The US government has filed a lawsuit against the Georgia Institute of Technology (Georgia Tech) and its affiliate Georgia Tech Research Corporation (GTRC) for alleged cybersecurity violations.
The Department of Justice (DoJ) has joined a whistleblower to file a “complaint-in-intervention” against the institutions for “knowingly” failing to implement cybersecurity controls as required by their Department of Defense (DoD) contract.
This contract related to research to be performed at Georgia Tech on behalf of the US government agency.
The whistleblower suit was initiated by current and former members of Georgia Tech’s Cybersecurity team, Christopher Craig and Kyle Koza.
The case represents the first lawsuit under the DoJ’s Civil Cyber-Fraud Initiative, launched in October 2021, to hold government contractors and grantees accountable for failing to comply with regulatory or contractual cybersecurity requirements under the False Claims Act.
This act permits the US government to intervene and take over responsibility for litigating whistleblower cases.
Georgia Tech Accused of Numerous Cybersecurity Violations
The lawsuit alleges numerous serious cybersecurity violations by Georgia Tech’s Astrolavos Lab, a computer security group at the university.
The lab was accused of failing to develop and implement a system security plan as required by DoD regulations until at least February 2020. When it finally implemented a plan in February 2020, Georgia Tech allegedly failed to properly scope that plan to include all covered laptops, desktops and servers.
Additionally, until December 2021, Astrolavos Lab allegedly failed to install, update or run anti-virus or anti-malware tools on its desktops, laptops, servers and networks.
The lawsuit claims that Georgia Tech approved the lab’s refusal to install anti-virus software to satisfy the demands of a professor who headed the lab.
This is despite the use of anti-virus and anti-malware tools being a DoD requirement as well as Georgia Tech’s own policy.
The US government further alleged that in December 2020 Georgia Tech and the GTRC submitted a false cybersecurity assessment score to DoD for the Georgia Tech campus.
The submission of this score was a condition of contract award for Georgia Tech’s DoD contracts. However, the government believes the summary level score of 98 submitted by Georgia Tech was false because:
- The institution did not actually have a campus-wide IT system
- The score was for a “fictitious” or “virtual” environment that did not apply to any covered contracting system at Georgia Tech
Principal Deputy Assistant Attorney General Brian M. Boynton, Head of the DoJ’s Civil Division, commented: “Government contractors that fail to fully implement required cybersecurity controls jeopardize the confidentiality of sensitive government information.”
“The department’s Civil Cyber-Fraud Initiative was designed to identify such contractors and to hold them accountable,” he added.
Georgia Tech to “Vigorously Dispute” the Allegations
In a statement issued by Georgia Tech, the university expressed its disappointment at the DoJ’s allegations and vowed to “vigorously dispute” them in court.
“This case has nothing to do with confidential information or protected government secrets. The government told Georgia Tech that it was conducting research that did not require cybersecurity restrictions, and the government itself publicized Georgia Tech’s groundbreaking research findings,” the university said.
“In fact, in this case, there was no breach of information, and no data leaked. Despite the misguided action by the Department of Justice, Georgia Tech remains committed to strong cybersecurity and continuing its collaborative relationship with the DoD and other federal agencies,” Georgia Tech added.
In November 2022, research commissioned by CyberSheath found that 87% of US defense contractors are failing to meet basic cybersecurity regulation requirements.