SecurityWeek


Georgia Tech Sued Over Alleged False Cybersecurity Reports to Win DoD Contracts

Complaint alleges that defendants submitted a false and fraudulent cybersecurity assessment score.

The US has intervened in a whistleblower suit brought against the Georgia Institute of Technology (Georgia Tech) and Georgia Tech Research Corporation (GTRC) over alleged failure to meet cybersecurity requirements imposed on Department of Defense (DoD) contractors.

In 2022, two whistleblowers, Christopher Craig and Kyle Koza, previously senior members of the defendants’ cybersecurity compliance team, sued Georgia Tech under the False Claims Act for submitting false summary level scores to help win DoD contracts.

As DoD contractors, Georgia Tech and its affiliate GTRC are required to adhere to certain cybersecurity standards promulgated by the National Institute of Standards and Technology (NIST), but the complaint filed by the two whistleblowers alleges that the defendants failed to implement those controls and lied about such failures to the DoD.

According to the complaint filed against Georgia Tech and GTRC, since at least 2019, the two entities did not enforce federal cybersecurity regulations regarding DoD contracts, and gave in to the demands of researchers who secured large government contracts.

The complaint also alleges that even the system security plan implemented in 2020 to comply with applicable DoD cybersecurity requirements did not include all applicable systems and was never updated as required by existing regulation.

Between May 2019 and December 2021, the complaint alleges, no security applications were installed or maintained on the systems and networks of the Astrolavos Lab at Georgia Tech, in violation of federal requirements and internal policies.

“In connection with contracts that DoD entered into with GTRC on behalf of Georgia Tech, defendants were obligated to implement these and other cybersecurity controls at the Astrolavos Lab,” the Department of Justice notes.

Additionally, the complaint alleges that in December 2020, the defendants submitted a false and fraudulent cybersecurity assessment score for the Georgia Tech campus, which did not reflect the status of compliance with cybersecurity requirements applicable to systems used to store or access covered defense information.


The defendants submitted a summary level score of 98, which the lawsuit alleges was fraudulent, because it was for a fictitious environment not specifically associated with research at Georgia Tech, and was not for covered contracting systems.

The whistleblower lawsuit was filed under the qui tam provision of the False Claims Act, and the US has intervened and is assuming responsibility for litigating the case. Entities that violate the act are liable for three times the government’s losses, plus penalties.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
