The US is suing one of its leading research universities over a litany of alleged failures to meet cybersecurity standards set by the Department of Defense (DoD) for contract awardees.

Georgia Institute of Technology (GIT), commonly referred to as Georgia Tech, and its contracting entity, Georgia Tech Research Corporation (GTRC), are being investigated following whistleblower reports from insiders Christopher Craig and Kyle Koza about alleged failures to protect controlled unclassified information (CUI).

The series of allegations date back to 2019 and continued for years after, although Koza was said to have identified the issues as early as 2018.

Among the allegations is the suggestion that between May 2019 and February 2020, Georgia Tech's Astrolavos Lab - ironically a group that focuses on cybersecurity issues affecting national security - failed to develop and implement a cybersecurity plan that complied with DoD standards (NIST 800-171).

When the plan was implemented in February 2020, the lawsuit alleges that it wasn't properly scoped - not all the necessary endpoints were included - and that for years afterward, Georgia Tech failed to maintain that plan in line with regulations.

Additionally, the Astrolavos Lab was accused of failing to implement anti-malware solutions across devices and the lab's network. The lawsuit alleges that the university approved the lab's refusal to deploy the anti-malware software "to satisfy the demands of the professor that headed the lab," the DoJ said. This is claimed to have occurred between May 2019 and December 2021.

Refusing to install anti-malware solutions at a contractor like this is not allowed. In fact, it violates federal requirements and Georgia Tech's own policies, but allegedly happened anyway.

The university and the GTRC also, it is claimed, submitted a false cybersecurity assessment score in December 2020 - a requirement for all DoD contractors to demonstrate they're meeting compliance standards.

The two organizations are accused of issuing themselves a score of 98, which was later deemed to be fraudulent based on various factors. 

To summarize, the issue centers around the claim that the assessment was carried out on a "fictitious" environment, so on that basis the score wasn't given to a system related to the DoD contract, the US alleges.

The claims are being made under the False Claims Act (FCA), which is being utilized by the Civil Cyber-Fraud Initiative (CCFI), which was introduced in 2021 to punish entities that knowingly risk the safety of United States IT systems.

It's a first-of-its-kind case being pursued as part of the CCFI. All previous cases brought under the CCFI were settled before they reached the litigation stage.

"Because the allegations suggest Georgia Tech falsely certified it was compliant with DoD contractual and regulatory requirements, they present a textbook case of potential FCA liability predicated on alleged non-compliance with NIST standards," states an assessment of the case from legal experts at O'Melveny.

"The complaint contends personnel across teams at Georgia Tech interpreted NIST controls in a way that allowed them to designate whatever actions they were already taking to be 'compliant' and implement interpretations that effectively rendered security controls meaningless."

The case was originally brought in July 2022 by Craig, who is still affiliated with Georgia Tech as the associate director of cybersecurity, and Koza, a Georgia Tech grad and former principal infosec engineer at GIT.

The US filed and was swiftly granted a complaint-in-intervention in June 2024 after announcing its intent to join the lawsuit against Georgia Tech and GTRC in April.

US officials expressed their displeasure with the defendants, saying they put national security and defense personnel at risk.

"Deficiencies in cybersecurity controls pose a significant threat not only to our national security, but also to the safety of the men and women of our armed services that risk their lives daily," said special agent-in-charge Darrin K Jones, Department of Defense Office of Inspector General, Defense Criminal Investigative Service (DCIS), Southeast Field Office.

"As force multipliers, we place a substantial amount of trust in our contractors and expect them to meet the strict standards our service members deserve."

"Government contractors that fail to follow and fully implement required cybersecurity controls jeopardize the security of sensitive government information and information systems and create unnecessary risks to national security," said principal deputy assistant attorney general Bryan Boynton of the Civil Division. "We will continue to pursue knowing cybersecurity-related violations under the Department's Civil Cyber-Fraud Initiative."

Separately, Georgia Tech is also the subject of a Congressional probe into its potentially problematic relationship with China.

Since 2013, the institution has partnered with Tianjin University, which is believed to have "significant ties" to the Chinese military and was previously blacklisted for stealing American military technology, and received "millions of dollars" from China to support this partnership.

The partnership has borne fruit such as the first-ever graphene-based semiconductor. Announced earlier this year, it's thought that with some additional work, the material could surpass the performance of silicon.

The investigation carried out by the House Select Committee on the Chinese Communist Party was only announced in May this year, so it will take some time before we hear anything regarding its conclusion.

The Reg approached Georgia Tech and GTRC for a response. We will update the article if either responds. ®

https://www.theregister.com//2024/08/23/us_georgia_tech_lawsuit/