
In an interesting turn of events, the Massachusetts-based defense contractor MORSECORP, Inc. has agreed to settle for $4.6 million over cybersecurity fraud allegations. The company, commonly known as MORSE, came under scrutiny for falsifying compliance with cybersecurity requirements in their contracts with the U.S. Army and Air Force. As reported by the U.S. Attorney's Office for the District of Massachusetts, the settlement includes an admission by MORSECORP of several facts detailing its non-compliance from January 2018 to February 2023. The company's oversight, or lack thereof, led to a significant gap between the cybersecurity provisions they claimed to enforce and the actual state of their digital defenses.
Among the acknowledged failures, MORSECORP admitted to the use of an email hosting company that did not meet the appropriate security standards. This third-party was tasked with managing sensitive communications without the necessary compliance with Federal Risk and Authorization Management Program Moderate baseline or the Department of Defense’s cyber incident reporting protocols. Statements obtained by the Department of Justice reveal that the company failed to fully implement controls that, if lacking, "could lead to significant exploitation of the network or exfiltration of controlled defense information," as well as other measures vital to securing network integrity.
Federal agencies are taking a strong standpoint against such negligence, with U.S. Attorney Leah B. Foley commenting, “Federal contractors must fulfill their obligations to protect sensitive government information from cyber threats." As outlined in the official press release, Foley expressed determination to hold contractors to their commitments to cybersecurity to "ensure that federal agencies and taxpayers get what they paid for." This stance also protects contractors who faithfully adhere to the rules from competitive disadvantage.
Federal law enforcement agencies perceive such failures as a direct threat to national security. Special Agent in Charge of the Department of the Army Criminal Investigation Division Fraud Field Office, Keith K. Kelly, stressed the importance of protecting the warfighter and maintaining the Army's operational readiness. In similar sentiment, Special Agent in Charge Patrick J. Hegarty of the Defense Criminal Investigative Service emphasized that failing to comply with DoD contract specifications "puts DoD information and programs at risk." These concerns highlight the serious consequences of not maintaining rigorous cybersecurity standards in defense contracting.
The settlement also addresses the contributions of a whistleblower, who, according to the Department of Justice, will receive an $851,000 share of the settlement amount. This resolution stems from a lawsuit filed under the whistleblower provisions of the False Claims Act, which allows private parties to sue on behalf of the government if they believe that a defendant has submitted false claims for government funds. In this case, the whistleblower's vigilance has led to a significant financial recovery and underscores the ongoing efforts of the U.S. government to safeguard its cyber assets amidst a landscape fraught with digital threats.