Belgian Security-Services Firm Agrees to Plead Guilty to U.S. Charges of Bid-Rigging, Customer Allocation, and Price-Fixing

In its enforcement of U.S. criminal antitrust laws, the Department of Justice has long focused on price-fixing, bid-rigging, and market allocation as “hard-core violations.” Since 2019, however, the Justice Department has intensified that focus with regard to federal procurement, through its creation of the Procurement Collusion Strike Force (PCSF).  The Department has described the PCSF as “a joint law enforcement effort to combat antitrust crimes and related fraudulent schemes that impact government procurement, grant, and program funding at all levels of government – federal, state and local.”  Last year, the Department expanded the ambit of the PCSF’s responsibilities with the creation of “PCSF: Global”, which it states is “designed to deter, detect investigate and prosecute collusive schemes that target government spending outside of the United States.”

On June 25, the Department announced, as the PCSF’s first international resolution, that a Belgian security-services firm, G4S Secure Solutions NV (G4S), had agreed to plead guilty for its role “in a conspiracy to rig bids, allocate customers, and fix prices for defense-related security services, including a multimillion-dollar contract issued in 2020 to provide security services to the U.S. Department of Defense for military bases and installations in Belgium.”  In a criminal information that it filed in U.S. District Court in Washington, D.C., the Department alleged that G4S had violated section 1 of the Sherman Act, which prohibits conspiracies in restraint of trade, by participating in a conspiracy between 2019 and 2020 with unspecified co-conspirators

to allocate security services contracts in Belgium among themselves and to determine the prices at which contracts would be bid. The contracts affected by the conspiracy include those for the U.S. Department of Defense and the North Atlantic Treaty Organization Communications and Information Agency, which is funded in part by the United States.

As part of a plea agreement with the Justice Department, G4S agreed to plead guilty to the information and to pay a $15 million criminal fine.  While the plea agreement is subject to court approval, the Department stated that “began cooperating with the United States in April 2020 and will continue to cooperate in the ongoing investigation.”

Observers of federal procurement law and policy should expect, that based on longstanding practice of the Department’s Antitrust Division in its criminal investigations, the Department will announce additional criminal resolutions with other firms that participated in the alleged conspiracy with G4S.  There is no set timetable for such resolutions, and the dates of the alleged conspiracy are quite recent.  No one should be surprised, therefore, if the Department does not announce additional plea agreements with other security firms for several months, if not a year or more.

European Commission Proposes Joint Cyber Unit to Respond to Major Cyberattacks

Since the start of 2020, there has been explosive growth in the number of sophisticated cyberattacks directed at public- and private-sector entities around the world.  Some of these attacks have been broadscale, such as the SolarWinds attack that successfully compromised approximately 100 companies (including leading high-tech companies such as Microsoft, Intel and Cisco and approximately a dozen U.S. government agencies (including the Departments of Defense, Energy, Justice, and the Treasury).  Others have been narrowly targeted, such as ransomware attacks directed at critical infrastructure companies including Colonial Pipeline and meat producer JBS.

Moreover, these cyberattacks are rapidly increasing the costs that governments and businesses must bear.  One recent report estimates that global cybercrime costs will increase by 15 percent per year over the next five years, reaching $10.5 trillion annually by 2025.

Although many of the widely reported cyberattacks focused on American targets, Europe is no less vulnerable to such attacks.  According to the European Union Agency for Cybersecurity (ENISA), in 2020 there were 304 significant malicious attacks against critical sectors in 2020 — more than twice as many as recorded in 2019 (146), and a 47 percent increase in cyberattacks on hospitals and health care networks.

The European Union (EU) has taken a variety of measures to provide closer coordination on cybercrime issues, such as Europol’s European Cybercrime Centre and the Joint Cybercrime Action Task Force.  But the speed and severity of recent cyberattacks, particularly when conducted by state actors confident of their impunity, make clear that closer coordination and information-sharing among EU Member States is essential to cope with such attacks.

In response to these developments, on June 23 the European Commission (EC) announced that it was proposing the creation of a new Joint Cyber Unit “to tackle the rising number of serious cyber incidents impacting public services, as well as the life of businesses and citizens across the European Union.”  First proposed by EC President Ursula von der Leyen in her Political Guidelines for 2019-2024, the Cyber Unit would constitute “a virtual and physical platform of cooperation” that would bring together cybersecurity communities (including civilian, law enforcement, diplomatic, and cyberdefense communities, as well as private sector partners) to “build progressively a European platform for solidarity and assistance to counter large-scale cyberattacks.”

The EC announcement stated that the Joint Cyber Unit would allow participants, who would be expected to contribute operational resources to the Unit, to share best-practice and real-time threat information:

It will also work at an operational and at a technical level to deliver the EU Cybersecurity Incident and Crisis Response Plan, based on national plans; establish and mobilise EU Cybersecurity Rapid Reaction Teams; facilitate the adoption of protocols for mutual assistance among participants; establish national and cross-border monitoring and detection capabilities, including Security Operation Centres (SOCs); and more.”

The EC also outlined “a gradual and transparent process” for building the new Unit, with the aim of moving the Unit to the operational phase by June 30, 2022 and full establishment by June 30, 2023.  ENISA is to serve as secretariat for the preparatory phase of the Unit, which reportedly will operate close to the Brussels offices of ENISA and the office of CERT-EU, the Computer Emergency Response Team for the EU institutions, bodies, and agencies.

Nation-state adversaries and cybercrime organizations are certain to maintain, if not to increase, the number and sophistication of their cyberattacks against European agencies and companies of all sizes.  For that reason, key European information-technology and industrial firms should actively support the Joint Cyber Unit and be prepared to provide the necessary operational resources to stand it up as early as possible.  As one EC official put it, the EU must prepare against “the nightmare scenario” that the Colonial Pipeline attack presented.  The faster that cyberattackers can infiltrate and compromise critical infrastructure, the faster that coordinated public-private responses to such attacks need to become.

Former Chief Operating Officer of Network Security Company Indicted for Conducting Cyberattack on Medical Center

It is common for companies and cybersecurity providers to talk about “cyber due diligence” as something that needs to be conducted in connection with pending mergers or acquisitions.  A 2020 survey of 1,000 executives at U.S. corporations and private equity investor firms found that cybersecurity threats were the respondents’ principal concern about executing a deal in a virtual environment.

Cyber due diligence, however, must be a year-round concern for companies as they engage external providers of cyber-related services.  Regrettably, a recent indictment that the U.S. Department of Justice obtained shows that companies cannot assume that the cybersecurity providers they engage are guaranteed to be trustworthy merely because they offer legitimate cybersecurity solutions.

On June 10, the Justice Department announced that on June 8, it had obtained an indictment in the Northern District of Georgia against Vikas Singla, the former chief operating officer of a metro-Atlanta network security company that served the health care industry, for allegedly conducting a cyberattack on Gwinnett Medical Center (GMC).  The alleged attack, which took place in 2018, was conducted, in part, for financial gain.

The indictment charges Singla with 17 counts of intentional damage to a protected computer and one count of obtaining information by computer from a protected computer.  It alleges that on September 27, 2018, Singla – aided by unknown others – intentionally caused damage to GMC computers that operated a GMC phone system and multiple printers, and obtained information from a Hologic digitizing device.

As the information regarding this indictment suggests, a company with an established working relationship with an external cybersecurity provider should maintain a “trust but verify” relationship between its internal information-security team and the external provider.  Any indications from the company’s intrusion-detection systems that the provider (or an employee thereof) is seeking to enter the company’s networks or systems without clear prior approval may require an immediate cyberdefense response that does not involve the provider.  By way of comparison, in GMC’s case GMC reportedly began investigating an unspecified security breach in 2018 after some of its patients’ data began appearing online. That investigation may have been what led to the Singla indictment.

Italian Police Disrupt Major Chinese Money-Laundering Operation

The war against money laundering, though hardly lost, has been for many years a global conflict, with many fronts whose exact contours are in constant flux.   One of the more enduring sectors along those fronts is China.  China not only is among the top 20 countries on the Basel Institute on Governance’s AML Risk Index, but has the world’s second-largest economy and largest population, and is the third-largest country in geographic size.  Its vast financial system comprises not only banking and financial markets, but a “shadow banking” system consisting of informal financial intermediaries, internal financing and trade credits, and coalitions among firms, investors, and local governments.

Unfortunately, the vastness of the Chinese economy and financial system has played an important role in China becoming what one recent report “the global hub for money laundering, not just for the Chinese but for criminals around the world.”

One example of Chinese connections to global money laundering came to light this week, as Italian authorities announced that they had successfully taken down “a complex money laundering operation and an illegal metal recycling business that had enabled criminals to transfer huge amounts of illicit cash between Italy and China.”  The police operation was the culmination of a three-year investigation that the anti-mafia prosecutor in Trieste coordinated.

The investigation revealed “a network of firms that between 2013 and 2021 sold around 150,000 tonnes of scrap metal, including copper, brass and aluminium, that came from various sources, circumventing environmental norms and evading taxes on deals estimated to be worth some €300 million (US$363 million).”  Companies in the Czech Republic and Slovenia reportedly produced falsified documents, showing that the material had been acquired in China, in order to make the metals look legitimate for end-users, and sent approximately €150 million (US$181 million) in deposits to Chinese banks as apparent payment to enhance the authenticity of the false documentation.

As part of their investigation, the Italian financial police used wiretapping, surveillance, and particularly micro-cameras.  Police surveillance operations showed, for example, that when the money was transmitted to China, certain Italian businessmen connected with the operation “received huge bundles of cash back in Italy. On one occasion, €200,000 in cash was handed over in a plastic shopping bag.”

To date, Italian police have placed 53 people under official investigation, made five arrests, and seized €66 million (US$80 million), but are continuing investigations, especially into the Chinese operations.

China certainly appears to be taking its domestic money laundering problem seriously.  Just this month, the Central Bank of China released a revised draft anti-money laundering (AML) law that would increase fines for certain offenses and expand the scope of the AML law’s coverage, and Chinese authorities reportedly arrested more than 1,100 people suspected of involvement in laundering proceeds of fraudulent schemes.

Nonetheless, the recent Italian police operation points up the need for expanded AML cooperation between Chinese and foreign law enforcement and regulatory agencies, and between leading Chinese and foreign financial institutions.  It also underscores the importance of financial firms’ AML compliance departments maintaining vigilance in identifying China-related international transactions that pose an elevated risk of money laundering.

European Public Prosecutor’s Office Begins Operations

For some time, the European Union has grappled with how best to combat financial crime directed at its budget.  As part of that effort, it has been making use of existing government bodies such as Europol (the EU’s law enforcement agency), Eurojust (the EU’s agency for criminal justice cooperation), and the European Anti-Fraud Office (OLAF) (the EU entity that investigates fraud against the EU budget, corruption, and serious misconduct within the European institutions and develops anti-fraud policy for the European Commission).

To date, however, the combined efforts of those agencies have not been making sufficient headway in combating crimes against the EU budget.  In 2019, the European Court of Auditors (ECA) issued a report that was highly critical of the European Commission’s (EC’s) existing approach to EU budget fraud.  Among other concerns, it found that between 2002 and 2016, frauds had taken at least €8.8 billion from the EU budget, and that OLAF’s administrative investigations had led to prosecution in fewer than half of its cases and resulted in recovery of less than one-third of the funds.

The ECA, however, also called attention to the creation of the European Public Prosecutor’s Office (EPPO), a new EU entity established in 2017 with powers to investigate and prosecute crimes against the EU’s financial interests.  The ECA called the EPPO’s establishment “a step in the right direction”, and noted that it would begin operations in 2020.

Although the setup of the EPPO took longer than initially expected, on June 1 the EPPO formally launched its operations at its offices in Luxembourg.   The EPPO’s mandate is “to investigate, prosecute and bring to judgment crimes against the EU budget, such as fraud, corruption or serious cross-border VAT fraud.”  As currently organized, the EPPO’s Chief Prosecutor is Laura Codruța Kövesi, the former chief prosecutor of Romania’s National Anticorruption Directorate and former Romanian Prosecutor General.  The remaining EPPO staff consists of two Chief Deputies and other prosecutors drawn from the 22 EU countries participating in the EPPO.  (Denmark, Ireland, Hungary, Poland and Sweden are not participating in the EPPO, although Sweden reportedly plans to join the EPPO in 2022.)

The EPPO already faces a considerable body of work, with some 3,000 cases already submitted to it.  According to Kövesi, the first new reports of alleged fraud against the EU budget, submitted from Germany and Italy, came in within hours of the EPPO’s online reporting system going “live.”

At the outset, Kövesi is evidently focusing on the use of EU funds for purposes other than their original intended purpose, corruption, and money laundering.  At the same time, she will need to manage public expectations about the EPPO’s progress and accomplishments with some care.  In a recent media interview, she acknowledged that the EPPO has no authority to pursue offenses committed in non-EU countries unless the alleged fraud has a clear connection with one of the 22 EPPO country participants.  As she put it, “We can look to see if there is a link with the member state… (but otherwise) it will depend on the national prosecutor and the European Anti-Fraud Office (OLAF). They will continue to be investigated by the national prosecutor.”  Some fairly early successes would certainly be helpful to the EPPO’s cause, but the complexity of the cases it will be pursuing makes quick successes unlikely.