
Yiamastaverna


US Department of Justice sues Georgia Tech for cybersecurity failures

The US Department of Justice has filed a lawsuit against the Georgia Institute of Technology – better known as Georgia Tech – and its research company Georgia Tech Research Corp. It claims that the institute failed to meet essential cybersecurity requirements in contracts with the Department of Defense.

The complaint, filed in connection with a whistleblower lawsuit, accuses the defendants of violating the confidentiality of sensitive government information.

Failures at the Georgia Institute of Technology allegedly endanger national security

According to the lawsuit, the Astrolavos Lab at the Georgia Institute of Technology (Georgia Tech) failed to develop and implement a system security plan as required by Department of Defense (DoD) regulations. It was not until February 2020 that a proper plan was developed. Even after the plan was implemented, the lab allegedly failed to scope it properly and did not include all necessary equipment, including laptops, desktops, and servers.

In addition, the lab did not install and update antivirus and anti-malware tools on its devices, despite being required to do so by both federal law and Georgia Tech policy. At the request of the lab director, a professor, the lab was allowed to forgo installing antivirus software.

“Deficiencies in cybersecurity controls pose a significant threat not only to our national security, but also to the safety of the men and women of our armed forces who risk their lives every day,” said Special Agent in Charge Darrin K. Jones of the Department of Defense’s Office of Inspector General, Defense Criminal Investigative Service.

False reporting on cybersecurity

The lawsuit also alleges that Georgia Tech and its research firm submitted a false cybersecurity assessment score for the entire Georgia Tech campus to the Department of Defense in December 2020. The Department of Defense requires contractors to report summary scores reflecting their compliance with applicable cybersecurity requirements for systems used to store or access covered defense information.

However, the lawsuit alleges that the reported score of 98 is incorrect because Georgia Tech does not have a campus-wide IT system and the score was determined for a “fictitious” or “virtual” environment that does not represent an actual contract system.

“Government contractors that do not fully implement required cybersecurity controls put the confidentiality of sensitive government information at risk,” said Brian M. Boynton, assistant attorney general of the Justice Department’s Civil Division. “The Department’s Civil Division Cyber Fraud Initiative is designed to identify such contractors and hold them accountable,” he added.

Georgia Tech’s Responsibility and Consequences

The whistleblower lawsuit was filed by two former members of Georgia Tech’s cybersecurity compliance team under the False Claims Act, which allows private citizens to sue on behalf of the government for false claims and receive a share of any damages.

If found liable, Georgia Tech and its research company could face penalties of up to three times the government’s losses, plus applicable fines. The case is being handled by the Justice Department’s Civil Division and the U.S. Attorney’s Office for the Northern District of Georgia.

“Cybersecurity is not an optional add-on for government contractors – it is a fundamental requirement to protect sensitive information and systems,” said U.S. Attorney Ryan K. Buchanan for the Northern District of Georgia. “We will hold accountable those who ignore these critical security measures,” he added.
