The U.S. Department of Justice has recently taken legal action against the prestigious Georgia Institute of Technology, also known as Georgia Tech, and its research corporation for allegedly failing to meet essential cybersecurity requirements outlined in contracts with the Department of Defense. The lawsuit, filed alongside a whistleblower suit, accuses the defendants of jeopardizing the confidentiality of sensitive government information, which could potentially put national security at risk.
According to the lawsuit, the Astrolavos Lab at Georgia Tech neglected to develop and implement a system security plan as mandated by Department of Defense regulations. It was revealed that the lab did not create a suitable security plan until February 2020, and when it finally did, the plan did not comprehensively cover all necessary equipment such as laptops, desktops, and servers. Moreover, the lab failed to install and update anti-virus and anti-malware tools on its devices, despite being obligated to do so by federal law and Georgia Tech’s internal policies.
The deficiencies in cybersecurity controls at the Astrolavos Lab are highlighted as a significant threat not only to national security but also to the safety of armed service members who rely on secure information systems in their daily operations. Special Agent in Charge Darrin K. Jones from the DoD’s Office of Inspector General emphasized the gravity of the situation, underscoring the potential risks posed by inadequate cybersecurity measures.
Additionally, the lawsuit accuses Georgia Tech and its research corporation of submitting a false cybersecurity assessment score to the Department of Defense in December 2020. The reported score of 98 was deemed inaccurate because it pertained to a campus-wide IT system that did not exist: a fictional or virtual environment that did not correspond to any actual contracting system holding defense information. Principal Deputy Assistant Attorney General Brian M. Boynton emphasized the importance of contractors fully implementing required cybersecurity controls to safeguard sensitive government data.
The whistleblower lawsuit, initiated by two former members of Georgia Tech’s cybersecurity compliance team under the False Claims Act, could result in severe penalties for the institute and its research corporation. Potential consequences include penalties of up to three times the government’s losses, in addition to applicable fines. The case, currently under the purview of the Justice Department’s Civil Division and the U.S. Attorney’s Office for the Northern District of Georgia, underscores the non-negotiable nature of cybersecurity compliance for government contractors.
U.S. Attorney Ryan K. Buchanan for the Northern District of Georgia reiterated the critical importance of cybersecurity measures for protecting sensitive information and systems. He affirmed the commitment to holding accountable those who neglect such fundamental security protocols, emphasizing the gravity of the issue at hand. As the legal proceedings unfold, the spotlight remains on Georgia Tech’s accountability and the potential ramifications of its alleged failure to adhere to essential cybersecurity standards.
