Government Goes After Georgia Tech For Alleged Cybersecurity Violations
Last Thursday (August 22), the Department of Justice (DOJ) joined a whistleblower lawsuit alleging the Georgia Institute of Technology and Georgia Tech Research Corp. violated the False Claims Act by failing to meet cybersecurity requirements on certain Department of Defense contracts. The whistleblowers who originated the action were members of Georgia Tech’s cybersecurity team.
The lawsuit alleges multiple cybersecurity failures by Georgia Tech, which the government claims violated several Department of Defense regulations. According to the government’s Complaint:
- Georgia Tech’s Astrolavos Lab failed to develop and implement a system security plan that set out the cybersecurity controls Georgia Tech was required to put in place. And even after it finally did so, Georgia Tech failed to properly scope the plan to include all covered laptops, desktops, and servers.
- The Astrolavos lab failed to install, update, or run anti-virus or anti-malware tools on desktops, laptops, servers, and networks at the lab. To the contrary, Georgia Tech approved the lab’s refusal to install antivirus software, apparently to satisfy the demands of the professor who headed the lab.
- Georgia Tech provided the Department of Defense with a false cybersecurity assessment score, which was a basis for the underlying defense contracts. The score was false because Georgia Tech did not actually have a campus-wide IT system, and the score was for a “fictitious” or “virtual” environment that did not exist.
In the Complaint, the government paints a picture of an institution wanting to accommodate certain researchers who brought in lucrative government contracts but did not want to deal with cybersecurity compliance burdens. As several former employees described it, “the researchers who brought in significant government contracting money were considered the equivalent of ‘star quarterbacks’ and thus could use their ‘power on campus’ to push back against compliance with federal cybersecurity rules.” This apparently led to a culture of persistent noncompliance that would remain unchanged unless and until “an event has happened” such as “getting in trouble with the government.”
Going after cybersecurity fraud has been a high priority for DOJ since it launched its Cyber-Fraud Initiative in October 2021. The goal is to hold accountable those who put U.S. information or systems at risk by providing deficient cybersecurity products or services, misrepresenting cybersecurity practices or protocols, or breaching obligations to monitor and report cybersecurity incidents and breaches.
In announcing this latest action, the government stressed its continued commitment to go after these kinds of cybersecurity failures because of the serious risks they pose, especially when it comes to defense contractors:
Government contractors that fail to fully implement required cybersecurity controls jeopardize the confidentiality of sensitive government information. The department’s Civil Cyber-Fraud Initiative was designed to identify such contractors and to hold them accountable. [DOJ Civil Chief Brian M. Boynton]
Cybersecurity compliance by government contractors is critical in safeguarding U.S. information and systems against threats posed by malicious actors. For this reason, we expect contractors to abide by cybersecurity requirements in their contracts and grants, regardless of the size or type of the organization or the number of contracts involved. [U.S. Attorney Ryan K. Buchanan]
Deficiencies in cybersecurity controls pose a significant threat not only to our national security, but also to the safety of the men and women of our armed services who risk their lives daily. As force multipliers, we place a substantial amount of trust in our contractors and expect them to meet the strict standards our service members deserve. [Defense Department OIG Special Agent Darrin K. Jones]
Christopher Craig and Kyle Koza, who were previously senior members of Georgia Tech’s cybersecurity compliance team, filed the original action under the qui tam provisions of the False Claims Act. The Act allows whistleblowers to bring lawsuits on the government’s behalf against those committing fraud against the government. In return, they are entitled to a significant portion of any government recovery. These types of actions have resulted in tens of billions of dollars in government recoveries over the past thirty years, with whistleblowers recovering billions of dollars in rewards.
If you have information about potential cybersecurity violations or other areas of fraud against the government and would like to learn more about what it means to be a whistleblower, please don’t hesitate to contact us. We will put you in touch with an experienced member of our whistleblower team for a free and confidential consultation.