A company affiliated with the Georgia Institute of Technology agreed to pay $875,000 to the U.S. government to settle a case involving allegations that it knowingly failed to meet cybersecurity requirements for obtaining Pentagon contracts, the Justice Department announced Tuesday.
Two Georgia Tech whistleblowers who worked on the university’s cybersecurity team first filed suit in 2022 under the False Claims Act, a Civil War-era law aimed at combatting shady contractors. The Justice Department joined the suit two years later on behalf of the Defense Department, Air Force and Defense Advanced Research Projects Agency.
The settlement resolves the suit against Georgia Tech and Georgia Tech Research Corporation over allegations that they failed to install antivirus tools at Georgia Tech’s Astrolavos Lab while it conducted sensitive cyber-defense research for the Pentagon. The Justice Department also had said that Georgia Tech and the affiliate company submitted a false cybersecurity assessment score to the Defense Department.
“When contractors fail to follow the required cybersecurity standards in their DoD contracts, they leave sensitive government information vulnerable to malicious actors and cyber threats,” said Brett Shumate, assistant attorney general of the Justice Department’s Civil Division.
Under the settlement agreement, neither side concedes to the other over the allegations.
“From the outset, Georgia Tech denied the government’s allegations that mischaracterized our commitment to cybersecurity,” said a spokesperson for the university, Blair Meeks. “We worked hard to educate the government about the strong compliance efforts of our researchers and are pleased to avoid the distraction of litigation by resolving this matter without any admission of liability. Georgia Tech looks forward to continued collaboration with the Department of Defense and other federal partners in conducting ground-breaking research in a secure manner.”
The two sides first reached a tentative settlement agreement in May. The government will pay the two whistleblowers, Kyle Koza and Christopher Craig, $201,250 out of the settlement.
The Justice Department began using the False Claims Act in 2022 to punish contractors over cybersecurity shortcomings under its Civil Cyber-Fraud Initiative. It has since settled with a number of parties in those cases, including for $9 million with Aerojet Rocketdyne, $8.4 million with Raytheon and Nightwing, $4.6 million with MORSECORP and $4 million with Verizon Business Network Services.
