Defense contractor pays $9m to settle whistleblower's cybersecurity allegations

Former Aerojet Rocketdyne employee cites failure to meet minimums for NASA, Pentagon

Aerojet Rocketdyne, which makes propulsion and power systems for launch vehicles, missiles and satellites for NASA and the US military, has agreed to pay $9 million to settle charges it misrepresented its products' compliance with cybersecurity requirements in federal government contracts.

The El Segundo, California-based company has a deep history in American space and military contracting, including on long-term development efforts such as a hypersonic cruise missile design, recently tested by DARPA and manufactured by Aerojet Rocketdyne and Lockheed Martin.

The settlement stems from a five-year-old whistleblower lawsuit brought by former Aerojet employee Brian Markus. Federal district judge William Shubb last week approved [PDF] the out-of-court deal struck by the biz and Markus, who joined the defense contractor in 2014 as senior director of cybersecurity, compliance, and controls. He is set to receive a $2.61 million share of the False Claims Act recovery. 

In his 2017 complaint, Markus alleged the company's computer systems failed to meet minimum cybersecurity standards that the federal government requires for contracts funded by NASA and the Department of Defense.

Almost immediately upon being hired, Markus found Aerojet was understaffed and underbudgeted to meet federal cybersecurity rules, according to his lawsuit's complaint [PDF]. 

Markus alleged he was promised a budget of $10 million to $15 million to improve the corporation's IT security, along with an internal staff of five to 10 employees and an external staff of up to 25 contractors. Instead, Markus claimed he received a $3.8 million budget, two internal staffers and seven contractors.

Additionally, Aerojet's computer systems didn't comply with federal regulations, and when asked about cybersecurity, the defense firm "gave the government misleading information," the lawsuit alleged. Here's an excerpt from the 2017 complaint:

For example, they were asked if they had a certain piece of security equipment, they would say 'yes' even though the equipment was sitting in a box and not connected to their computer system. Defendants represented they had cybersecurity software/hardware installed to protect the systems when in reality the software/hardware in question only covered part of the environment, leaving defendants vulnerable to a cyberattack. In some cases, they claimed compliance only considering the primacy control and not the sub-controls, which were clearly not being met.

Aerojet hired outside consulting firm Emagined in 2014 to determine DFARS compliance, and according to the lawsuit that audit found the defense contractor was "less than 25 percent compliant." The consultancy's report also found it would cost more than $34.5 million over a five-year period to bring Aerojet's computer systems' into compliance, the court documents allege.

Markus claimed he then prepared a report for the company's board of directors, which showed the IT systems were "unpatched, misconfigured, outdated and thus vulnerable to a cyberattack." When the company's president Warren Boley got wind of the presentation, Boley allegedly changed it so the board wouldn't know that Aerojet's computers didn't comply with federal laws.  

A year later, in April 2015, Ernst & Young assessed Aerojet's vulnerability to cyberattacks, according to the lawsuit. 

"Within four hours the EY team was able to utilize vulnerabilities in defendants' computer systems to fully compromise the windows network and retrieve all defendants' user accounts and passwords," the lawsuit alleged. "Information accessed included the CEO and CFO's inbox and network files that included board strategy documents and merger and acquisition files and technical documents. Employee personal information was accessed including social security numbers and salary."

The EY team also accessed legal documents along with rocket design blueprints and other unclassified technical information, and remotely compromised the security cameras so they could view and listen to Aerojet's security camera footage, according to the court papers. 

Markus claimed that in July 2015, Aerojet COO Mark Tucker and CIO Jose Ruiz asked him to sign documents stating the defense contractor's computer systems complied with federal rules. He refused, and said two months later he was fired.

In canned statements about the settlement, US attorneys applauded Markus' actions.

Aerojet Rocketdyne (2021 net income: $142.8 million) did not respond to The Register's request for comment.

"Whistleblowers with inside information and technical expertise can provide crucial assistance in identifying knowing cybersecurity failures and misconduct," said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department's Civil Division. ®

Similar topics


Other stories you might like

Biting the hand that feeds IT © 1998–2022