Raytheon settles its civil case over federal security regs, while feds indict Ukrainian national for alleged Nefilim ransomware activities. – Go Health Pro

Two Justice Department cybersecurity cases announced May 1 underscored the complex challenges the department faces in policing cybersecurity issues.

The first case involved an $8.4 million civil settlement with Raytheon Company and Nightwing resolving allegations that Raytheon violated the False Claims Act by failing to comply with federal cybersecurity controls on 29 Defense Department contracts.

In the second case, Ukrainian national Artem Stryzhak was extradited from Spain and indicted in federal court in Brooklyn for alleged involvement in a series of attacks using the Nefilim ransomware.

According to the Justice Department, Nefilim's preferred targets were companies located in the United States, Canada, or Australia with more than $100 million in annual revenue. Stryzhak and others are alleged to have researched the companies to which they gained unauthorized access, including by using online databases to gather information about the victim companies' net worth, size, and contact information.

Morgan Wright, a senior fellow at the Center for Digital Government, said that in the grand scheme Raytheon got off pretty cheap, considering the original contract was worth more than $1 billion. However, Wright said the case still highlights the issues in the defense industrial sector, which is that the companies delivering cybersecurity services are themselves negligent in their own practices.

"Civil judgments to force compliance will lose effectiveness over time," said Wright. "Filing criminal charges against companies for willful criminal conduct will do more to improve compliance than slaps on the wrist. Sarbanes-Oxley validated that legislation will have a lasting impact when litigation and regulation fail. When's the last time a CEO was perp-walked by the FBI for misstating financials?"

On the extradition of the Ukrainian national, Wright called the case a "snoozer," saying that extraditing one person will not have much impact.

"To them, it's the cost of doing business," said Wright. "Eventually, someone is going to get nabbed. The way to put a stake in the heart of ransomware is to go after the payment mechanism and not make anecdotal arrests. While the dollar amount is significant, it's the same world view the cartels had. The only way to lose a lot of money is to have made a ton of money."

Dave Gerry, chief executive officer at Bugcrowd, pointed out that these are two very different examples: one relating to a well-respected U.S. company that was held accountable to contractual requirements, and one relating to a foreign national maliciously attacking U.S. interests.

"But the message is clear," said Gerry. "Cybersecurity has real-world consequences and the U.S. government is serious about enforcing the law."
