ARSTECHNICA.COM
In IT? Need cash? Cybersecurity whistleblowers are earning big payouts.
The US government now relies on whistleblowers to bring many cases.

Nate Anderson, Dec 16, 2024 5:38 pm

Credit: Getty Images | spxChrome

Matthew Decker is the former chief information officer for Penn State University's Applied Research Laboratory. As of October, he's also $250,000 richer.

In his Penn State position, Decker was well placed to see that the university was not implementing all of the cybersecurity controls that were required by its various contracts with NASA and the Department of Defense (DoD). It did not, for instance, use an external cloud services provider that met the DoD's security guidelines, and it fudged some of the self-submitted "scores" it made to the government about Penn State's IT security.

So Decker sued the school under the False Claims Act, which lets private individuals bring cases against organizations on behalf of the government if they come across evidence of wrongdoing related to government contracts. In many of these cases, the government later "intervenes" to assist with the case (as it did here), but whether it does so or not, whistleblowers stand to collect a percentage of any fines if they win.

In October, Penn State agreed to a $1.25 million settlement with the government; Decker got $250,000 of the money.

On the regular

This now happens in IT with some regularity.

In November, Dell, Dell Federal Systems, and Iron Bow Technologies settled with the government for $4.3 million over claims that they "violated the False Claims Act by submitting and causing the submission of non-competitive bids to the Army and thereby overcharging the Army under the Army Desktop and Mobile Computing 3 (ADMC-3) contract."

But once again, this wasn't something the government uncovered on its own; a whistleblower named Brent Lillard, who was an executive at another company in the industry, brought the initial complaint. For his work, Lillard just made $345,000.

In early December, Gen Digital (formerly Symantec) paid a much larger fee, $55.1 million, after losing a trial in 2022. Gen Digital/Symantec was found liable for charging the government higher prices than it charged to companies.

Once again, the issue was brought to light by a whistleblower, Lori Morsell, who oversaw the contract for Gen Digital/Symantec. Morsell's award has not yet been determined by the court, but given the amount of the payout, it should be substantial.

False Claims Act goes digital

Due to the complexity of investigating, or even finding out about, technical failures and False Claims Act cases from outside an organization, the government has increasingly relied on whistleblowers to kick-start these sorts of IT cases.

The False Claims Act goes back to the Civil War, when it was used against unscrupulous vendors who sold poor-quality goods to the Union army. Today, it has become the tool of choice to prosecute cyber-failures by government contractors, largely because of the Act's robust whistleblower rules (technically known as its "qui tam" provisions).

This was, even just a few years ago, a novel proposition. In 2020, the law firm Carlton Fields noted that "two significant whistleblower cases sent ripples through the False Claims Act (FCA) community by demonstrating the specter of FCA liability resulting from the failure to comply with cybersecurity requirements in government contracts."

In one of these cases, Brian Markus earned $2.61 million for his False Claims Act case against Aerojet Rocketdyne. In the other, James Glenn sued Cisco over a video surveillance product that had known security flaws and yet was sold to numerous government agencies. Cisco eventually paid $8.6 million, of which Glenn walked away with more than $1 million.

By 2021, however, using False Claims Act cases to go after government contractors, especially in the IT sector, had become downright normal. The Department of Justice even stood up a special program called the Civil Cyber-Fraud Initiative to assist with such cases. In a late 2021 speech, Acting Assistant Attorney General Brian Boynton said that the initiative would use whistleblowers and the False Claims Act to focus on three things:

- Knowing failures to comply with contractual cyber standards
- Knowing misrepresentation of security controls and practices
- Knowing failure to report suspected breaches in a timely fashion

In the last four years, the initiative has brought in judgments and settlements against many major companies like Boeing (which paid $8.1 million in 2023; several whistleblowers split $1.5 million), and it has gone after huge universities like Penn State (see above) and Georgia Tech (earlier this year, still tied up in court).

Blowing a whistle for years

These cases all rely on insiders, and the payouts can be hefty, but the cases can also take years to reach their conclusions. The Cisco case, for instance, lasted eight years before the whistleblower got his money. The Penn State case was relatively speedy by contrast: a mere two years from its filing in October 2022 to the university's payout earlier this year.

To report fraud against the federal government, contact the Department of Justice here. But be aware that, if you're hoping to collect a share of any future payout, you generally need to retain a lawyer and file a whistleblower case first.

Nate Anderson, Deputy Editor
Nate is the deputy editor at Ars Technica. His most recent book is In Emergency, Break Glass: What Nietzsche Can Teach Us About Joyful Living in a Tech-Saturated World, which is much funnier than it sounds.