Infosec experts applaud DOJ lawsuit against Georgia Tech

The Department of Justice joined a whistleblower lawsuit against Georgia Tech for allegedly misleading the Department of Defense about its cybersecurity posture.

The U.S. Department of Justice is suing the Georgia Institute of Technology and Georgia Tech Research Corporation for allegedly lying about their cybersecurity posture to preserve lucrative Department of Defense contracts.

The DOJ announced on Friday that it joined a whistleblower lawsuit filed by current and former members of Georgia Tech's cybersecurity team. Defendants also include GTRC, an affiliate of Georgia Tech that contracts with government agencies such as the DOD for classified work conducted at the institution.

Allegations include false cybersecurity risk assessment score submissions, insufficient system security plans and Georgia Tech refusing to install, update or run antivirus tools. Additionally, the DOJ stated that the lack of antivirus tools violates federal cybersecurity requirements as well as Georgia Tech's own policies.

The DOJ also blamed Dr. Emmanouil Antonakakis, a professor at the school's Astrolavos Lab, for aiding in the alleged security shortcomings.

"Government contractors that fail to fully implement required cybersecurity controls jeopardize the confidentiality of sensitive government information. The department's Civil Cyber-Fraud Initiative was designed to identify such contractors and to hold them accountable," said Brian M. Boynton, principal deputy assistant attorney general at the DOJ's Civil Division, in the press release.

The original whistleblower lawsuit was filed by Christopher Craig and Kyle Koza, former senior members of Georgia Tech's cybersecurity compliance team, according to the DOJ. One major allegation highlighted in the lawsuit was the failure to develop and implement a system security plan as required by DOD regulations. Georgia Tech was hired in 2016 for work by the U.S. Air Force and the Defense Advanced Research Projects Agency, which involves developing emerging technologies for military use.

"Even when Astrolavos Lab finally implemented a system security plan in February 2020, the lawsuit alleges that Georgia Tech failed to properly scope that plan to include all covered laptops, desktops and servers," the press release read.

The complaint noted that government contracts over the years added up to billions of dollars for Georgia Tech. It also expanded on several allegations against the university. For example, the DOJ accused GTRC of "knowingly" presenting false materials to the U.S. government for payment or approval. GTRC employees allegedly falsified documents to ensure payments, even though the security posture was insufficient by U.S. standards.

The lawsuit also alleged that Georgia Tech did not follow required National Institute of Standards and Technology (NIST) controls for all contracted systems. NIST SP 800-171 sets standards for protecting sensitive data on defense contractor networks.

More alarmingly, the DOJ accused Georgia Tech and GTRC of intentionally submitting a false cybersecurity assessment score of 98 out of 110. According to the whistleblowers, Georgia Tech officials knowingly provided a score for a "fictitious" or "virtual" environment to maintain its contracts with the DOD.

"Instead of calculating and providing to DoD an accurate score for the Astrolavos Lab, Georgia Tech and GTRC provided DoD with a score for a 'campus-wide' IT system at Georgia Tech when no such campus-wide IT system existed," the complaint read. "At the time that Georgia Tech and GTRC submitted the false score to the United States, they were warned by their own employee, Rebecca Caravati, that providing the false score to the DoD would 'mislead' their government, be 'less than forthright', or constitute an outright 'misrepresentation' to the government."

Infosec experts weigh in

The DOJ's legal action against Georgia Tech is part of the federal government's recent efforts to bolster its cybersecurity posture amid increased attacks, particularly from nation-state threat groups. Under the department's Civil Cyber-Fraud Initiative, launched in 2021, the DOJ has aimed to hold federal contractors more accountable for security shortcomings.

Jacob Olcott, vice president of government affairs at BitSight, told TechTarget Editorial that validating the security of an organization has never been more important, especially as organizations' third-party ecosystems rapidly expand.

"For years, organizations have checked the box when it comes to cybersecurity, claiming that they've taken the proper steps to secure their organization when, in reality, they were doing anything but," Olcott said. "Subjective responses to the question of whether an organization is meeting cybersecurity standards need to be validated."

Olcott said advancements in data collection now make it possible to validate claims and determine whether an organization's security program is adequate or contains gaps. BitSight has observed the public sector already using those tools. "Moving forward, I anticipate an increasing number of government entities turning to this objective data to validate cybersecurity performance and act accordingly," he said.

Tony Anscombe, chief security evangelist at ESET, said the case highlights how important whistleblowing is regarding misconduct. "The issue between Georgia Tech and their requirement to maintain a certain level of cybersecurity standards to secure Department of Defense contracts is, if proved correct, an excellent example of security researchers doing the right thing and whistleblowing," he said. "What this issue, if proven, highlights is the need for transparency between parties that have contracts that require a certain level of cybersecurity implemented."

Anscombe echoed other infosec experts regarding the need for assessment validation by a third party. He also believes it's important to continue the assessment beyond the start of a contract since a company could implement the requirement and then fail to maintain it or follow through on responding to notification alerts, for example.

"The wider issue caused when a company makes fraudulent claims about cybersecurity is that it undermines the concept of being cybersecure," Anscombe said. "If the lack of cybersecurity that is claimed leads to a data breach or major cyber incident, then both businesses and consumers could question whether cybersecurity provides what is claimed rather than understanding it was never there. Distrust of this nature causes long-term damage to the trust model that should exist."

Gary Barlet, public sector CTO at Illumio, also applauded the DOJ for taking action against Georgia Tech. He warned that if companies aren't held accountable for something specifically called out in a contract, they will have no incentive to be responsible. "The only way we're going to solve this problem is to start holding people and companies accountable when they aren't treating this problem seriously," Barlet said.

Similarly, Sabeen Malik, vice president of global government affairs and public policy at Rapid7, told TechTarget Editorial that the lawsuit shows that DOJ is becoming more active with its Civil Cyber-Fraud Initiative as well as other federal efforts.

"This also aligns with DoD's activities in CMMC [Cybersecurity Maturity Model Certification], which propose more robust controls around contractor verification of cybersecurity control implementation. Contractors should carefully review any requests for verification or attestations related to cybersecurity compliance," Malik said.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.