The US government has filed a lawsuit against the Georgia Institute of Technology (Georgia Tech) and its affiliate Georgia Tech Research Corporation (GTRC) for alleged cybersecurity violations.
The Department of Justice (DoJ) has joined a whistleblower to file a “complaint-in-intervention” against the institutions for “knowingly” failing to implement cybersecurity controls as required by their Department of Defense (DoD) contract.
This contract related to research to be performed at Georgia Tech on behalf of the US government agency.
Christopher Craig and Kyle Koza, current and former members of Georgia Tech’s Cybersecurity team, initiated the whistleblower suit.
The case represents the first lawsuit under the DoJ’s Civil Cyber-Fraud Initiative, launched in October 2021 to hold government contractors and grantees accountable under the False Claims Act for failing to comply with regulatory or contractual cybersecurity requirements.
This act permits the US government to intervene and take over responsibility for litigating whistleblower cases.
Georgia Tech Accused of Numerous Cybersecurity Violations
The lawsuit alleges numerous severe cybersecurity violations by Georgia Tech’s Astrolavos Lab, a computer security group at the university.
The lab was accused of failing to develop and implement a system security plan as required by DoD regulations until at least February 2020. When it finally implemented a plan in February 2020, Georgia Tech allegedly failed to properly scope it to include all covered laptops, desktops, and servers.
Additionally, until December 2021, Astrolavos Lab allegedly failed to install, update or run anti-virus or anti-malware tools on its desktops, laptops, servers and networks.
The lawsuit claims that Georgia Tech approved the lab’s refusal to install anti-virus software to satisfy the demands of a professor who headed the lab.
This is despite the use of anti-virus and anti-malware tools being a DoD requirement and Georgia Tech’s policy.
The US government further alleged that in December 2020, Georgia Tech and the GTRC submitted a false cybersecurity assessment score to DoD for the Georgia Tech campus.
The submission of this score was a condition of contract award for Georgia Tech’s DoD contracts. However, the government believes the summary-level score of 98 submitted by Georgia Tech was false because:
- The institution did not have a campus-wide IT system
- The score was for a “fictitious” or “virtual” environment that did not apply to any covered contracting system at Georgia Tech.
Principal Deputy Assistant Attorney General Brian M. Boynton, Head of the DoJ’s Civil Division, commented: “Government contractors that fail to implement required cybersecurity controls fully jeopardize the confidentiality of sensitive government information.”
“The department’s Civil Cyber-Fraud Initiative was designed to identify such contractors and to hold them accountable,” he added.
Georgia Tech to “Vigorously Dispute” the Allegations
In a statement, Georgia Tech expressed its disappointment at the DoJ’s allegations and vowed to “vigorously dispute” them in court.
“This case has nothing to do with confidential information or protected government secrets. The government told Georgia Tech that it was conducting research that did not require cybersecurity restrictions, and the government itself publicized Georgia Tech’s groundbreaking research findings,” the university said.
“In fact, there was no information breach in this case, and no data leaked. Despite the misguided action by the Department of Justice, Georgia Tech remains committed to strong cybersecurity and continuing its collaborative relationship with the DoD and other federal agencies,” Georgia Tech added.
In November 2022, research commissioned by CyberSheath found that 87% of US defence contractors fail to meet basic cybersecurity regulation requirements.
Source:
https://www.infosecurity-magazine.com/news/georgia-tech-sued-cybersecurity