Georgia Tech, affiliate GTRC hit with federal whistleblower cybersecurity lawsuit

The Georgia Institute of Technology and the Georgia Tech Research Corporation are now the subject of a federal whistleblower lawsuit filed by the Department of Justice claiming the institutions failed to meet cybersecurity requirements in connection with U.S. Department of Defense contracts. The lawsuit raises claims under the False Claims Act and federal common law.

GTRC, an affiliate of Georgia Tech, is responsible for contracting with government agencies for work performed at Georgia Tech and its related entities. The United States' complaint, filed on Feb. 20, is part of a whistleblower suit initiated by current and former members of Georgia Tech’s cybersecurity team. 

"Cybersecurity compliance by government contractors is critical in safeguarding U.S. information and systems against threats posed by malicious actors," said U.S. Attorney Ryan K. Buchanan. "For this reason, we expect contractors to abide by cybersecurity requirements in their contracts and grants, regardless of the size or type of the organization or the number of contracts involved. Our office will hold accountable those contractors who ignore cybersecurity rules." 

Principal Deputy Assistant Attorney General Bryan Boynton of the Civil Division echoed Buchanan's sentiment, emphasizing the risks posed by non-compliance. "Government contractors that fail to follow and fully implement required cybersecurity controls jeopardize the security of sensitive government information and information systems and create unnecessary risks to national security," Boynton said. "We will continue to pursue knowing cybersecurity-related violations under the Department’s Civil Cyber-Fraud Initiative." 

The lawsuit alleges that Georgia Tech has exhibited a pattern of non-compliance with federal cybersecurity regulations dating back to at least 2019. The complaint claims that Georgia Tech fostered a culture in which cybersecurity policies were routinely ignored, with researchers pushing back against compliance measures. 

One of the focal points of the lawsuit is the Astrolavos Lab at Georgia Tech. The lawsuit asserts that the lab failed to develop and implement a required system security plan from May 2019 to February 2020, and when a plan was eventually put in place, it was improperly scoped and inadequately monitored. 

Additionally, the lawsuit claims that from May 2019 until December 2021, the Astrolavos Lab did not install, update, or operate antivirus or anti-malware tools on its computers and networks, allegedly with Georgia Tech's approval, in violation of both federal requirements and the institution's own policies. 

The lawsuit also asserts that Georgia Tech and GTRC submitted a fraudulent cybersecurity assessment score of 98 to the DoD in December 2020. The score was reportedly based on a fictitious or virtual environment, not tied to any actual research activities or contracting systems at Georgia Tech. 

This case marks the first litigation under the Department of Justice's Civil Cyber-Fraud Initiative, which was launched on Oct. 6, 2021, to hold accountable those who knowingly violate cybersecurity obligations. 

The whistleblower suit was filed by Christopher Craig and Kyle Koza, former senior members of Georgia Tech’s cybersecurity compliance team. Under the False Claims Act's qui tam provisions, they may be entitled to a portion of any recovered funds. The act also allows the government to intervene and assume responsibility for the case, as it has done in this instance. 

Georgia Tech issued a statement in response to the lawsuit, writing:

"We are extremely disappointed by the Department of Justice’s filing, which misrepresents Georgia Tech’s culture of innovation and integrity. Their complaint is entirely off base, and we will vigorously dispute it in court. This case has nothing to do with confidential information or protected government secrets. The government told Georgia Tech that it was conducting research that did not require cybersecurity restrictions, and the government itself publicized Georgia Tech’s groundbreaking research findings. In fact, in this case, there was no breach of information, and no data leaked. Despite the misguided action by the Department of Justice, Georgia Tech remains committed to strong cybersecurity and continuing its collaborative relationship with the Department of Defense and other federal agencies." 

The lawsuit, titled United States ex rel. Craig v. Georgia Tech Research Corp, et al., is being handled by the Justice Department’s Civil Division and the U.S. Attorney’s Office for the Northern District of Georgia.