United States Files Suit Against the Georgia Institute of Technology and Georgia Tech Research Corporation Alleging Cybersecurity Violations

ATLANTA - The United States has filed a complaint-in-intervention against the Georgia Institute of Technology (Georgia Tech) and Georgia Tech Research Corporation (GTRC) raising claims under the False Claims Act and federal common law alleging that those defendants failed to meet cybersecurity requirements in connection with U.S. Department of Defense (DoD) contracts.

GTRC is an affiliate of Georgia Tech that contracts with government agencies for work to be performed at Georgia Tech and its related entities. On February 20, 2024, the United States intervened in a whistleblower suit brought by current and former members of Georgia Tech's cybersecurity team against Georgia Tech and GTRC.

"Cybersecurity compliance by government contractors is critical in safeguarding U.S. information and systems against threats posed by malicious actors," said U.S. Attorney Ryan K. Buchanan. "For this reason, we expect contractors to abide by cybersecurity requirements in their contracts and grants, regardless of the size or type of the organization or the number of contracts involved. Our office will hold accountable those contractors who ignore cybersecurity rules."

"Government contractors that fail to follow and fully implement required cybersecurity controls jeopardize the security of sensitive government information and information systems and create unnecessary risks to national security," said Principal Deputy Assistant Attorney General Bryan Boynton of the Civil Division. "We will continue to pursue knowing cybersecurity related violations under the Department's Civil Cyber-Fraud Initiative."

"Deficiencies in cybersecurity controls pose a significant threat not only to our national security, but also to the safety of the men and women of our armed services that risk their lives daily," said Special Agent-in-Charge Darrin K. Jones, Department of Defense Office of Inspector General, Defense Criminal Investigative Service (DCIS), Southeast Field Office. "As force multipliers, we place a substantial amount of trust in our contractors and expect them to meet the strict standards our service members deserve."

The United States' complaint alleges that, from at least as early as 2019 and extending for multiple years, Georgia Tech essentially had "no enforcement" of federal cybersecurity regulations in connection with DoD contracts and fostered a "culture of somebody up the line is going to overturn me . . . [so] I might as well go ahead and ignore the policy" with respect to cybersecurity compliance. Georgia Tech, the suit alleges, routinely acquiesced to the demands of "star researchers"-who were treated like "star quarterbacks" because they secured large government contracts-when those researchers "pushed back" on cybersecurity compliance because the researchers found it troublesome.

Specifically, the lawsuit alleges that from at least May 2019 until at least February 2020, the Astrolavos Lab at Georgia Tech failed to develop and implement a required system security plan that set out the cybersecurity controls that were put in place in the lab to comply with applicable DoD cybersecurity requirements. Nor, until August 2019 at the earliest, did Georgia Tech undertake to implement the required DoD cybersecurity controls at the lab the suit alleges. Even when the Astrolavos Lab finally implemented a system security plan in February 2020, the lawsuit alleges that Georgia Tech failed to properly scope that plan to include all covered laptops, desktops, and servers, and then in the ensuing years failed to monitor and update that plan as required by applicable cybersecurity rules and regulations.

Additionally, the lawsuit alleges that from at least as early as May 2019 until December 2021, the Astrolavos lab failed to install, update, or operate anti-virus or anti-malware tools on desktops, laptops, servers, and networks at the lab. Georgia Tech allegedly approved the lab's refusal to install antivirus software-in violation of both federal cybersecurity requirements and Georgia Tech's own policies-to satisfy the demands of the professor who headed the lab. In connection with contracts that DoD entered into with GTRC on behalf of Georgia Tech, defendants were obligated to implement these and other cybersecurity controls at the Astrolavos Lab.

The lawsuit further alleges that in December 2020, Georgia Tech and GTRC submitted a false and fraudulent cybersecurity assessment score to DoD for the Georgia Tech campus. DoD requires contractors to submit summary level scores reflecting the status of their compliance with applicable cybersecurity requirements on covered contracting systems that are used to store or access covered defense information. The submission of this score is a "condition of contract award" for most DoD contracts. The lawsuit alleges that the summary level score of 98 for the Georgia Tech campus that Georgia Tech and GTRC reported to DoD in December 2020 was false and fraudulent because: (1) Georgia Tech did not have, nor could it ever have, a campus-wide IT system; (2) the score was for a "fictitious" or "virtual" environment that was a "construct" since it was not "specifically associated to any active research at Georgia Tech" and was "not actually describing something that exists;" and (3) the score was not for any covered contracting system at Georgia Tech that could or would ever process, store, or transmit covered defense information.

On October 6, 2021, the Deputy Attorney General announced the Department's Civil Cyber-Fraud Initiative to hold accountable entities or individuals that put United States information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches. Information on how to report cyber fraud can be found here. This lawsuit is the first matter the United States has litigated as part of the Civil Cyber-Fraud Initiative.

The whistleblower lawsuit was filed by Christopher Craig and Kyle Koza, who were previously senior members of Georgia Tech's cybersecurity compliance team, under the qui tam or whistleblower provisions of the False Claims Act. The act allows private parties to file suit on behalf of the United States for false claims and to receive a share of any recovery. The act also permits the United States to intervene and assume responsibility for litigating these cases, as it has done here. A defendant who violates the act is subject to liability for three times the government's losses, plus applicable penalties.

This case is being handled by the Justice Department's Civil Division and the United States Attorney's Office for the Northern District of Georgia. The case is captioned United States ex rel. Craig v. Georgia Tech Research Corp, et al., No. 1:22-cv-02698 (N.D. Ga.). Investigative support is being provided by the DoD Office of Inspector General, Defense Criminal Investigative Service, Air Force Office of Special Investigations, and Air Force Material Command.

This matter is being handled by Senior Trial Counsel Jake M. Shields and Assistant U.S. Attorneys Adam D. Nugent and Melanie D. Hendry.

The claims in which the United States has intervened are allegations only, and there has been no determination of liability.

For further information please contact the U.S. Attorney's Public Affairs Office at [email protected] or (404) 581-6016. The Internet address for the U.S. Attorney's Office for the Northern District of Georgia is http://www.justice.gov/usao-ndga.