Legislation & Litigation , Standards, Regulations & Compliance
DOJ Lawsuit Accuses Georgia Tech of Cybersecurity Failures
New Lawsuit Alleges Georgia Tech Submitted 'False' Cybersecurity Score to DODThe United States intervened in a whistleblower lawsuit filed by current and former members of Georgia Tech's digital security team, accusing the institution and an affiliated research corporation of putting sensitive defense information into jeopardy by systemically ignoring cybersecurity regulations.
See Also: Five Ways to Reduce Your IT Audit Tax
The lawsuit alleges that Astrolavos Lab at the Georgia Institute of Technology failed to properly implement a system security plan as mandated by the Department of Defense for handling sensitive data.
Among the accusations: Astrolavos lab failed to install or run antivirus or anti-malware tools on its networks and submitted a knowingly false cybersecurity assessment score for its Atlanta campus.
"Government contractors that fail to fully implement required cybersecurity controls jeopardize the confidentiality of sensitive government information," Principal Deputy Assistant Attorney General Brian Boynton, who leads the Justice Department's civil division, said. Justice announced Thursday it was intervening to take over the case from whistleblowers Christopher Craig and Kyle Koza, who previously served as senior members of Georgia Tech's cybersecurity compliance team.
Federal contractors such as Georgia Tech are required to comply with well-defined cybersecurity requirements. Georgia Tech allegedly claimed it scored 98 out of 110 on a self-assessed cybersecurity evaluation despite not having a campuswide information technology system. Prosecutors called the score "false" and said the campus created a "fictitious" environment that "did not apply to any covered contracting system at Georgia Tech" responsible for handling government data.
"In fact, according to these employees, the score was 'not actually describing something that exists,'" the lawsuit says.
Georgia Tech said in a statement it was "extremely disappointed" by the Justice Department's intervention in the case, saying the lawsuit "has nothing to do with confidential information or protected government secrets."
"The government told Georgia Tech that it was conducting research that did not require cybersecurity restrictions, and the government publicized Georgia Tech's groundbreaking research findings," the statement says, adding that "there was no breach of information, and no data was leaked."
The government's intervention in the lawsuit comes amid a Justice Department push to hold entities responsible for jeopardizing U.S. information or systems by failing to provide adequate cybersecurity protections. The department launched the Civil Cyber-Fraud Initiative in 2021 to hold accountable organizations that misrepresent their cybersecurity operations and knowingly violate federal cybersecurity requirements.