The United States joined a whistleblower suit and filed a complaint-in-intervention against the Georgia Institute of Technology (Georgia Tech) and Georgia Tech Research Corp. (GTRC) asserting claims that those defendants knowingly failed to meet cybersecurity requirements in connection with the Department of Defense (DoD) contracts.
In May 2024 Congressional investigators criticized Georgia Tech’s use of its Department of Defense research institute to fund sensitive research with Tianjin University, which was placed on a U.S. government blacklist for stealing American technology with military applications. [12191]
The whistleblower suit was initiated by current and former members of Georgia Tech’s Cybersecurity team.
Specifically, the lawsuit alleges that until at least February 2020, the Astrolavos Lab at Georgia Tech failed to develop and implement a system security plan, which is required by DoD cybersecurity regulations, that set out the cybersecurity controls that Georgia Tech was required to put in place in the lab. Even when the Astrolavos Lab finally implemented a system security plan in February 2020, the lawsuit alleges that Georgia Tech failed to properly scope that plan to include all covered laptops, desktops, and servers.
Additionally, the lawsuit alleges until December 2021, the Astrolavos lab failed to install, update or run anti-virus or anti-malware tools on desktops, laptops, servers and networks at the lab. Instead, Georgia Tech approved the lab’s refusal to install antivirus software — in violation of both federal cybersecurity requirements and Georgia Tech’s own policies — to satisfy the demands of the professor who headed the lab.
The lawsuit further alleges that in December 2020 Georgia Tech and GTRC submitted a false cybersecurity assessment score to DoD for the Georgia Tech campus. DoD requires contractors to submit summary level scores reflecting the status of their compliance with applicable cybersecurity requirements on covered contracting systems that are used to store or access covered defense information. The submission of this score was a “condition of contract award” for Georgia Tech’s DoD contracts. The lawsuit alleges that the summary level score of 98 for the Georgia Tech campus that Georgia Tech and GTRC reported to DoD in December 2020 was false because (1) Georgia Tech did not actually have a campus-wide IT system and (2) the score was for a “fictitious” or “virtual” environment and did not apply to any covered contracting system at Georgia Tech that could or would ever process, store or transmit covered defense information.
The whistleblower lawsuit was filed by Christopher Craig and Kyle Koza, who were previously senior members of Georgia Tech’s cybersecurity compliance team, under the qui tam or whistleblower provisions of the False Claims Act, which allow private parties to file suit on behalf of the United States for false claims and to receive a share of any recovery. The act permits the United States to intervene and take over responsibility for litigating these cases, as it has done here. A defendant who violates the act is subject to liability for three times the government’s losses, plus applicable penalties.
On Oct. 6, 2021, Deputy Attorney General Lisa Monaco announced the department’s Civil Cyber-Fraud Initiative to hold accountable entities or individuals that put U.S information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols or knowingly violating obligations to monitor and report cybersecurity incidents and breaches. Information on how to report cyber fraud can be found here.
The case is captioned United States ex rel. Craig v. Georgia Tech Research Corp, et al., No. 1:22-cv-02698 (N.D. Ga.). Complaint
Comments
No comments on this item Please log in to comment by clicking here