
DOJ sues Georgia Tech over allegedly failing to meet cyber requirements for DOD contracts

The suit relies on a Civil War-era law that DOJ has increasingly turned to for cyber cases.

The Justice Department is suing the Georgia Institute of Technology and an affiliate company, claiming they failed to meet the cybersecurity standards required for obtaining Pentagon contracts.

The U.S. government had earlier joined a whistleblower suit brought by current and former members of Georgia Tech’s cybersecurity team, and on Thursday the DOJ filed an additional motion to sue on behalf of the Defense Department, the Air Force and the Defense Advanced Research Projects Agency.

In advancing the suit, the DOJ makes use of the False Claims Act, a Civil War-era law aimed at combatting shady contractors, which the department has used for cyber cases since 2022 under its Civil Cyber-Fraud Initiative.

“Specifically, the lawsuit alleges that until at least February 2020, the Astrolavos Lab at Georgia Tech failed to develop and implement a system security plan, which is required by DoD cybersecurity regulations, that set out the cybersecurity controls that Georgia Tech was required to put in place in the lab,” a release summarizing the complaint states. “Even when the Astrolavos Lab finally implemented a system security plan in February 2020, the lawsuit alleges that Georgia Tech failed to properly scope that plan to include all covered laptops, desktops, and servers.”


According to the lawsuit, the lab didn’t install anti-malware software on devices, and the university and affiliate company submitted a false cybersecurity assessment score to the Pentagon.

A spokesperson for Georgia Tech said the complaint “misrepresented Georgia Tech’s culture of innovation and integrity,” adding that the school was “disappointed” in the DOJ maneuver and would “vigorously dispute” it.

“This case has nothing to do with confidential information or protected government secrets,” said the spokesperson, Blair Meeks. “The government told Georgia Tech that it was conducting research that did not require cybersecurity restrictions, and the government itself publicized Georgia Tech’s groundbreaking research findings. In fact, in this case, there was no breach of information, and no data leaked.”

The two Georgia Tech whistleblowing personnel whose names are listed as plaintiffs, Kyle Koza and Christopher Craig, first filed their suit in 2022.

One whistleblower claimed that for years there was “no enforcement” of cybersecurity regulations at Georgia Tech, with the school prioritizing financial gain over compliance. The whistleblowers have also detailed their allegations in an interview.


“Cybersecurity compliance by government contractors is critical in safeguarding U.S. information and systems against threats posed by malicious actors,” U.S. Attorney Ryan K. Buchanan for the Northern District of Georgia said in a statement. “For this reason, we expect contractors to abide by cybersecurity requirements in their contracts and grants, regardless of the size or type of the organization or the number of contracts involved. Our office will hold accountable those contractors who ignore cybersecurity rules.”
