Georgia Tech and its subsidiary GTRC face federal cybersecurity lawsuit over alleged abuses

article

ATLANTA – The Georgia Institute of Technology and Georgia Tech Research Corporation are now the subject of a federal whistleblower complaint filed with the Justice Department, alleging that the institutions failed to comply with cybersecurity requirements under U.S. Department of Defense contracts. The complaint raises claims under the False Claims Act and federal common law.

GTRC, a subsidiary of Georgia Tech, is responsible for contracting with government agencies for work performed at Georgia Tech and its related entities. The U.S. complaint, filed Feb. 20, is part of a lawsuit brought by current and former members of Georgia Tech’s cybersecurity team.

“Compliance with cybersecurity rules by government contractors is critical to protecting U.S. information and systems from threats posed by malicious actors,” said U.S. Attorney Ryan K. Buchanan. “That’s why we expect contractors to comply with cybersecurity requirements in their contracts and awards, regardless of the size or type of organization or the number of contracts involved. Our office will hold contractors accountable for ignoring cybersecurity rules.”

Principal Assistant Attorney General Bryan Boynton of the Civil Division echoed Buchanan’s sentiment, emphasizing the risks posed by failure to comply with the rules. “Government contractors that fail to fully comply with and implement required cybersecurity controls jeopardize the security of sensitive government information and information systems and create unnecessary risks to national security,” Boynton said. “We will continue to pursue known cybersecurity violations through the department’s Civil Cyber ​​Fraud Initiative.”

The complaint alleges that Georgia Tech engaged in a pattern of noncompliance with federal cybersecurity regulations dating back to at least 2019. The complaint claims that Georgia Tech fostered a culture in which cybersecurity policies were routinely ignored as researchers resisted compliance measures.

One of the focal points of the lawsuit is Georgia Tech’s Astrolavos Lab. The complaint claims the lab failed to develop and implement a required system security plan from May 2019 to February 2020, and that when a plan was finally put in place, it was poorly defined and poorly monitored.

Additionally, the complaint alleges that from May 2019 to December 2021, Astrolavos Lab failed to install, update, or operate antivirus or anti-malware tools on its computers and networks, allegedly with Georgia Tech’s approval, in violation of federal requirements and the institution’s own policies.

The lawsuit also claims that Georgia Tech and GTRC submitted a fraudulent cybersecurity assessment score of 98 to the DoD in December 2020. The score was allegedly based on a fictional or virtual environment, unrelated to actual research activities or contracting systems at Georgia Tech.

This case marks the first litigation under the Justice Department’s Civil Cyber ​​Fraud Initiative, launched on October 6, 2021, to hold accountable those who knowingly violate cybersecurity obligations.

The whistleblower complaint was filed by Christopher Craig and Kyle Koza, former senior members of Georgia Tech’s cybersecurity compliance team. Under the False Claims Act, they may be entitled to a portion of the recovered funds. The law also allows the government to step in and take responsibility for the case, as it did in this case.

Georgia Tech released a statement in response to the lawsuit, writing:

“We are extremely disappointed by the Justice Department’s lawsuit, which misrepresents Georgia Tech’s culture of innovation and integrity. Their lawsuit is completely without merit, and we will vigorously defend it in court. This case has nothing to do with confidential information or protected government secrets. The government told Georgia Tech it was conducting research that did not require cybersecurity restrictions, and the government itself made public the findings of Georgia Tech’s groundbreaking research. In fact, in this case, there was no breach of information or data leak. Despite the Justice Department’s misguided action, Georgia Tech remains committed to strengthening cybersecurity and continuing our collaborative relationship with the Department of Defense and other federal agencies.”

The lawsuit, titled United States ex rel. Craig v. Georgia Tech Research Corp, et al., is being handled by the Justice Department’s Civil Division and the U.S. Attorney’s Office for the Northern District of Georgia.