5 September 2024. The United States Department of Justice intervened in a case against the Georgia Institute of Technology (Georgia Tech) and its affiliate, the Georgia Tech Research Corporation (GTRC). The lawsuit alleges that these entities knowingly failed to meet cybersecurity requirements under Department of Defense (DoD) contracts.

Overview of the Whistleblower Lawsuit

The whistleblower lawsuit, filed by Christopher Craig and Kyle Koza (former senior members of Georgia Tech’s cybersecurity compliance team), accuses Georgia Tech and GTRC of multiple violations of federal cybersecurity regulations. As qui tam whistleblowers, they may be entitled to 15-25% of the government’s recovery from these institutions.

Key Allegations

According to the complaint, Georgia Tech and GTRC had a culture and practice of “systematic noncompliance” with regard to the cybersecurity requirements of their DoD contracts. Until February 2020, the Astrolavos Lab at Georgia Tech did not have a system security plan, a requirement under DoD cybersecurity regulations. Furthermore, when they did implement a plan, it did not include all key hardware devices. Additionally, contrary to both contracting cybersecurity requirements and Georgia Tech’s policies, the lab did not install or maintain anti-virus or anti-malware software on its devices. Instead, the institution caved to the head of the lab’s demands regarding anti-virus or anti-malware software. Finally, the lab falsely claimed compliance with the DoD’s cybersecurity assessment, allegedly submitting a score for a fictitious environment that did not exist.

The Civil Cyber-Fraud Initiative

This case is one of the latest actions under the DOJ’s Civil Cyber-Fraud Initiative, announced by Deputy Attorney General Lisa Monaco on October 6, 2021. The initiative aims to hold entities or individuals contracting with the government accountable for:

• Providing inadequate cybersecurity products or services.
• Misrepresenting compliance with cybersecurity rules.
• Failing to report cybersecurity incidents and breaches.

Why Cybersecurity Compliance Matters for Government Contractors and Cybersecurity Professionals

The DOJ’s intervention in this case sends a clear message to government contractors and cybersecurity professionals about the importance of compliance with federal cybersecurity requirements. Insiders who have knowledge of individuals or institutions skirting compliance with federal cybersecurity regulations can step forward and report these issues under the qui tam provision of the False Claims Act.