The U.S. Department of Justice has filed a lawsuit against the Georgia Institute of Technology – better known as Georgia Tech – and its research corporation, Georgia Tech Research Corp, alleging that the institute failed to meet essential cybersecurity requirements in contracts with the Department of Defense.
The complaint, which was filed in conjunction with a whistleblower suit, accuses the defendants of compromising the confidentiality of sensitive government information.
Lapses at Georgia Tech Believed To Put National Security at Risk
According to the lawsuit, the Astrolavos Lab at Georgia Tech failed to develop and implement a system security plan, which is a requirement under Department of Defense (DoD) regulations, and didn’t develop a suitable plan until at least February 2020. Even after implementing the plan, the lab allegedly did not properly scope it to include all necessary equipment, including laptops, desktops, and servers.
Furthermore, the lab failed to install and update anti-virus and anti-malware tools on its devices, despite being required to do so by both federal law and Georgia Tech’s own policies. The lab had been allowed to bypass the installation of antivirus software at the request of the lab’s head, a professor.
Deficiencies in cybersecurity controls pose a significant threat not only to our national security, but also to the safety of the men and women of our armed services who risk their lives daily,” said Special Agent in Charge Darrin K. Jones of the DoD’s Office of Inspector General, Defense Criminal Investigative Service.
False Cybersecurity Reporting
The lawsuit also alleges that in December 2020, Georgia Tech and its research corporation submitted a false cybersecurity assessment score to the DoD for the entire Georgia Tech campus. DoD requires contractors to report summary-level scores reflecting their compliance with applicable cybersecurity requirements on systems used to store or access covered defense information.
However, the lawsuit claims the score of 98 that was reported was inaccurate, as Georgia Tech did not have a campus-wide IT system, and the score was for a ‘fictitious’ or ‘virtual’ environment not representative of any actual covered contracting system.
“Government contractors that fail to fully implement required cybersecurity controls jeopardize the confidentiality of sensitive government information,” said Principal Deputy Assistant Attorney General Brian M. Boynton of the Justice Department’s Civil Division. “The department’s Civil Cyber-Fraud Initiative was designed to identify such contractors and to hold them accountable,” he added.
Georgia Tech Accountability and Consequences
The whistleblower lawsuit was filed by two former members of Georgia Tech’s cybersecurity compliance team under the False Claims Act, which allows private parties to sue on behalf of the government for false claims and receive a share of any recovery.
If found liable, Georgia Tech and its research corporation could face penalties of up to three times the government’s losses, plus applicable fines. The case is being handled by the Justice Department’s Civil Division and the U.S. Attorney’s Office for the Northern District of Georgia.
“Cybersecurity is not an optional add-on for government contractors – it is a fundamental requirement to protect sensitive information and systems,” said U.S. Attorney Ryan K. Buchanan for the Northern District of Georgia. We will hold accountable those who ignore these critical security measures,” he added.