Rocket maker agrees to pay $9 million to settle allegations of cybersecurity violations

Aerospace and defense firm Aerojet Rocketdyne announced late last week that it has agreed to pay $9 million to settle a whistleblower lawsuit accusing the company of cybersecurity violations in its contracts with the federal government.

The firm, headquartered in El Segundo, California, was sued in a California court by a former employee under the False Claims Act, which allows individuals to file a lawsuit on behalf of the U.S. government and receive a portion of any recovery.

According to the lawsuit, Brian Markus — who will receive $2.6 million of the payout — joined the firm in June 2014 as senior director of cybersecurity, compliance and controls. In that role, Markus said he was promised a budget of $10 million to $15 million and a staff of 5 to 10 employees and up to 25 contractors to improve the security of the company’s computer systems.

Markus alleged that, during his experience with Aerojet, he found the company wasn’t meeting cybersecurity requirements to be awarded contracts with the Department of Defense, NASA, or other federal government agencies. 

“[Markus] found that defendants were understaffed and under budgeted to provide the level of cyber security that was required by the federal acquisition regulations for contractors granted access to UCTI [unclassified controlled technical information] or SBU [sensitive but unclassified information] belonging to the federal government,” the complaint reads.

Among other things, Markus alleges that he was given a budget of $3.8 million and a staff of two employees and seven contractors. Additionally, the company gave the federal government misleading information about its cybersecurity practices — for example, Aerojet would say that it had certain security equipment, even if the equipment was in a box and not connected to its computer systems, according to the complaint.

One year after Markus was hired, he refused to verify that the company’s program complied with the government’s cybersecurity regulations, and reported the incident to the firm’s ethics hotline. He was terminated later that year, according to the complaint.

A spokesman for Aerojet, which is not admitting guilt as part of the settlement, declined to comment.

First of its kind

According to legal experts, the case marks the first time the qui tam — or whistleblower — provisions of the False Claims Act have been used to hold a company accountable for alleged cybersecurity fraud.

In October 2021, the Department of Justice announced a Civil Cyber-Fraud Initiative, which “aims to hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”

The DOJ encouraged other whistleblowers to report cybersecurity violations when the settlement was reached on Friday — the second day of the Markus and Aerojet trial.

“The qui tam action brought by Mr. Markus is an example of how whistleblowers can contribute to civil enforcement of cybersecurity requirements through the False Claims Act,” said Phillip Talbert, U.S. Attorney for the Eastern District of California.