The US government has filed a lawsuit against the Georgia Institute of Technology (Georgia Tech) and its subsidiary Georgia Tech Research Corporation (GTRC) for alleged cybersecurity violations.
The U.S. Department of Justice (DoJ) has joined a whistleblower in filing an “intervention complaint” against the institutions for “knowingly” failing to implement cybersecurity controls as required by their contract with the Department of Defense (DoD).
This contract related to research to be carried out at the Georgia Institute of Technology on behalf of the US government agency.
The whistleblower lawsuit was initiated by current and former members of Georgia Tech’s cybersecurity team, Christopher Craig and Kyle Koza.
The case is the first lawsuit filed under the U.S. Department of Justice’s Civil Cyber-Fraud Initiative, launched in October 2021, to target government contractors and grant recipients for failing to meet statutory or contractual cybersecurity requirements under the False Claims Act.
This law allows the U.S. government to intervene and take responsibility for litigating whistleblower cases.
Georgia Tech accused of numerous cybersecurity violations
The lawsuit accuses the Georgia Institute of Technology’s Astrovalos Lab, a university computer security group, of numerous serious cybersecurity violations.
The lab was accused of failing to develop and implement a systems security plan, as required by Department of Defense regulations, until at least February 2020. When Georgia Tech finally implemented such a plan in February 2020, it allegedly failed to define the scope of that plan to include all covered laptops, desktops and servers.
In addition, Astrolavos Lab is said to have failed to install, update, or run antivirus or anti-malware tools on its desktops, laptops, servers, and networks until December 2021.
The lawsuit alleges that Georgia Tech agreed to the lab’s refusal to install antivirus software in order to comply with the demands of a professor who ran the lab.
This despite the fact that the use of antivirus and anti-malware tools is both a requirement of the US Department of Defense and Georgia Tech’s own policy.
The U.S. government also alleged that Georgia Tech and the GTRC submitted an incorrect score to the Department of Defense for the Georgia Tech campus cybersecurity assessment in December 2020.
Submission of this score was a requirement for awarding Georgia Tech’s DoD contracts. However, the government believes that the overall score of 98 submitted by Georgia Tech was incorrect because:
- The institution did not have a campus-wide IT system
- The assessment referred to a “fictitious” or “virtual” environment that did not apply to any covered contract system at Georgia Tech
Brian M. Boynton, Assistant Attorney General and Director of the Justice Department’s Civil Division, said: “Government contractors that do not fully implement required cybersecurity controls put the confidentiality of sensitive government information at risk.”
“The Department’s Civil Cyber-Fraud Initiative is designed to identify and hold such contractors accountable,” he added.
Georgia Tech will “vigorously deny” the allegations
In a statement from Georgia Tech, the university expressed its disappointment with the Justice Department’s allegations and announced that it would “vigorously contest” them in court.
“This case has nothing to do with confidential information or protected government secrets. The government told Georgia Tech that this was research that did not require cybersecurity restrictions, and the government itself has made Georgia Tech’s groundbreaking research public,” the university said.
“In fact, there was no information breach in this case and no data was leaked. Despite the Department of Justice’s misguided actions, Georgia Tech remains committed to strong cybersecurity and continues to work with the Department of Defense and other federal agencies,” Georgia Tech added.
In November 2022, a study commissioned by CyberSheath found that 87% of U.S. defense contractors fail to meet basic cybersecurity regulatory requirements.
Photo credit: Chad Robertson Media / Shutterstock.com
