The Justice Department has initiated legal action against Georgia Tech University and an associated company, claiming non-compliance with cybersecurity standards required for Pentagon contracts. This comes on the heels of a whistleblower suit filed by current and former members of Georgia Tech’s cybersecurity team. The lawsuit, which involves the Defense Department, the Air Force, and the Defense Advanced Research Projects Agency, alleges that the university failed to implement necessary security protocols, potentially compromising sensitive information.
Earlier reports on Georgia Tech’s cybersecurity practices had accused the university of insufficient measures, but it had not previously faced such a rigorous legal challenge. The latest motion by the DOJ relies on the False Claims Act, a law dating back to the Civil War, which has been increasingly applied to cybersecurity cases since 2022 under the Civil Cyber-Fraud Initiative. This marks a significant escalation in the government’s approach to enforcing cybersecurity standards.
Allegations Against Georgia Tech
The lawsuit specifically targets the Astrolavos Lab at Georgia Tech, accusing it of failing to develop and implement a comprehensive system security plan as mandated by the Department of Defense’s cybersecurity regulations. The DOJ claims that even when a security plan was eventually put in place in February 2020, it did not adequately cover all necessary devices, such as laptops, desktops, and servers. Additionally, the lab allegedly did not install anti-malware software on its devices.
A statement from Georgia Tech disputed the allegations, asserting, “The complaint misrepresented Georgia Tech’s culture of innovation and integrity,” and expressed disappointment in the DOJ’s actions. Georgia Tech spokesperson Blair Meeks argued that the research in question did not necessitate cybersecurity restrictions and emphasized that “there was no breach of information, and no data leaked.”
Whistleblowers’ Claims
The two whistleblowers, Kyle Koza and Christopher Craig, initiated their lawsuit in 2022, claiming that Georgia Tech had not enforced cybersecurity regulations for years. They alleged that the university prioritized financial gain over compliance. Their actions have prompted further scrutiny and interviews, adding weight to the DOJ’s case.
U.S. Attorney Ryan K. Buchanan underscored the importance of cybersecurity compliance, stating, “Cybersecurity compliance by government contractors is critical in safeguarding U.S. information and systems against threats posed by malicious actors.” He emphasized that all contractors, regardless of their size or the number of contracts, are expected to adhere to these requirements.
The DOJ’s lawsuit against Georgia Tech underscores the increasing importance of cybersecurity in government contracts. The use of the False Claims Act for cyber cases reflects a broader strategy to ensure that contractors meet stringent security standards. This legal action is a clear signal to all contractors about the consequences of neglecting cybersecurity protocols.