The Department of Defense (DoD) has filed a lawsuit against the Georgia Institute of Technology (Georgia Tech) and Georgia Tech Research Corp. (GTRC), asserting that they failed to “develop and implement a system security plan” as required by their contracts with the DoD.
The U.S. has filed an additional motion to sue on the behalf of the DoD, the Air Force, and the Defense Advanced Research Projects Agency after joining a whistleblower suit brought by current and former members of Georgia Tech’s cybersecurity team. The lawsuit claims that the institution’s Astrolavos Lab plan that was eventually implemented in February 2020 failed to provide security across all laptops, desktops, and servers.
“Government contractors that fail to fully implement required cybersecurity controls jeopardize the confidentiality of sensitive government information,” said Brian M. Boynton, the principal deputy assistant attorney general and head of the Justice Department’s Civil Division. “The department’s Civil Cyber-Fraud Initiative was designed to identify such contractors and to hold them accountable.”
The government has filed its action under the False Claims Act – a statute from 1863 that serves as the main tool for the government to hold individuals and companies accountable for defrauding the government.
Christopher Craig and Kyle Koza, former senior members of Georgia Tech’s cybersecurity compliance team, filed the initial lawsuit in 2022 before the Department of Justice joined in early 2024.
Allegations include that until December 2021, the Astrolavos lab didn’t use anti-virus or anti-malware tools, despite Georgia Tech’s policies and requirements. The security lapse was allowed to meet the demands of the lab’s professor, the suit said.
The suit also claims that Georgia Tech and GTRC submitted a false and inaccurate cybersecurity assessment score to the DoD that was based on a non-existent system that didn’t manage any actual defense information.
In a written statement responding to the suit, Georgia Tech said that the lawsuit is “entirely off base,” that they are “extremely disappointed” with DoJ action, and that the suit misrepresents Georgia Tech’s “culture of innovation and integrity.”
“This case has nothing to do with confidential information or protected government secrets,” the statement reads. “The government told Georgia Tech that it was conducting research that did not require cybersecurity restrictions, and the government itself publicized Georgia Tech’s groundbreaking research findings.”
The lawsuit is the first piece of litigation in the DoJ’s Civil Cyber-Fraud Initiative, announced in 2021, which aims to hold entities accountable for deficient cybersecurity practices or misrepresentations.
“We expect contractors to abide by cybersecurity requirements in their contracts and grants, regardless of the size or type of the organization or the number of contracts involved,” said U.S. Attorney Ryan K. Buchanan for the Northern District of Georgia.
Investigative support is being provided by the DoD Office of Inspector General, Defense Criminal Investigative Service, Air Force Office of Special Investigations and Air Force Material Command.
