The U.S. government has filed a lawsuit against the Georgia Institute of Technology (Georgia Tech), alleging serious breaches of cybersecurity protocols. The legal action accuses Georgia Tech and its contracting arm, Georgia Tech Research Corporation (GTRC), of failing to safeguard controlled unclassified information (CUI) as required by Department of Defense (DoD) standards.
Whistleblower Revelations Spark Legal Action
The case stems from a whistleblower lawsuit initiated by former and current members of Georgia Tech’s cybersecurity team, Christopher Craig and Kyle Koza. On Thursday, the U.S. Department of Justice (DOJ) intensified the legal proceedings by filing a motion to sue on behalf of the DoD, the Air Force, and the Defense Advanced Research Projects Agency (DARPA). These whistleblowers claim that the Astrolavos Lab at Georgia Tech, a facility specializing in cybersecurity, failed to develop and implement a required security plan, as stipulated by the National Institute of Standards and Technology (NIST) Special Publication 800-171.
Allegations of Inadequate Cybersecurity Measures
The lawsuit alleges that between May 2019 and February 2020, the Astrolavos Lab did not establish a compliant cybersecurity plan. Even after a plan was finally put in place in February 2020, it was reportedly insufficient, failing to cover all essential devices like laptops and servers. Additionally, the university is accused of neglecting to install anti-malware software—a key cybersecurity measure—on its systems. The DOJ’s complaint highlights that Georgia Tech’s reluctance to deploy such software, reportedly influenced by a professor’s preferences, violated federal requirements and the university’s own policies.
Legal Framework and Cybersecurity Enforcement
This lawsuit employs the False Claims Act (FCA), a historical law designed to combat fraud among government contractors. The FCA has been applied to cyber-related cases since 2022 under the Civil Cyber-Fraud Initiative (CCFI), which targets entities failing to meet cybersecurity standards. Ryan K. Buchanan, the U.S. Attorney for the Northern District of Georgia, underscored the significance of cybersecurity compliance, stressing that contractors must meet these standards to protect U.S. information systems. The DOJ aims to hold accountable those who disregard cybersecurity requirements.
False Cybersecurity Assessment Claims
Another significant accusation in the lawsuit is that Georgia Tech and GTRC provided a fraudulent cybersecurity assessment score to the Pentagon in December 2020. They reportedly awarded themselves a high score of 98, which was later found to be based on inaccurate information. This score was supposedly derived from a “fictitious” assessment environment, casting doubt on its validity concerning actual DoD systems. Legal experts argue that Georgia Tech’s practices may result in FCA liability due to their alleged misinterpretation and misapplication of NIST standards.
Georgia Tech’s Response to the Lawsuit
Georgia Tech has denied the allegations, asserting that the DOJ’s claims misrepresent the university’s commitment to cybersecurity. Blair Meeks, a spokesperson for Georgia Tech, defended the institution, saying, “The complaint misrepresented Georgia Tech’s culture of innovation and integrity.” Meeks added that there was no breach of confidential information or government secrets, and emphasized that the research conducted was not subject to cybersecurity restrictions as per government guidance.
Significance of the Case
This lawsuit represents a pivotal moment in the enforcement of cybersecurity standards under the CCFI. Unlike previous cases that were settled out of court, this case is advancing through litigation, reflecting heightened scrutiny of cybersecurity compliance. The outcome could set a significant precedent for how cybersecurity requirements are enforced among organizations handling sensitive government information.