How the DOJ is using a Civil War-era law to enforce corporate cybersecurity
The Record: The DOJ is using the Civil Cyber-Fraud Initiative and the False Claims Act to hold contractors accountable for misleading the government about their cybersecurity measures. Since early 2022, the DOJ has settled five cyber-fraud cases, involving companies like Verizon, Aerojet Rocketdyne, and Insight Global, for misrepresenting their cybersecurity practices. These settlements highlight the DOJ’s commitment to using the False Claims Act to enforce cybersecurity standards in federal contracts and signal to other contractors the importance of compliance. The initiative leverages the 1863 False Claims Act, which penalizes those who defraud the government by misrepresenting service quality. DOJ officials are promising more prosecutions, indicating a growing focus on cybersecurity enforcement. While some business leaders express concerns about the potential burdens of these measures, the DOJ has reassured them that it targets willful negligence, not accidents or innocent mistakes. This initiative is part of broader efforts by the Biden administration to improve digital security, which include new disclosure requirements from agencies like CISA, the SEC, and HUD. The DOJ’s actions represent a shift from encouraging voluntary compliance to enforcing stricter accountability, reflecting the administration’s frustration with the effectiveness of previous efforts.
Ransomware Group Claims Responsibility for Christie’s Hack
NYTimes ($): A hacker group named RansomHub claimed responsibility for a cyberattack on Christie’s website just before its spring sales, forcing the auction house to use alternatives to online bidding. On the dark web, RansomHub posted examples of names and birthdays of wealthy art collectors, threatening to release more data by the end of May. Christie’s confirmed unauthorized access to parts of its network and stated that some personal data of clients was taken, though there was no evidence of financial or transactional records being compromised. The hackers demanded a ransom, which Christie’s did not pay, leading RansomHub to threaten fines under GDPR and reputation damage. Cybersecurity experts believe RansomHub, possibly linked to ALPHV, is a powerful ransomware group. Despite the hack, Christie’s spring sales proceeded, netting $528 million. The auction house is notifying privacy regulators and affected clients.
CISO as a CTO: When and Why It Makes Sense
Dark Reading: As the role of the CISO evolves, security executives are increasingly transitioning into broader executive positions within the C-suite, such as Chief Risk Officer (CRO), Chief Information Officer (CIO), and notably, Chief Technology Officer (CTO). This shift reflects the growing recognition of the business acumen and strategic thinking that CISOs bring to their organizations. Companies like 20th Century Fox, Bank of America, and Fifth Third Bank have elevated their CISOs to CTO roles, highlighting the trend. In addition, Equifax recently appointed Jamil Farshchi to a dual CTO and CISO position. Farshchi emphasized the natural fit of his new role, given his extensive experience in technology and direct reporting to the CEO. CISOs possess skills that are highly applicable to CTO roles, including strategic thinking, cross-functional collaboration, and operational expertise. A significant advantage of CISOs becoming CTOs is their inherent risk management mindset, which can advance secure-by-design initiatives. This approach ensures that security considerations are integrated early in the innovation lifecycle, promoting the development of secure products from the outset. Overall, the transition of CISOs into CTO roles is a promising trend, leveraging their unique blend of security and business skills to enhance organizational resilience and innovation.
A recent survey found that 34% believe organizations are focusing enough on AI ethics, while 32% think they are adequately addressing deployment concerns like data privacy and bias. (source)
In 2012, the Information Commissioner’s Office in the UK issued its first-ever data breach fine to an NHS (National Health Service) organization, fining Aneurin Bevan Health Board in Wales £70,000. (source)