ATLANTA — When the government gives out defense contracts, they typically include cybersecurity requirements intended to keep information safe.
But a lawsuit filed by the U.S. Justice Department says Georgia Institute of Technology ignored those requirements "to satisfy the demands" of "star researchers" who the lawsuit says were treated like "star quarterbacks."
The lawsuit lists a number of alleged cybersecurity violations, ranging from a lab's computers not having anti-virus software and the university having essentially "no enforcement" of required cybersecurity regulations.
“Government contractors that fail to follow and fully implement required cybersecurity controls jeopardize the security of sensitive government information and information systems and create unnecessary risks to national security,” said Bryan Boynton, with the U.S. Justice Department's Civil Division.
Most complaints center on the Astrolavos Lab at Georgia Tech, described on their website as a computer security research group at Georgia Tech. However, the lawsuit says the lab did not follow the federal government's computer security requirements.
According to the biography of the professor in charge of the lab, "the Astrolavos Lab, [is] where students conduct research in the areas of Attack Attribution, Network Security and Privacy, Intrusion Detection, and Data Mining."
Along with violating the government's cybersecurity requirements, they also claim the university lied in government forms, reporting their cybersecurity situation was better than it actually was.
They say their cybersecurity reports were "not actually describing something that exists."
On numerous fronts, the U.S. Attorney's Office in Atlanta claims Georgia Tech did not do enough to secure its systems, which put government information at "unnecessary risks." In the release, they say their actions threatened "national security."
“Cybersecurity compliance by government contractors is critical in safeguarding U.S. information and systems against threats posed by malicious actors,” U.S. Attorney Ryan Buchanan said in the release. “For this reason, we expect contractors to abide by cybersecurity requirements in their contracts and grants, regardless of the size or type of the organization or the number of contracts involved."
In a statement, Georgia Tech said: "We are extremely disappointed by the Department of Justice’s filing, which misrepresents Georgia Tech’s culture of innovation and integrity. Their complaint is entirely off base, and we will vigorously dispute it in court."
In the lawsuit, the federal government lists numerous examples of Georgia Tech allegedly failing to follow the cybersecurity requirements required in their government contracts.
For instance, the Astrolavos Lab did not "install, update, or operate anit-virus or anti-malware software" on the lab's computers, servers and networks between May 2019 and December 2021, the lawsuit claims.
The university allegedly "approved the lab's refusal to install antivirus software.... to satisfy the demands of the professor who headed the lab," which violated both the government contract's requirements and Georgia Tech's own policies, the lawsuit said.
The lawsuit claims the university' "acquiesced" to researchers who "secured large government contracts" but found "cybersecurity compliance.... troublesome."
Despite the government's claim Georgia Tech's actions violated national security, the university claims no government secrets or confidential information were leaked, and there was no "breach of information," the statement says.
They also allege the government gave the university incorrect information about their cybersecurity requirements. You can read the full statement below.
Georgia Tech's full statement:
"We are extremely disappointed by the Department of Justice’s filing, which misrepresents Georgia Tech’s culture of innovation and integrity. Their complaint is entirely off base, and we will vigorously dispute it in court. This case has nothing to do with confidential information or protected government secrets. The government told Georgia Tech that it was conducting research that did not require cybersecurity restrictions, and the government itself publicized Georgia Tech’s groundbreaking research findings. In fact, in this case, there was no breach of information, and no data leaked. Despite the misguided action by the Department of Justice, Georgia Tech remains committed to strong cybersecurity and continuing its collaborative relationship with the Department of Defense and other federal agencies."