By the Constantine Cannon Whistleblower Team
On May 1, the Department of Justice (DOJ) settled its latest cybersecurity enforcement action, showing the Government’s continued commitment to using the False Claims Act go after cybersecurity fraud. Under the settlement, RTX subsidiary Raytheon Company and Nightwing Group agreed to pay $8.4 million to settle charges of violating key cybersecurity requirements in various Department of Defense (DoD) contracts. Even though the contracts were with Raytheon, DOJ swept Nightwing into the action because it acquired RTX’s cybersecurity business in March 2024.
GOVERNMENT CONTRACTORS MUST ENSURE STRICT CYBERSECURITY CONTROLS
Under the Federal Acquisition Regulations that govern defense contracts, Government contractors must provide adequate security for information systems that process or store sensitive defense information. According to the Government, Raytheon failed to comply with these cybersecurity requirements on 29 DoD contracts and subcontracts.
In announcing the settlement, a chorus of Government enforcers stressed the critical need to maintain proper cybersecurity controls and the Government’s commitment to go after contractors that fall short:
“Cyber threats have grown in size and reach in recent years, leaving no room for complacency among those in the public sector, private sector, or even among private citizens. Government contractors must comply with the cybersecurity rules that govern their performance and be candid about their compliance. This settlement reflects the Government’s commitment to pursue contractors that fail to live up to those expectations.” [DC US Attorney Edward Martin, Jr.]
“As cyber threats continue to evolve, it is critical that defense contractors take the required steps to protect sensitive government information from bad actors. We will continue our efforts to hold contractors accountable when they fail to honor their DoD cybersecurity commitments.” [Acting Assistant AG Yaakov Roth]
“[We] will continue to protect our service members and military technological edge by ensuring defense contractors strictly adhere to their cyber security contractual obligations.” [DoD Special Agent Kenneth DeChellis]
“Failure to implement cybersecurity requirements can have devastating consequences, leaving sensitive DoD data vulnerable to cyber threats and malicious actors. [We] will continue to combat fraud affecting the Department of the Air Force and hold those accountable that fail to properly safeguard sensitive defense information.” [Air Force Special Agent William Richards]
“Strict compliance with contractual cybersecurity requirements is of dire importance to adequately safeguard sensitive information from sophisticated adversaries, assure the safety of our warfighters, and maintain our military’s competitive edge. [We] remain committed to investigating entities that do not responsibly protect critical information entrusted to them.” [Navy Special Agent Greg Gross]
CYBERSECURITY FRAUD REMAINS A TOP ENFORCEMENT PRIORITY FOR THE TRUMP ADMINISTRATION
This settlement follows a string of recent cybersecurity settlements the Government has extracted from federal contractors for failing to protect confidential information. Most recently in March, Massachusetts-based MORSECORP agreed to pay $4.6 million to settle DOJ charges of failing to comply with cybersecurity requirements in its Army and Air Force contracts. And two weeks before that, California-based Health Net Federal Services agreed to pay $11.3 million to settle similar charges relating to certain DoD contracts.
In its 2024 False Claims Act Roundup, cybersecurity failures was one of the primary areas of fraud enforcement to which DOJ pointed. It has been that way for years since the agency’s 2021 launch of the Cyber-Fraud Initiative “to promote cybersecurity compliance by government contractors and grantees by holding them accountable when they knowingly violate applicable cybersecurity requirements.”
With these recent settlements, there seems little doubt the Trump Administration is committed to cracking down on contractors who fail in their cybersecurity obligations. This is particularly reassuring given what many have viewed as the Administration’s lackadaisical response to the Signal fiasco where high-level Government officials inadvertently shared sensitive military plans with a journalist.
In an article he wrote last year for Washington Technology, Constantine Cannon whistleblower partner Gordon Schnell highlighted what he described as DOJ’s crusade against cybersecurity fraud and that “those doing business with the government would be wise to get their data protection systems in order or they may find themselves next up on DOJ’s cybersecurity hit list.”
With the Raytheon settlement, Schnell sees no slowing down in the Government’s focus on cybersecurity fraud.
WHISTLEBLOWERS ARE CRITICAL TO UNCOVERING CYBERSECURITY FRAUD
Like most False Claims Act cases, the Raytheon action originated with a whistleblower lawsuit under the qui tam provisions of the statute, which allow private parties to bring lawsuits on behalf of the Government against those that commit fraud against the Government. In return, successful whistleblower can receive up to 30% of the Government’s recovery.
The whistleblower here was Branson Kenneth Fowler, Sr., a former Raytheon Director of Engineering. He will receive an award of roughly $1.5 million from the proceeds of the Government’s recovery. Over the past 30 years, whistleblowers have received almost $10 billion in whistleblower awards under the False Claims Act. Whistleblowers are especially important in uncovering cybersecurity fraud given the lack of visibility into the cybersecurity protocols in which most companies engage.
CONSTANTINE CANNON REPRESENTS CYBERSECURITY WHISTLEBLOWERS
Constantine Cannon has substantial experience representing cybersecurity whistleblowers under the False Claims Act. Indeed, the firm represented the whistleblower in the first successful cybersecurity case ever brought under the False Claims Act. That case resulted in Cisco Systems agreeing to pay $8.6 million to settle charges of selling the Government noncompliant video surveillance software vulnerable to unauthorized access and manipulation. Our client received a whistleblower award of 20% of the government’s recovery.
If you would like more information about that case and our other work representing cybersecurity whistleblowers, or would like to learn more about what it means to be a whistleblower under the False Claims Act, please don’t hesitate to contact us. We will connect you with an experienced member of the Constantine Cannon Whistleblower Team for a free and confidential consult.
Read Trump Administration Signals Strong Commitment to Stopping Cybersecurity Fraud at constantinecannon.com
Leave A Comment