- The Georgia Institute of Technology is being sued by the DOJ for failing to meet security guidelines set by the Department of Defense (DOD) for contract awardees.
- The first lawsuit was filed by two insiders, Christopher Craig and Kyle Koza, in 2022.
- This Thursday, the US government joined the lawsuit and also filed an additional suit on behalf of the Defense Department, the Air Force, and the Defense Advanced Research Projects Agency.
The US Justice Department is suing the Georgia Institute of Technology and its contracting entity Georgia Tech Research Corporation (GTRC) for failing to meet the cybersecurity guidelines set by the Department of Defense (DOD) for receiving contracts.
It started in July 2022 with a whistleblower suit brought by two insiders, Christopher Craig and Kyle Koza. They accused the university of failing to protect controlled unclassified information (CUI).
The US government joined this suit, and on Thursday, the DOJ filed an additional lawsuit, suing the university on behalf of the Defense Department, the Air Force, and the Defense Advanced Research Projects Agency.
About the Allegations
The issues were first recognized by Koza in 2018 and the first official allegation dates back to 2019.
For starters, between May 2019 and February 2020, Georgia Tech’s Astrolavos Lab (the group responsible for focusing on cybersecurity issues affecting national security) failed to create and implement a security plan that aligned with the DOD’s requirements.
Next, in February 2020, when the security plan was finally chalked out, it fell short of the requirements – it didn’t even include all the necessary security endpoints.
Not only that, but the university then failed to align the plan with the regulations imposed by the Pentagon even in the years that followed.
The other set of allegations concerns its failure to install antimalware solutions on the devices – between May 2019 and December 2021.
Not only did Astrolavos Lab fail to install antivirus software, but what’s absolutely bizarre is that this activity was also approved by the university just “to satisfy the demands of the professor that headed the lab.”
It’s important to note that installing antimalware solutions isn’t optional – it’s compulsory for all who have an agreement with the Pentagon. In fact, Georgia’s own internal policies mandate anti-malware installations, yet it was ignored.
Last but not least, both the university and the GTRC submitted false cybersecurity assessment scores in December 2020. Each of them provided a score of 98, which was later proved to be fraudulent.
What Happens Now?
The lawsuits are being filed under the False Claims Act (FCA) – a law designed to combat individuals or entities that knowingly risk or harm government programs – which is being utilized by the Civil Cyber-Fraud Initiative (CCFI).
This is a first-of-its-kind case because all other lawsuits were settled before they reached the litigation stage. Legal experts from O’Melveny who were analyzing the case said that given the accusations, it was “a textbook case of potential FCA liability predicated on alleged non‐compliance with NIST standards.”
The authorities are quite displeased by the university’s actions, considering what they have done puts the entire nation at risk and its consequences could also extend to all military personnel.
Darrin K Jones, Department of Defense Office of Inspector General, Defense Criminal Investigative Service (DCIS) said that contracts like these are sensitive and they put utmost trust in their contractors. In return, they’re expected to meet certain strict regulations, and failing to do so is inexcusable.
Georgia Tech’s Response
A representative for Georgia Tech University, Blair Meeks, said that they’re disappointed with the DOJ’s decision and will challenge it. According to her, this case has nothing to do with confidential information.
In fact, when the contract was handed over, the government apparently told the university that they were conducting research that didn’t require any special restrictions.
She also added that the government itself publicized the university’s findings – there have been no data leaks or breaches on their side. In short, this lawsuit is baseless.