DOJ suit claims Georgia Tech ‘knowingly failed’ to meet cyber standards for DOD contracts
The Justice Department has joined onto a whistleblower lawsuit filed by two senior staffers on Georgia Tech’s cybersecurity compliance team that was filed in 2022.
The federal government is suing the Georgia Institute of Technology and an affiliated research organization over allegations that they “knowingly failed” to meet cybersecurity requirements for Pentagon contracts.
The Department of Justice said on Thursday that it joined onto a whistleblower lawsuit previously filed in 2022 against Georgia Tech and the Georgia Tech Research Corporation, filing a “complaint-in-intervention” against the entities.
The suit was originally brought by two senior staffers on Georgia Tech’s cybersecurity compliance team under provisions of the False Claims Act. DOJ’s Civil Cyber-Fraud Initiative has been using the law to crack down on contractors who lie about their cyber protections.
“Government contractors that fail to fully implement required cybersecurity controls jeopardize the confidentiality of sensitive government information,” Principal Deputy Assistant Attorney General Brian M. Boynton, who leads the DOJ's Civil Division, said in a statement. “The department’s Civil Cyber-Fraud Initiative was designed to identify such contractors and to hold them accountable.”
In a press release, DOJ alleged that the institutions committed numerous violations of the Department of Defense’s cybersecurity policy in the years prior to the whistleblower complaint.
Among the most serious allegations was the claim that “Georgia Tech and [Georgia Tech Research Corporation] submitted a false cybersecurity assessment score to DOD for the Georgia Tech campus” in December 2020.
DOD contractors are required “to submit summary level scores reflecting the status of their compliance with applicable cybersecurity requirements on covered contracting systems that are used to store or access covered defense information,” which was a “condition of contract award” for the university’s Pentagon agreement, according to the DOJ.
Although the two entities submitted a score of 98 for the Georgia Tech campus, the suit claimed this was false because the university lacked a campuswide IT system and that the score “was for a ‘fictitious’ or ‘virtual’ environment and did not apply to any covered contracting system at Georgia Tech that could or would ever process, store or transmit covered defense information.”
The lawsuit also asserted that the Astrolavos Lab at Georgia Tech previously “failed to develop and implement a system security plan, which is required by DOD cybersecurity regulations.” Once the security document was finally implemented in February 2020, the complaint said the university “failed to properly scope that plan to include all covered laptops, desktops and servers.”
Additionally, DOJ alleged that the Astrolavos Lab did not use any antivirus or antimalware programs on its devices until December 2021. The university reportedly allowed the lab to refuse the installation of the software “in violation of both federal cybersecurity requirements and Georgia Tech’s own policies” at the request of its director.
In a statement, Georgia Tech called the complaint “entirely off base” and said it “will vigorously dispute it in court.”
“This case has nothing to do with confidential information or protected government secrets,” the university added. “The government told Georgia Tech that it was conducting research that did not require cybersecurity restrictions, and the government itself publicized Georgia Tech’s groundbreaking research findings. In fact, in this case, there was no breach of information, and no data leaked.”