Aerojet Rocketdyne has agreed to pay $9 million to resolve allegations raised by a whistleblower that the aerospace and defense manufacturer misled the federal government regarding its compliance with cybersecurity requirements in certain contracts.

The settlement, announced Friday, resolves a lawsuit brought by former Aerojet employee Brian Markus on behalf of the United States under the qui tam provisions of the False Claims Act. For his part, Markus will receive $2.6 million of the recovery.

Aerojet neither admitted nor denied the allegations raised in the lawsuit.

The details: Markus joined Aerojet in June 2014 as senior director of cybersecurity, compliance and controls, according to his complaint filed in September 2017. The company was a provider of propulsion and power systems for the Department of Defense (DOD), NASA, and other federal agencies, and was therefore required to comply with minimum cybersecurity standards in certain contracts subject to acquisition regulations.

In his role, Markus discovered the company wasn’t meeting the minimum cybersecurity requirements to be awarded DOD or NASA contracts, according to his complaint. He found Aerojet to be “understaffed and under budgeted” and regarded the state of the company’s computer systems as an indication that it hadn’t been in compliance with the requirements for years.

When Markus was asked to present to the parent company’s board on Aerojet’s cybersecurity compliance, his report indicating the system was “unpatched, misconfigured, outdated, and thus vulnerable to a cyberattack” was changed by the company’s leadership to conceal the deficiencies, he alleged. Markus’s complaint further contended reports from outside consultants reaffirming the issues at the company were either disregarded or ordered to be rewritten to reduce critical language.

In July 2015, Markus was asked to sign off on the program’s compliance with the government contract regulations. When he refused to do so, citing the alleged noncompliance with the cybersecurity requirements, the company’s Vice President and Chief Operating Officer Mark Tucker told him “it was not really a big deal” and that the government wouldn’t shut down their program, according to the complaint.

After Markus reported the incident to the company’s ethics hotline, he was terminated in September 2015, according to the complaint.

The case went to trial in April; Aerojet agreed to settle on the second day.

Aerojet declined to comment.

Compliance considerations: The case is acknowledged as the first to utilize the qui tam provisions of the False Claims Act to hold a company accountable for alleged cybersecurity fraud. The Justice Department in October 2021 announced it would use the False Claims Act to pursue cases of cybersecurity-related fraud by government contractors and grant recipients.

The agency’s Civil Cyber-Fraud Initiative seeks to “hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”

Of note, Markus’s complaint said Aerojet had promised him a budget of $10-15 million and a total staff of 30-35 employees to improve the company’s cybersecurity controls. Instead, he started with a budget of $3.8 million and a total staff of nine, which the complaint said contributed to the company’s alleged deficiencies.

“Whistleblowers with inside information and technical expertise can provide crucial assistance in identifying knowing cybersecurity failures and misconduct,” said Principal Deputy Assistant Attorney General Brian Boynton, head of the Justice Department’s Civil Division, in a press release.