The U.S. Department of Justice has taken legal action against the Georgia Institute of Technology and Georgia Tech Research Corporation for allegedly providing false information about their cybersecurity measures in order to secure Department of Defense contracts. The DOJ’s involvement comes after current and former members of Georgia Tech’s cybersecurity team filed a whistleblower lawsuit, with additional allegations against the institution and its affiliate, GTRC.
The accusations include claims of submitting misleading cybersecurity risk assessment scores, inadequacies in system security plans, and a failure to install necessary antivirus tools. Specifically, Georgia Tech is accused of violating federal cybersecurity requirements and its own policies by neglecting to implement antivirus software. The lawsuit also points fingers at Dr. Emmanouil Antonakakis, a professor at the Astrolavos Lab, for contributing to the alleged security deficiencies.
According to the DOJ’s Civil Division principal deputy assistant attorney general Brian M. Boynton, contractors that fail to comply with cybersecurity controls put sensitive government information at risk. The Civil Cyber-Fraud Initiative aims to identify and hold accountable such contractors who do not meet the required standards.
The original whistleblower lawsuit was initiated by former cybersecurity team members Christopher Craig and Kyle Koza, highlighting Georgia Tech’s failure to develop and implement a system security plan as demanded by DOD regulations. The complaint alleges that even when a system security plan was eventually put in place in 2020, it was not comprehensive enough to cover all necessary devices and systems.
The DOJ’s complaint reveals that Georgia Tech has received billions of dollars in government contracts over the years and accuses GTRC of knowingly presenting false information to the government for payment approval. The lawsuit also states that Georgia Tech did not adhere to National Institute of Standards and Technology controls for all contracted systems, particularly referencing NIST SP 800-171 standards for defense contractor networks.
One of the most alarming allegations is that Georgia Tech and GTRC purposely misrepresented their cybersecurity posture by providing a false score of 98 out of 110 to the DOD. This misleading information was supposedly for a non-existent “campus-wide” IT system, highlighting a deliberate attempt to maintain contracts through falsified data.
Additionally, cybersecurity experts have weighed in on the significance of the DOJ’s legal action against Georgia Tech. They stress the importance of validating security claims, especially in the context of federal contracts, to ensure that organizations meet cybersecurity standards effectively. The case underscores the need for transparency and ongoing assessment to maintain cybersecurity integrity and prevent breaches or incidents.
Ultimately, the lawsuit against Georgia Tech serves as a reminder of the critical role that cybersecurity plays in government contracts and the repercussions of failing to uphold the necessary standards. By holding organizations accountable for their cybersecurity practices, the DOJ aims to strengthen overall security posture and prevent potential breaches that could compromise sensitive information.