DOJ sues Georgia Tech over failure to implement DOD-mandated cybersecurity measures

By Jacob Livesay / August 30, 2024 at 10:27 AM

The Justice Department has joined a whistleblower lawsuit against Georgia Institute of Technology and affiliate Georgia Tech Research Corp. for failing to implement cybersecurity requirements for defense contractors and submitting a false cyber assessment score to the Defense Department.

“Government contractors that fail to fully implement required cybersecurity controls jeopardize the confidentiality of sensitive government information,” Brian Boynton, head of the DOJ’s Civil Division, said in an Aug. 22 release.

Boynton said, “The department’s Civil Cyber-Fraud Initiative was designed to identify such contractors and to hold them accountable.”

The DOJ announced the launch of the Civil Cyber-Fraud Initiative in 2021 with the mission of using the False Claims Act to “pursue cybersecurity related fraud by government contractors and grant recipients,” according to a press release.

The latest release on the initiative details how the DOJ joined whistleblowers Christopher Craig and Kyle Koza, previous members of Georgia Tech’s cybersecurity compliance team, and filed a complaint-in-intervention against the university for its “failure since at least May 2019 (the relevant time period) to meet cybersecurity requirements of Department of Defense contracts.”

The lawsuit alleges the defendants “knowingly” fell short of DOD-mandated cyber requirements in National Institute of Standards and Technology Special Publication 800-171, including a failure to develop and implement system security plans, improper scoping of cyber controls and a lack of anti-virus and anti-malware tools on equipment used in a lab setting.

Further, Georgia Tech and GTRC allegedly “submitted a false cybersecurity assessment score to DOD for the Georgia Tech campus,” according to DOJ, in order to acquire their DOD contract.

The lawsuit highlights how Georgia Tech leadership allegedly enabled the fraud. It says, “With the tacit and, in some cases, explicit approval of senior leadership, Georgia Tech routinely bent on compliance with federal cybersecurity regulations and was undeterred by the risk of submitting ‘false claims’ to the federal government.”

It compares researchers who brought in federal contracts to “star quarterbacks,” arguing the research leaders used their power to “push back against compliance with federal cybersecurity rules.”

The university did not assess an IT system on which a campus lab “processed, stored, or transmitted sensitive DOD data,” the lawsuit says. “Instead of calculating and providing to DOD an accurate score for the Astrolavos Lab, Georgia Tech and GTRC provided DOD with a score for a ‘campus-wide’ IT system at Georgia Tech when no such campus-wide IT system existed.”

DOJ explains, “[T]he summary level score of 98 for the Georgia Tech campus that Georgia Tech and GTRC reported to DOD in December 2020 was false because Georgia Tech did not actually have a campus-wide IT system and the score was for a ‘fictitious’ or ‘virtual’ environment and did not apply to any covered contracting system at Georgia Tech that could or would ever process, store or transmit covered defense information.”

Support for the ongoing investigation of charges is being provided by “the DOD Office of Inspector General, Defense Criminal Investigative Service, Air Force Office of Special Investigations and Air Force Material Command,” according to DOJ.
