DOJ Sues Georgia Tech Over Alleged Cybersecurity Violations in Defense Contracts
The US Department of Justice has filed a lawsuit against the Georgia Institute of Technology and its contracting entity, Georgia Tech Research Corporation (GTRC), for allegedly failing to meet cybersecurity requirements set by the Department of Defense for contract awardees. The legal action, initiated under the False Claims Act, marks the first case of its kind to reach the litigation stage.
The lawsuit stems from a whistleblower complaint filed in July 2022 by Christopher Craig and Kyle Koza, former senior members of Georgia Tech’s cybersecurity compliance team. The US government has since joined this suit and filed an additional complaint on behalf of the Defense Department, Air Force, and Defense Advanced Research Projects Agency.
According to the allegations, Georgia Tech’s Astrolavos Lab, responsible for cybersecurity issues affecting national security, failed to create and implement a security plan meeting DoD requirements between May 2019 and February 2020. Even after a plan was developed, it reportedly fell short of Pentagon regulations. The lab is also accused of failing to install anti-malware solutions on devices between May 2019 and December 2021, allegedly to accommodate the demands of the lab’s head professor.
Furthermore, both the university and GTRC are alleged to have submitted false cybersecurity assessment scores of 98 to the DoD in December 2020. The lawsuit claims this score was for a “fictitious” environment and did not apply to any actual covered contracting system at Georgia Tech.
The case is being pursued under the Civil Cyber-Fraud Initiative, launched by the DOJ to hold accountable entities that put US information or systems at risk through inadequate cybersecurity practices.
Georgia Tech spokesperson Blair Meeks expressed disappointment with the DOJ’s decision and said that the university will challenge the lawsuit. Meeks claimed that the government had initially indicated the research didn’t require special restrictions and that no data breaches have occurred.