$9 million to be paid by Aerojet Rocketdyne in cybersecurity whistleblower case

In order to settle claims made by a whistleblower that the aerospace and defense manufacturer misled the federal government about its compliance with cybersecurity requirements in some contracts, Aerojet Rocketdyne has agreed to pay $9 million.

Former Aerojet employee Brian Markus filed the lawsuit under the False Claims Act's qui tam provisions, and it was resolved in a settlement announced on Friday. Markus will receive $2.6 million as his share of the recovery.


Aerojet neither admitted nor denied the claims made in the lawsuit.


According to his complaint submitted in September 2017, Markus joined Aerojet in June 2014 as senior director of cybersecurity, compliance, and controls. Because it supplied propulsion and power systems to the Department of Defense (DOD), NASA, and other federal agencies, the company was required to adhere to minimum cybersecurity standards in some contracts that were governed by acquisition regulations.


According to his complaint, Markus found that the business was not fulfilling the minimal standards for cybersecurity needed to receive contracts from the DOD or NASA. The condition of Aerojet's computer systems, in his opinion, was evidence that the company had been out of compliance with the rules for a long time. He found Aerojet to be "understaffed and under budgeted."



Markus claimed that when he was asked to present on Aerojet's cybersecurity compliance to the parent company's board, the company's leadership changed his report, which stated the system was "unpatched, misconfigured, outdated, and thus vulnerable to a cyberattack," in order to hide the flaws. Markus further complained that reports from outside consultants that confirmed the company's problems were either ignored or had to be rewritten to remove critical language.


In July 2015, Markus was asked to certify the program's compliance with the rules governing government contracts. According to the complaint, when he refused to do so and cited the purported noncompliance with the cybersecurity requirements, the company's Vice President and Chief Operating Officer Mark Tucker allegedly told him "it was not really a big deal" and that the government would not shut down their program.


Markus was fired in September 2015, the complaint claims, after he reported the incident to the business' ethics hotline.


In April, the case went to trial; on the second day, Aerojet agreed to settle.


Aerojet opted not to respond.


The case is recognized as the first to use the False Claims Act's qui tam provisions to hold a company liable for alleged cybersecurity fraud. In October 2021, the Justice Department declared that it would use the False Claims Act to pursue cases of cybersecurity-related fraud by grant recipients and government contractors.


In order to "hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches," the agency launched the Civil Cyber-Fraud Initiative.


Markus's claim that Aerojet promised him a budget of $10–15 million and a total workforce of 30–35 workers to enhance the business' cybersecurity controls is noteworthy. Instead, he began with a $3.8 million budget and nine employees, which contributed to the company's alleged shortcomings.


According to Principal Deputy Assistant Attorney General Brian Boynton, head of the Justice Department's Civil Division, "whistleblowers with inside information and technical expertise can provide crucial assistance in identifying knowing cybersecurity failures and misconduct."

By fLEXI tEAM