Adam Cook
Partner, Birch Horton Bittner & Cherot
CONTRACTORS & THE LAW
Heightened Protection
New cybersecurity requirements on the horizon
By Adam Cook
Last October the federal government announced it was considering additions to the Federal Acquisition Regulations, or FAR, that would place new cybersecurity obligations on contractors. The rules are prompted by a 2021 Executive Order from President Joe Biden focused on protecting the country from new cybersecurity threats. These new rules underscore a growing challenge faced by contractors working for the federal government, as well as in other sectors.

If adopted, the rules will greatly expand FAR 52.239, imposing extensive requirements for safeguarding, reporting, and remediating cybersecurity breaches. Contractors using both cloud-based and non-cloud-based computing services will have to implement and maintain certain minimum security and privacy safeguards. And they will have to demonstrate to federal agencies through regular reporting that they are compliant.

Vulnerability Poses National Risks
For an idea of what the federal government is trying to address, consider the ongoing threat of ransomware. Ransomware is malicious software that encrypts a user’s or organization’s critical data, making files, databases, or applications inaccessible. Once the data is encrypted, the attacker demands a ransom payment in exchange for a decryption key or other tool for regaining access to the encrypted files. Ransomware can infiltrate a system at any time through means such as phishing emails, malicious links, or the exploitation of other vulnerabilities in a system. The damage can be severe. Victims can face significant financial losses and disruption.

One example demonstrates how serious the problem is. In September of last year, the federal Department of Homeland Security announced that a ransomware attack on government contractor Johnson Controls International had compromised sensitive DHS data. Johnson Controls is a major manufacturer of alarm and building automation systems. The hacked data included detailed descriptions of physical security systems in DHS facilities, including floor plans. Johnson Controls later admitted that the hackers stole more than 27 terabytes of data. The hackers demanded $51 million in ransom in exchange for destruction of the stolen data and delivery of a decryption key to “unlock” the frozen software.

Information depicting the physical security of DHS facilities is, of course, extremely sensitive. That sensitivity gave the hackers increased leverage as the contractor responded to the attack. In January this year, Johnson Controls reported that the attack had cost it about $27 million. The company warned that the cost was still climbing.

Demise of the Government Contractor’s Defense
Most contractors are already aware that vigilance against cybersecurity threats is a part of their job. The proposed FAR provisions shine a light on two hurdles contractors now must deal with as a part of their work. One is dedicating valuable resources to developing and maintaining a security system that complies with applicable regulations and secures against the latest threats. Contractors are not necessarily in the business of information technology. But they cannot avoid the expansive impact new requirements will have on their organization and their bottom line.

The other challenge is risk. The new FAR rules will, if adopted, require contractors to indemnify the federal government from “any liability” that is incurred “because of the contractor’s introduction of certain information or matter into government data or the contractor’s unauthorized disclosure of certain information and material.”

If a compromise of the contractor’s systems spreads to the government’s systems, there is potential liability. The contractor would presumably need to demonstrate that it took all reasonable measures to safeguard against such an attack in order to avoid liability.

Then there is the increased risk of liability to parties other than the government. Contractors have traditionally enjoyed a special protection here. The “Government Contractor Defense” is an important legal immunity passed along to contractors, protecting them from claims brought by other parties for actions undertaken by the contractor at the behest of the federal government. The case that started it all was Boyle v. United Technologies, a lawsuit brought against a helicopter manufacturer by the family of a US Marine Corps co-pilot who drowned when an emergency escape system failed. The US Supreme Court held that allowing the family to sue using Virginia tort law would significantly conflict with federal interests. The decision was an extension of the “discretionary function” exception to government liability under the Federal Tort Claims Act.

The proposed new FAR rule requires that a contractor “waive any and all defenses that may be asserted for its benefit, including (without limitation) the ‘Government Contractor’s Defense’.”

The waiver will open up contractors to liability to other parties following a data breach or other cybersecurity incident. Consider what happened to government contractor SolarWinds in late 2020. A ransomware attack did not stop with SolarWinds but passed on “malicious code” to at least nine federal agencies and 100 private-sector companies. In that scenario, both the federal government and aggrieved third parties can claim that the insufficient cybersecurity measures of the hacked contractor were to blame.

A Likely Chain Reaction
For many contractors, the most valuable protection against such liability will be insurance. Insurers already provide policies that can protect contractors against such breaches. It is foreseeable that cybersecurity policies will become an insurance requirement as routine as general liability and builder’s risk. The additional cost of these policies will have to be carried by contractors and, ultimately, passed along to their customers.

Where the FAR goes, other contracting systems are not far behind. State, local, and even private contracts may soon see similar provisions requiring heightened vigilance by contractors. The result will be added costs in the form of additional IT support, administrative reporting, and insurance. Cybersecurity firms will become a part of the basic stable of subcontractors maintained by general contractors for every project. The precautions required from contractors are likely to become only more stringent over time.

Adam Cook is a partner at the law offices of Birch Horton Bittner & Cherot in Anchorage. He has specialized in assisting federal and state contractors, and in particular builders and engineers, with their legal needs for more than seventeen years.