example of how whistleblowers can contribute to civil enforcement of cybersecurity requirements through the False Claims Act,” said Phillip A. Talbert, U.S. Attorney for the Eastern District of California. 

In October 2021, the Department of Justice started a Civil Cyber-Fraud Initiative in which it uses the False Claims Act to enforce cybersecurity requirements for those who contract with the government or receive federal grant money. Security threats from Russia and elsewhere have put a spotlight on all parties with access to government information and how they are protecting it.

The initiative stemmed from President Biden’s May 2021 Executive Order directing government agencies to improve the nation’s cybersecurity. Biden later issued a statement calling on the private sector to strengthen its cyber defenses immediately, citing “evolving intelligence that the Russian Government is exploring options for potential cyberattacks.”

Sara McLean, assistant director of the DOJ’s Commercial Litigation branch who is overseeing the Civil Cyber-Fraud Initiative, was interviewed earlier this year by Jeb White, president and CEO of the Taxpayers Against Fraud Education Fund, on the Fraud in America podcast. (Keller Grover attorney Kathleen R. Scanlan is an executive producer on the podcast). 

McLean said the Civil Cyber-Fraud Initiative is focused mainly on three areas: 

• A knowing failure of government contractors or grantees to abide by the cybersecurity requirements in their contracts or grants 
• Telling lies or misleading the government into entering some sort of financial relationship
• Failing to timely report breach incidents to the government

She also said the False Claims Act is the government’s primary tool for going after fraud involving public money. Part of the reason why the Act is so powerful, she said, is its whistleblower provision that rewards relators like Markus, the former Aerojet employee, with a percentage of the amount the government successfully recovers.

For those who want to report wrongdoing, engaging a whistleblower attorney who can guide them through the implications of litigation is crucial. Keller Grover is committed to helping whistleblowers navigate the process of reporting fraud to the government. 

With over 30 years of combined experience litigating fraud and employment cases and billions in recoveries for its clients, Keller Grover is uniquely positioned to represent whistleblowers. 

If you want to report cybersecurity fraud in your organization, we are here to help. For advice about how to handle suspected fraud, contact Keller Grover for a free and confidential consultation.