The United States has filed a lawsuit against Georgia Tech and its research affiliate, Georgia Tech Research Corporation, accusing them of failing to comply with cybersecurity requirements tied to Department of Defense contracts.
The lawsuit, brought under the False Claims Act, marks the first of its kind under the Department of Justice’s Civil Cyber-Fraud Initiative, launched in October 2021.
The Details: The lawsuit centers on allegations that Georgia Tech and Georgia Tech Research Corporation neglected to enforce federal cybersecurity regulations, particularly in contracts involving the Department of Defense. According to the complaint, this lack of compliance was pervasive and extended over several years, beginning as early as 2019.
Key issues include claims that the Astrolavos Lab at Georgia Tech failed to develop and implement a required system security plan and did not follow essential cybersecurity practices, such as installing antivirus software. The suit also alleges that Georgia Tech and Georgia Tech Research Corporation submitted a fraudulent cybersecurity assessment score to the Department of Defense in December 2020, falsely representing the security status of the campus.
In Context: The whistleblower lawsuit was initiated by Christopher Craig and Kyle Koza, former senior members of Georgia Tech’s cybersecurity compliance team. The False Claims Act allows individuals to sue on behalf of the government and potentially share in any recovery. The United States intervened in this case, reflecting the seriousness of the allegations.
The Department of Justice’s Civil Cyber-Fraud Initiative aims to hold contractors accountable for cybersecurity failures that could endanger national security. The initiative targets entities that misrepresent their cybersecurity practices or fail to monitor and report incidents as required by federal law.
Why It Matters: Cybersecurity is a critical component of national defense, especially for government contractors handling sensitive information. The alleged failures at Georgia Tech raise concerns about the security of United States defense information and the potential risks posed by non-compliance. This lawsuit could set a precedent for how cybersecurity obligations are enforced across all government contractors.
What’s Next: The case, United States ex rel. Craig v. Georgia Tech Research Corporation, et al., is currently being handled by the Justice Department’s Civil Division and the United States Attorney’s Office for the Northern District of Georgia. As the litigation proceeds, it will likely draw attention to the broader issue of cybersecurity enforcement in federal contracts. The allegations remain unproven, and no liability has been determined yet.