The DOJ wants you to admit your cybersecurity problem

So the recent news that the Justice Department plans to use Civil War-era powers, derived from the so-called “Lincoln Law,” to enforce cybersecurity disclosure is a fun exercise in worlds colliding. I’m no lawyer, but I feel pretty confident that Honest Abe didn’t intend this law to force companies to disclose they’ve been hacked.

Tech executives have recently bristled at the possibility of old laws applying to new things. Remember when the CEO of crypto wallet Coinbase accused the Securities and Exchange Commission of acting “sketchy” in regards to Coinbase’s yes-I’m-pretty-sure-this-is-a-security lending product? The company’s chief lawyer doubled down in a blog post, insinuating that because the relevant court decisions dated back to the Truman and Bush I presidencies, they were somehow not applicable to the crypto economy. 

Now the DOJ said it’s ready to apply the 19th century “Lincoln Law”, officially called the False Claims Act, in a novel way — that is, to require companies to disclose “cybersecurity incidents and breaches.” The idea here is that, businesses that serve as government contractors must disclose everything to the government about any incidents — and, potentially, to the public at large. To date, the DOJ has used the law prolifically to go after Medicare fraud by healthcare companies and kickbacks by opioid manufacturers, after the law was updated during the Obama administration. In December, the government telegraphed that it may use the law to enforce cyber disclosures, which an Assistant Attorney General acknowledged would be an “expanded” use of the statutes.

Since the government awarded about 5 million private contract jobs in 2020, according to the Brookings Institute, the list of companies that would fall under the new cyberdisclosure regime is going to be long. If the contractors don’t disclose breaches, they could face a civil lawsuit, fines, and potentially losing the US government as a client.

I’ve written before about the complexities of disclosure. Must every hacking attempt be aired? What if the company says it’s not a “material” breach? And doesn’t this shut out the smallest mom-and-pop contractors?

As a journalist, I’m biased toward transparency. I just got a message phishing for my information to my email account last night, one of many I’m aware of during the last few months. As far as I can tell, the current system of secrecy around corporate breaches just isn’t working. We’re all getting hacked all the time and we’re just pretending that it’s not happening. 

The DOJ’s disclosure rules are a kind of group therapy. The agency would like to welcome you into a closed room where everyone talks about their problems. As anyone who’s been a part of a 12-step program knows, the first step toward fixing a problem is admitting that you have one in the first place. 

Will it work? Who knows? The DOJ has to actually enforce it, and that may be too big of an ask. There is a whistleblower component, which could be the kind of whipping stick needed to actually get companies to comply. But a lot of companies will probably take their chances and ignore it, and probably get away with it, until they’re exposed after the fact.

Kevin T. Dugan
@kevintdugan

NEWSWORTHY

Blowing in the wind. The people behind the SolarWinds hack, believed to be part of a Russian state operation, took information about the U.S.’s Russian counter-intelligence operations and sanctions, says Reuters. The lost counterintelligence information, which included U.S. intelligence tactics and targets, is said to be among the most sensitive of the breached files. To date, nine federal agencies are known to have been breached in the hack. 

Ad buy. Twitter sold MoPub, a mobile ad company, to AppLovin in a $1.05 billion cash deal. MoPub let users sell ad space and reach a mobile audience, according to the Wall Street Journal. The sale comes as Twitter tries to make more money off its platform and increase its share price in line with its biggest competitors. 

Amazon EV. Electric vehicle maker Rivian, which is prepping to sell its shares on the public markets, disclosed that Amazon’s stake is larger than previously thought — about 20-25%, according to The Verge. The company also has about 48,000 preorders for its vehicles, though questions still remain about its capacity. 

Emerald Isle. Binance, the world’s largest crypto exchange, plans to establishing one of its headquarters in Ireland as its CEO Changpeng Zhao seeks to improve relations with regulators, according to Reuters. The company previously hasn’t had a central location, but has run into scrutiny from European and U.S. regulators over its compliance with anti-money laundering laws.

FOOD FOR THOUGHT

Hold my beer. Reporter Zeke Faux at Bloomberg has a truly bonkers story about Tether, the so-called stablecoin that is — surprise! — maybe not so stable. You have to read the whole thing. In the early years of my career as a business reporter, I used to sit next to Faux when we were both part of Bloomberg’s corporate finance team, and listening to him report was always a delight. This story is no different. 

Tether is supposed to have one U.S. dollar backing each cryptocurrency it issues— hence, the stability. People use Tether to buy other crypto, like Bitcoin. The problem is this: Tether has issued 69 billion in its digital coins, which would put it in the same league as some of the largest banks, if it were a bank. Faux went around the world to find where the money backing the coins are, and got a glimpse. There is just too much to summarize here, but apparently its assets are in Chinese commercial paper and, uh, Bitcoin, which could be a problem if everybody starts to pull their money at once. 

From the story: 

After I returned to the U.S., I obtained a document showing a detailed account of Tether Holdings’ reserves. It said they include billions of dollars of short-term loans to large Chinese companies—something money-market funds avoid. And that was before one of the country’s largest property developers, China Evergrande Group, started to collapse. I also learned that Tether had lent billions of dollars more to other crypto companies, with Bitcoin as collateral…

Tether’s Chinese investments and crypto-backed loans are potentially significant. If Devasini is taking enough risk to earn even a 1% return on Tether’s entire reserves, that would give him and his partners a $690 million annual profit. But if those loans fail, even a small percentage of them, one Tether would become worth less than $1. Any investors holding Tethers would then have an incentive to redeem them; if others did it first, the money could dry up. The bank run would be on.

IN CASE YOU MISSED IT

Welcome to the TikTok economy by Jeffrey M. O’Brien

MGM wants full control of BetMGM if partner Entain sells to DraftKings, CEO says by Jeremy Kahn

Inside Substack, where authors are suddenly making serious money in the newsletter game—but it’s publish or perish by Jen Doll

Microsoft: Russia is behind 58% of detected state-sponsored hacks by Frank Bajak and the Associated Press

Ozy CEO Carlos Watson is a charismatic, obsessive, and demanding leader, say employees by Megan Leonhardt

Some of these stories require a subscription to access. Thank you for supporting our journalism.

BEFORE YOU GO

Lend me your ear. I picked on Coinbase CEO Brian Armstrong in the top section, and by the time I got around to writing this part, he’d taken to Twitter to complain about people being mean to him and other CEOs. In this instance, he is comparing criticism from people like me to the Chinese government, which has the power to send Alibaba co-founder Jack Ma off to relative isolation on an island or, you know, imprison practically the entire Uyghur population in concentration camps. Journalists, he grouses, are “putting something that gets too successful in its place,” which supposedly runs counter to American values. I suppose that, for a man whose interpretation of basic securities law were challenged by the Securities and Exchange Commission, that the two would look the same.