An Ounce of Prevention is Worth Billions for a Cure
Were you stuck in an airport this summer when flights around the world were grounded by a security update by Crowdstrike that took out computers at airports, hospitals and financial institutions? Preliminary damage estimates from that incident are already more than $5.4 billion.
Or maybe you were impacted by the Change Healthcare hack that impacted healthcare payments all over the United States this spring? Since this private corporation processed massive numbers of Medicare claims, it impacted thousands of Medicare providers trying to get paid by the government for services provided to beneficiaries even though the hack was not on the government’s payment system. Preliminary damage estimates from that one are nearly triple the Crowdstrike number, more than $16 billion.
If you were lucky enough to avoid those, chances are you haven’t escaped the breach that may have compromised the social security number of every American. No estimates yet on damages from that one.
Although these three examples did not involve governmental entities, they nonetheless illustrate how all computer systems can be vulnerable, including the ones the federal government operates. An Executive Order issued in 2021 noted that “the security of software used by the Federal Government is vital to the Federal Government’s ability to perform its critical functions,” and “there is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended.” The next year, the White House highlighted that the federal government is increasingly reliant “on information and communications technology (ICT) products and services to carry out critical functions.”
These findings provide some context for the government’s Cyber Security Initiative, which includes pursuing False Claims Act liability for companies that falsely certify compliance with cyber security requirements. TAF Coalition talked to Sara MacLean, the Head of DOJ’s Cyber Task Force in 2022 on our Fraud in America podcast about this priority and how DOJ is welcoming whistleblowers to expose vulnerabilities in the government’s cyber security infrastructure.
How big is our government’s reliance on these software supply chains? Data from the Government Accountability Office (GAO) gives an important indicator. In FY2023, the fifth largest service procurement for agencies other than the Department of Defense was $10.2 billion in IT and Telecom – business application / application development support. We looked at GAO’s data in 2022 (reporting on FY 2021) and 2023 (reporting on FY 2022), and this is the first year IT and software support has broken in to the top five.
This is noteworthy not just for making the GAO’s “Top Five,” but also for the amount spent on these “critical functions.” If one botched update can lead to $5.4 Billion in damages and one hack can cost triple that, just imagine how many opportunities there are for vulnerability in $10.2 billion worth of services! It’s no wonder the government wants to prioritize the integrity of the IT services it’s buying. And it’s no stretch to expect the billions spent on business application and application development support are only going to increase in the years ahead.
Already whistleblowers are showing how they can keep the federal government running and avert economic catastrophes like we saw earlier this year with Crowdstrike and Change Healthcare. Relying on whistleblowers to alert the government to inadequate cyber security allows for a quick and relatively inexpensive fix. It is a proverbial ounce of prevention when we know it costs billions for a cure.
Kate Scanlan is a Founding Attorney at Keller Grover