Georgia Tech Sued Over Alleged False Cybersecurity Reports to Win DoD Contracts


The US has intervened in a whistleblower suit brought against the Georgia Institute of Technology (Georgia Tech) and Georgia Tech Research Corporation (GTRC) over alleged failure to meet cybersecurity requirements imposed on Department of Defense (DoD) contractors.

In 2022, two whistleblowers, Christopher Craig and Kyle Koza, both formerly senior members of the defendants’ cybersecurity compliance team, sued Georgia Tech under the False Claims Act for submitting false summary level assessment scores to help win DoD contracts.

As DoD contractors, Georgia Tech and its affiliate GTRC are required to adhere to cybersecurity standards promulgated by the National Institute of Standards and Technology (NIST) for systems that handle covered defense information, but the complaint filed by the two whistleblowers alleges that the defendants failed to implement the required controls and misrepresented that failure to the DoD.

According to the complaint, since at least 2019 the two entities did not enforce the federal cybersecurity requirements attached to their DoD contracts, and instead deferred to the demands of researchers who brought in large government contracts.

The complaint also alleges that even the system security plan put in place in 2020 to satisfy the applicable DoD cybersecurity requirements did not cover all in-scope systems and was never updated as the regulations require.

Between May 2019 and December 2021, the complaint alleges, no security software was installed or maintained on the systems and networks of the Astrolavos Lab at Georgia Tech, in violation of both federal requirements and the university’s own internal policies.

“In connection with contracts that DoD entered into with GTRC on behalf of Georgia Tech, defendants were obligated to implement these and other cybersecurity controls at the Astrolavos Lab,” the Department of Justice notes.

Additionally, the complaint alleges that in December 2020 the defendants submitted a false and fraudulent cybersecurity assessment score for the Georgia Tech campus that did not reflect the actual state of compliance on the systems used to store or access covered defense information.


The defendants reported a summary level score of 98 (out of a maximum of 110 under the DoD’s NIST SP 800-171 assessment methodology). The lawsuit alleges the score was fraudulent because it described a fictitious environment not tied to any actual research at Georgia Tech, rather than the covered contractor systems the score was supposed to represent.

The whistleblower lawsuit was filed under the qui tam provisions of the False Claims Act, and the US has now intervened and is taking over responsibility for litigating the case. Entities found to have violated the act are liable for three times the government’s losses, plus civil penalties for each false claim.
