Bittner & Cherot
Last October the federal government announced it was considering additions to the Federal Acquisition Regulations, or FAR, that would place new cybersecurity obligations on contractors. The rules are prompted by a 2021 Executive Order from President Joe Biden focused on protecting the country from new cybersecurity threats. These new rules underscore a growing challenge faced by contractors working for the federal government, as well as in other sectors.
If adopted, the rules will greatly expand FAR 52.239, imposing extensive requirements for safeguarding, reporting, and remediating cybersecurity breaches. Contractors using both cloud-based and non-cloud-based computing services will have to implement and maintain certain minimum security and privacy safeguards. And they will have to demonstrate to federal agencies through regular reporting that they are compliant.
One example demonstrates how serious the problem is. In September of last year, the federal Department of Homeland Security announced that a ransomware attack on government contractor Johnson Controls International had compromised sensitive DHS data. Johnson Controls is a major manufacturer of alarm and building automation systems. The hacked data included detailed descriptions of physical security systems in DHS facilities, including floor plans. Johnson Controls later admitted that the hackers stole more than 27 terabytes of data. The hackers demanded $51 million in ransom in exchange for destruction of the stolen data and delivery of a decryption key to “unlock” the frozen software.
Information depicting the physical security of DHS facilities is, of course, extremely sensitive. That sensitivity gave the hackers increased leverage as the contractor responded to the attack. In January this year, Johnson Controls reported that the attack had cost it about $27 million. The company warned that the cost was still climbing.
The other challenge is risk. The new FAR rules will, if adopted, require contractors to indemnify the federal government from “any liability” that is incurred “because of the contractor’s introduction of certain information or matter into government data or the contractor’s unauthorized disclosure of certain information and material.”
If the contractor’s software infects the government’s software, there is potential liability. The contractor would presumably need to demonstrate that it took all reasonable measures to safeguard against such an attack in order to avoid liability.
Then there is the increased risk of liability to parties other than the government. Contractors have traditionally enjoyed a special protection here. The “Government Contractor Defense” is an important legal immunity passed along to contractors, protecting them from claims brought by other parties for actions undertaken by the contractor at the behest of the federal government. The case that started it all was Boyle v. United Technologies, a lawsuit brought against a helicopter manufacturer by the family of a US Marine Corps co-pilot who drowned when an emergency escape system failed. The US Supreme Court held that allowing the family to sue using Virginia tort law would significantly conflict with federal interests. The decision was an extension of the “discretionary function” exception to government liability under the Federal Tort Claims Act.
The proposed new FAR rule requires that a contractor “waive any and all defenses that may be asserted for its benefit, including (without limitation) the ‘Government Contractor’s Defense’.”
The waiver will open up contractors to liability to other parties following a data breach or other cybersecurity incident. Consider what happened to government contractor SolarWinds in late 2020. A ransomware attack did not stop with SolarWinds but passed on “malicious code” to at least nine federal agencies and 100 private-sector companies. In that scenario, both the federal government and aggrieved third parties can claim that the insufficient cybersecurity measures of the hacked contractor were to blame.
Where the FAR goes, other contracting systems are not far behind. State, local, and even private contracts may soon see similar provisions requiring heightened vigilance by contractors. The result will be added costs in the form of additional IT support, administrative reporting, and insurance. Cybersecurity firms will become a part of the basic stable of subcontractors maintained by general contractors for every project. The precautions required from contractors are likely to become only more stringent over time.