Date: 2024-08-28

The U.S. Department of Justice is suing the Georgia Institute of Technology and Georgia Tech Research Corporation for allegedly lying about their cybersecurity posture to preserve lucrative Department of Defense contracts.

The DOJ announced on Friday that it joined a whistleblower lawsuit filed by current and former members of Georgia Tech's cybersecurity team. Defendants also include GTRC, an affiliate of Georgia Tech that contracts with government agencies such as the DOD for classified work conducted at the institution.

Allegations include false cybersecurity risk assessment score submissions, insufficient system security plans and Georgia Tech refusing to install, update or run antivirus tools. Additionally, it stated that a lack of antivirus tools violates federal cybersecurity requirements as well as Georgia Tech's own policies.

The DOJ also blamed Dr. Emmanouil Antonakakis, a professor at the school's Astrolavos Lab, for aiding in the alleged security shortcomings.

"Government contractors that fail to fully implement required cybersecurity controls jeopardize the confidentiality of sensitive government information. The department's Civil Cyber-Fraud Initiative was designed to identify such contractors and to hold them accountable," said Brian M. Boynton, principal deputy assistant attorney general at the DOJ's Civil Division, in the press release.

The original whistleblower lawsuit was filed by Christopher Craig and Kyle Koza, former senior members of Georgia Tech's cybersecurity compliance team, according to the DOJ. One major allegation highlighted in the lawsuit was the failure to develop and implement a system security plan as required by DOD regulations. Georgia Tech was hired in 2016 for work by the U.S. Air Force and the Defense Advanced Research Projects Agency, which involves developing emerging technologies for military use.

"Even when Astrolavos Lab finally implemented a system security plan in February 2020, the lawsuit alleges that Georgia Tech failed to properly scope that plan to include all covered laptops, desktops and servers," the press release read.

The complaint noted that government contracts over the years added up to billions of dollars for Georgia Tech. It also expanded on several allegations against the university. For example, the DOJ accused GTRC of "knowingly" presenting false materials to the U.S. government for payment or approval. GTRC employees allegedly falsified documents to ensure payments, even though the security posture was insufficient by U.S. standards.

The lawsuit also alleged that Georgia Tech did not follow required National Institute of Standards and Technology (NIST) controls for all contracted systems. NIST SP 800-171 sets standards for protecting sensitive data on defense contractor networks.

More alarmingly, the DOJ accused Georgia Tech and GTRC of intentionally submitting a false cybersecurity assessment score of 98 out of 110. According to the whistleblowers, Georgia Tech officials knowingly provided a score for a "fictitious" or "virtual" environment to maintain its contracts with the DOD.

"Instead of calculating and providing to DoD an accurate score for the Astrolavos Lab, Georgia Tech and GTRC provided DoD with a score for a 'campus-wide' IT system at Georgia Tech when no such campus-wide IT system existed," the complaint read. "At the time that Georgia Tech and GTRC submitted the false score to the United States, they were warned by their own employee, Rebecca Caravati, that providing the false score to the DoD would 'mislead' their government, be 'less than forthright', or constitute an outright 'misrepresentation' to the government."