The US government has initiated a lawsuit against the Georgia Institute of Technology (Georgia Tech) and its affiliate, Georgia Tech Research Corporation (GTRC), for alleged cybersecurity violations.
The Department of Justice (DoJ) has partnered with a whistleblower to submit a “complaint-in-intervention” against these institutions for “knowingly” neglecting to enforce cybersecurity controls as mandated by their Department of Defense (DoD) contract.
This contract pertains to research conducted at Georgia Tech on behalf of a US government agency.
The whistleblower lawsuit was brought forth by members of Georgia Tech’s Cybersecurity team, Christopher Craig and Kyle Koza.
This case marks the first lawsuit filed under the DoJ’s Civil Cyber-Fraud Initiative, established in October 2021, aimed at holding government contractors accountable for not adhering to regulatory or contractual cybersecurity requirements as outlined in the False Claims Act.
This act allows the US government to intervene and take charge of litigating whistleblower cases.
Georgia Tech Faces Allegations of Multiple Cybersecurity Breaches
The lawsuit against Georgia Tech reveals serious cybersecurity violations attributed to its Astrolavos Lab, a computer security group within the university. Here are the main allegations:
- Failure to Develop a Security Plan: The lab allegedly did not create and implement a required system security plan as mandated by DoD regulations until at least February 2020. When a plan was finally developed, it reportedly did not cover all required devices, including laptops, desktops, and servers.
- Neglecting Anti-Virus Tools: Until December 2021, Astrolavos Lab apparently failed to install, update, or run anti-virus or anti-malware tools across its computers and networks.
- Approval of Non-Compliance: The lawsuit claims that Georgia Tech approved the lab’s decision to omit anti-virus software, which was reportedly influenced by a professor leading the lab. This decision contradicted both DoD requirements and Georgia Tech’s own policies.
- False Cybersecurity Assessment Score: In December 2020, Georgia Tech and GTRC allegedly submitted a misleading cybersecurity assessment score to the DoD for the campus. This score was necessary for contract awards related to their DoD work. The government contends that the reported score of 98 was inflated.
These allegations raise significant concerns about compliance with regulatory and contractual cybersecurity protocols, highlighting the critical importance of maintaining robust security measures in research institutions.
Georgia Tech Promises to “Vigorously Challenge” the Claims
In a statement from Georgia Tech, the university expressed disappointment regarding the allegations from the DoJ and pledged to “vigorously challenge” them in court.
The university clarified, “This case does not pertain to confidential information or protected government secrets. The government informed Georgia Tech that the research being conducted did not require cybersecurity restrictions, and it was the government that publicized Georgia Tech’s innovative research findings.”
“Importantly, there was no breach of information, and no data was leaked in this instance. Despite the unjust actions by the Department of Justice, Georgia Tech remains dedicated to maintaining robust cybersecurity and fostering its collaborative efforts with the DoD and other federal agencies,” the statement continued.
A November 2022 study conducted by CyberSheath revealed that 87% of US defense contractors are not meeting basic cybersecurity regulatory requirements.