Whistleblower Lawsuit Accuses Georgia Tech of Cybersecurity Failures in Defense Contracts

ATLANTA — The Georgia Institute of Technology and its affiliate, the Georgia Tech Research Corporation (GTRC), find themselves at the center of significant legal scrutiny as they face allegations of failing to adhere to cybersecurity mandates stipulated in U.S. Department of Defense contracts. The Department of Justice has initiated a whistleblower lawsuit against the institutions, claiming extensive violations of cybersecurity regulations that could have jeopardized national security.

The complaint, lodged under both the False Claims Act and federal common law, was spurred by claims from both current and former members of Georgia Tech’s cybersecurity team. Their grievances allege a consistent pattern of noncompliance with federal cybersecurity regulations that dates back to at least 2019. The U.S. government’s proactive stance reflects increasing vigilance against lapses in cybersecurity across its agencies and contractors, an issue brought sharply into focus with rising cyber threats globally.

U.S. Attorney Ryan K. Buchanan emphasized the critical nature of cybersecurity compliance. “Contractors must fully implement and abide by the cybersecurity requirements of their contracts,” Buchanan stated. “Our national security and the protection of sensitive information depend on it. We are committed to holding those who shirk these responsibilities accountable.”

The lawsuit details multiple instances where Georgia Tech allegedly failed to meet security standards. Among these, the Astrolavos Lab at Georgia Tech has been particularly spotlighted. From May 2019 to February 2020, the lab reportedly did not have a necessary system security plan in place. Further, it is accused of failing to install essential antivirus and anti-malware protection from May 2019 to December 2021, allegedly at the direction or with the approval of Georgia Tech.

In addition, it is alleged that in December 2020, Georgia Tech and GTRC falsely reported a cybersecurity assessment score of 98 to the Department of Defense, a score supposedly based on non-existent or virtual metrics not aligned with actual research activities or system operations at the school.

Bryan Boynton, Principal Deputy Assistant Attorney General of the Civil Division, supported these concerns, asserting, “Non-compliance by government contractors can introduce grave risks to our national security by leaving government information and systems vulnerable.”

The complaint also highlights purported internal resistance at Georgia Tech against adhering to cybersecurity protocols, hinting at a broader cultural issue within the institution where compliance was reportedly often sidelined or resisted.

In their defense, Georgia Tech issued a strong statement disputing the allegations. The university described the lawsuit as a mischaracterization of its values and procedural integrity, clarifying that there was no breach of sensitive information, nor was there any data leakage linked to the supposedly non-compliant activities. “We continue to dedicate ourselves to robust cybersecurity practices while maintaining our collaborative engagements with the Department of Defense and other federal bodies,” the statement noted.

This litigation inaugurates the Department of Justice’s Civil Cyber-Fraud Initiative, launched in October 2021, which aims to aggressively pursue and rectify cybersecurity violations by contractors.

The whistleblowers, identified as Christopher Craig and Kyle Koza, senior members of Georgia Tech’s cybersecurity team, initiated the suit and could be entitled to a portion of any financial recovery, per the False Claims Act’s qui tam provisions.

Overseeing the case are the Justice Department’s Civil Division and the U.S. Attorney’s Office for the Northern District of Georgia, marking a significant effort to address and uphold cybersecurity measures within federal contracting practices. The outcome of this lawsuit could set important precedents for how cybersecurity compliance is enforced in the vast network of U.S. federal contractors.