The US government has filed a lawsuit against the Georgia Institute of Technology (Georgia Tech) and its affiliate Georgia Tech Research Corporation (GTRC) for alleged cybersecurity violations.
The Department of Justice (DoJ) has joined a whistleblower to file a “complaint-in-intervention” against the institutions for “knowingly” failing to implement cybersecurity controls as required by their Department of Defense (DoD) contract.
This contract related to research to be performed at Georgia Tech on behalf of the US government agency.
Christopher Craig and Kyle Koza, current and former members of Georgia Tech’s Cybersecurity team, initiated the whistleblower suit.
The case represents the first lawsuit under the DoJ’s Civil Cyber-Fraud Initiative, launched in October 2021, to hold government contractors and grantees accountable under the False Claims Act for failing to comply with regulatory or contractual cybersecurity requirements.
This act permits the US government to intervene and take over responsibility for litigating whistleblower cases.
Georgia Tech Accused of Numerous Cybersecurity Violations
The lawsuit alleges numerous severe cybersecurity violations by Georgia Tech’s Astrolavos Lab, a computer security group at the university.
The lab was accused of failing to develop and implement a system security plan as required by DoD regulations until at least February 2020. When it finally implemented a plan in February 2020, Georgia Tech allegedly failed to properly scope it to include all covered laptops, desktops, and servers.
Additionally, until December 2021, Astrolavos Lab allegedly failed to install, update or run anti-virus or anti-malware tools on its desktops, laptops, servers and networks.
The lawsuit claims that Georgia Tech approved the lab’s refusal to install anti-virus software to satisfy the demands of a professor who headed the lab.
This is despite the use of anti-virus and anti-malware tools being a DoD requirement and Georgia Tech’s policy.
The US government further alleged that in December 2020, Georgia Tech and the GTRC submitted a false cybersecurity assessment score to DoD for the Georgia Tech campus.
The submission of this score was a condition of contract award for Georgia Tech’s DoD contracts. However, the government believes the summary level score of 98 submitted by Georgia Tech was false because:
- The institution did not have a campus-wide IT system.
- The score was for a “fictitious” or “virtual” environment that did not apply to any covered contracting system at Georgia Tech.
Principal Deputy Assistant Attorney General Brian M. Boynton, Head of the DoJ’s Civil Division, commented: “Government contractors that fail to implement required cybersecurity controls fully jeopardize the confidentiality of sensitive government information.”
“The department’s Civil Cyber-Fraud Initiative was designed to identify such contractors and to hold them accountable,” he added.
Georgia Tech to “Vigorously Dispute” the Allegations
In a statement, Georgia Tech expressed its disappointment at the DoJ’s allegations and vowed to “vigorously dispute” them in court.
“This case has nothing to do with confidential information or protected government secrets. The government told Georgia Tech that it was conducting research that did not require cybersecurity restrictions, and the government itself publicized Georgia Tech’s groundbreaking research findings,” the university said.
“In fact, there was no information breach in this case, and no data leaked. Despite the misguided action by the Department of Justice, Georgia Tech remains committed to strong cybersecurity and continuing its collaborative relationship with the DoD and other federal agencies,” Georgia Tech added.
In November 2022, research commissioned by CyberSheath found that 87% of US defence contractors fail to meet basic cybersecurity regulation requirements.
Source:
https://www.infosecurity-magazine.com/news/georgia-tech-sued-cybersecurity