Free Republic
Browse · Search
General/Chat
Topics · Post Article

Skip to comments.

United States Files Suit Against the Georgia Institute of Technology and Georgia Tech Research Corporation Alleging Cybersecurity Violations
justice.gov ^ | August 22, 2024 | justice.gov

Posted on 08/23/2024 2:58:16 PM PDT by ransomnote

The United States joined a whistleblower suit and filed a complaint-in-intervention against the Georgia Institute of Technology (Georgia Tech) and Georgia Tech Research Corp. (GTRC) asserting claims that those defendants knowingly failed to meet cybersecurity requirements in connection with the Department of Defense (DoD) contracts. GTRC is an affiliate of Georgia Tech that contracts with government agencies for work to be performed at Georgia Tech. The whistleblower suit was initiated by current and former members of Georgia Tech’s Cybersecurity team.

“Government contractors that fail to fully implement required cybersecurity controls jeopardize the confidentiality of sensitive government information,” said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division. “The department’s Civil Cyber-Fraud Initiative was designed to identify such contractors and to hold them accountable.”

Specifically, the lawsuit alleges that until at least February 2020, the Astrolavos Lab at Georgia Tech failed to develop and implement a system security plan, which is required by DoD cybersecurity regulations, that set out the cybersecurity controls that Georgia Tech was required to put in place in the lab. Even when the Astrolavos Lab finally implemented a system security plan in February 2020, the lawsuit alleges that Georgia Tech failed to properly scope that plan to include all covered laptops, desktops, and servers.

Additionally, the lawsuit alleges until December 2021, the Astrolavos lab failed to install, update or run anti-virus or anti-malware tools on desktops, laptops, servers and networks at the lab. Instead, Georgia Tech approved the lab’s refusal to install antivirus software — in violation of both federal cybersecurity requirements and Georgia Tech’s own policies — to satisfy the demands of the professor who headed the lab.

The lawsuit further alleges that in December 2020 Georgia Tech and GTRC submitted a false cybersecurity assessment score to DoD for the Georgia Tech campus. DoD requires contractors to submit summary level scores reflecting the status of their compliance with applicable cybersecurity requirements on covered contracting systems that are used to store or access covered defense information. The submission of this score was a “condition of contract award” for Georgia Tech’s DoD contracts. The lawsuit alleges that the summary level score of 98 for the Georgia Tech campus that Georgia Tech and GTRC reported to DoD in December 2020 was false because (1) Georgia Tech did not actually have a campus-wide IT system and (2) the score was for a “fictitious” or “virtual” environment and did not apply to any covered contracting system at Georgia Tech that could or would ever process, store or transmit covered defense information.

“Cybersecurity compliance by government contractors is critical in safeguarding U.S. information and systems against threats posed by malicious actors,” said U.S. Attorney Ryan K. Buchanan for the Northern District of Georgia. “For this reason, we expect contractors to abide by cybersecurity requirements in their contracts and grants, regardless of the size or type of the organization or the number of contracts involved. Our office will hold accountable those contractors who ignore cybersecurity rules.”

“Deficiencies in cybersecurity controls pose a significant threat not only to our national security, but also to the safety of the men and women of our armed services who risk their lives daily,” said Special Agent in Charge Darrin K. Jones of the DoD's Office of Inspector General, Defense Criminal Investigative Service (DCIS), Southeast Field Office. “As force multipliers, we place a substantial amount of trust in our contractors and expect them to meet the strict standards our service members deserve.”

The whistleblower lawsuit was filed by Christopher Craig and Kyle Koza, who were previously senior members of Georgia Tech’s cybersecurity compliance team, under the qui tam or whistleblower provisions of the False Claims Act, which allow private parties to file suit on behalf of the United States for false claims and to receive a share of any recovery. The act permits the United States to intervene and take over responsibility for litigating these cases, as it has done here. A defendant who violates the act is subject to liability for three times the government’s losses, plus applicable penalties.   

On Oct. 6, 2021, Deputy Attorney General Lisa Monaco announced the department’s Civil Cyber-Fraud Initiative to hold accountable entities or individuals that put U.S information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols or knowingly violating obligations to monitor and report cybersecurity incidents and breaches. Information on how to report cyber fraud can be found here.

Senior Trial Counsel Jake M. Shields of the Justice Department's Civil Division and Assistant U.S. Attorneys Adam D. Nugent and Melanie D. Hendry for the Northern District of Georgia are handling the matter.

The case is captioned United States ex rel. Craig v. Georgia Tech Research Corp, et al., No. 1:22-cv-02698 (N.D. Ga.). Investigative support is being provided by the DoD Office of Inspector General, Defense Criminal Investigative Service, Air Force Office of Special Investigations and Air Force Material Command.

The claims alleged by the United States are allegations only. There has been no determination of liability.

Updated August 23, 2024

Topic
False Claims Act
Components

Press Release Number: 24-1044



TOPICS: Miscellaneous
KEYWORDS:

1 posted on 08/23/2024 2:58:16 PM PDT by ransomnote
[ Post Reply | Private Reply | View Replies]

To: sauropod

Review


2 posted on 08/23/2024 3:03:09 PM PDT by sauropod ("This is a time when people reveal themselves for who they are." James O'Keefe Ne supra crepidam)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ransomnote

Interesting. If the lab was setup with Linux machines then the professor is correct that the anti-virus software would be worthless vs a proper security scheme.

That said, they cheated the government.


3 posted on 08/23/2024 3:07:23 PM PDT by Skywise
[ Post Reply | Private Reply | To 1 | View Replies]

To: ransomnote

Isn’t GTRI an FFRD?


4 posted on 08/23/2024 3:50:02 PM PDT by Theophilus (covfefe)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Theophilus

I worked for GTRI for nearly 30 years after 8 years in the AF and getting my degree from GIT. This suit is NOT against GTRI as I read it. It is for the Georgia Institute of Technology as a whole. The laboratory in question and contracts were to the university, not GTRI. BTW, GTRI is not an FFRD; it operates more as an FCRC (Federally Contracted Research Center).

The contracts for GIT and GTRI go through two different contracting organizations. GTRC (Georgia Tech Research Corporation) for the university and GTARC (Georgia Tech Applied Research Corporation) for GTRI. They are used to bypass the normal state entity contracting organization, DOAS (Department of Administrative Services), because it is so SLOW.

Together, GTRI and GIT pull in nearly a billion dollars in research contracting, roughly half and half when I retired. So we’re talking hundreds of millions that GIT is on the hook for with this. It is likely the DOJ will win, at least on those contracts specifically awarded to ASTROLAVOS Laboratory. All because the director didn’t want to deal with the hassle of the security requirements. He’s in deep, deep do-do right now, I’d imagine. And those two cyber security whistleblowers stand to get a very hefty reward on the funds ‘recovered/disallowed.’


5 posted on 08/24/2024 12:20:59 AM PDT by Gaffer
[ Post Reply | Private Reply | To 4 | View Replies]

To: Gaffer

They are probably using this to make an example. CMMC is hard and getting harder.


6 posted on 08/24/2024 1:52:17 PM PDT by Theophilus (covfefe)
[ Post Reply | Private Reply | To 5 | View Replies]

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
General/Chat
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson