The United States joined a whistleblower suit and filed a complaint-in-intervention against the Georgia Institute of Technology (Georgia Tech) and Georgia Tech Research Corp. (GTRC) asserting claims that those defendants knowingly failed to meet cybersecurity requirements in connection with the Department of Defense (DoD) contracts. GTRC is an affiliate of Georgia Tech that contracts with government agencies for work to be performed at Georgia Tech. The whistleblower suit was initiated by current and former members of Georgia Tech’s Cybersecurity team.
“Government contractors that fail to fully implement required cybersecurity controls jeopardize the confidentiality of sensitive government information,” said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division. “The department’s Civil Cyber-Fraud Initiative was designed to identify such contractors and to hold them accountable.”
Specifically, the lawsuit alleges that until at least February 2020, the Astrolavos Lab at Georgia Tech failed to develop and implement a system security plan, which is required by DoD cybersecurity regulations, that set out the cybersecurity controls that Georgia Tech was required to put in place in the lab. Even when the Astrolavos Lab finally implemented a system security plan in February 2020, the lawsuit alleges that Georgia Tech failed to properly scope that plan to include all covered laptops, desktops, and servers.
Additionally, the lawsuit alleges until December 2021, the Astrolavos lab failed to install, update or run anti-virus or anti-malware tools on desktops, laptops, servers and networks at the lab. Instead, Georgia Tech approved the lab’s refusal to install antivirus software — in violation of both federal cybersecurity requirements and Georgia Tech’s own policies — to satisfy the demands of the professor who headed the lab.
The lawsuit further alleges that in December 2020 Georgia Tech and GTRC submitted a false cybersecurity assessment score to DoD for the Georgia Tech campus. DoD requires contractors to submit summary level scores reflecting the status of their compliance with applicable cybersecurity requirements on covered contracting systems that are used to store or access covered defense information. The submission of this score was a “condition of contract award” for Georgia Tech’s DoD contracts. The lawsuit alleges that the summary level score of 98 for the Georgia Tech campus that Georgia Tech and GTRC reported to DoD in December 2020 was false because (1) Georgia Tech did not actually have a campus-wide IT system and (2) the score was for a “fictitious” or “virtual” environment and did not apply to any covered contracting system at Georgia Tech that could or would ever process, store or transmit covered defense information.
“Cybersecurity compliance by government contractors is critical in safeguarding U.S. information and systems against threats posed by malicious actors,” said U.S. Attorney Ryan K. Buchanan for the Northern District of Georgia. “For this reason, we expect contractors to abide by cybersecurity requirements in their contracts and grants, regardless of the size or type of the organization or the number of contracts involved. Our office will hold accountable those contractors who ignore cybersecurity rules.”
“Deficiencies in cybersecurity controls pose a significant threat not only to our national security, but also to the safety of the men and women of our armed services who risk their lives daily,” said Special Agent in Charge Darrin K. Jones of the DoD’s Office of Inspector General, Defense Criminal Investigative Service (DCIS), Southeast Field Office. “As force multipliers, we place a substantial amount of trust in our contractors and expect them to meet the strict standards our service members deserve.”
The whistleblower lawsuit was filed by Christopher Craig and Kyle Koza, who were previously senior members of Georgia Tech’s cybersecurity compliance team, under the qui tam or whistleblower provisions of the False Claims Act, which allow private parties to file suit on behalf of the United States for false claims and to receive a share of any recovery. The act permits the United States to intervene and take over responsibility for litigating these cases, as it has done here. A defendant who violates the act is subject to liability for three times the government’s losses, plus applicable penalties.
On Oct. 6, 2021, Deputy Attorney General Lisa Monaco announced the department’s Civil Cyber-Fraud Initiative to hold accountable entities or individuals that put U.S information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols or knowingly violating obligations to monitor and report cybersecurity incidents and breaches. Information on how to report cyber fraud can be found here.
Senior Trial Counsel Jake M. Shields of the Justice Department’s Civil Division and Assistant U.S. Attorneys Adam D. Nugent and Melanie D. Hendry for the Northern District of Georgia are handling the matter.
The case is captioned United States ex rel. Craig v. Georgia Tech Research Corp, et al., No. 1:22-cv-02698 (N.D. Ga.). Investigative support is being provided by the DoD Office of Inspector General, Defense Criminal Investigative Service, Air Force Office of Special Investigations and Air Force Material Command.
The claims alleged by the United States are allegations only. There has been no determination of liability.
Discussion about this post