ATLANTA – The United States has filed a complaint against the Georgia Institute of Technology (Georgia Tech) and Georgia Tech Research Corporation (GTRC), asserting claims under the False Claims Act and federal common law. The defendants allege that the defendants failed to comply with cybersecurity requirements in connection with U.S. Department of Defense (DoD) contracts.

GTRC is a subsidiary of Georgia Tech that contracts with government agencies for work to be performed at Georgia Tech and its related entities. On February 20, 2024, the United States intervened in a whistleblower lawsuit filed by current and former members of Georgia Tech’s cybersecurity team against Georgia Tech and GTRC.

“Cybersecurity compliance by government contractors is critical to protecting U.S. information and systems from threats from malicious actors,” said U.S. Attorney Ryan K. Buchanan. “For this reason, we expect contractors to comply with the cybersecurity requirements in their contracts and grants, regardless of the size or type of organization or the number of contracts involved. Our office will hold accountable those contractors who ignore cybersecurity rules.”

“Government contractors that fail to follow and fully implement required cybersecurity controls jeopardize the security of sensitive government information and information systems and create unnecessary risks to national security,” said Principal Deputy Assistant Attorney General Bryan Boynton of the Civil Division. “We will continue to address cybersecurity-related violations under the Department’s Civil Cyber-Fraud Initiative.”

“Deficiencies in cybersecurity controls pose a significant threat not only to our national security, but to the safety of the men and women of our armed forces who risk their lives every day,” said Special Agent-in-Charge Darrin K. Jones, Department of Defense Office of Inspector General, Defense Criminal Investigative Service (DCIS), Southeast Field Office. “As force multipliers, we place great trust in our contractors and expect them to meet the exacting standards our service members deserve.”

The United States complaint alleges that, beginning at least in 2019 and for several years, Georgia Tech had essentially “no enforcement” of federal cybersecurity regulations related to DoD contracts and a “culture of someone higher up will overthrow me . . . (so) I might as well go ahead and ignore the policy” regarding cybersecurity compliance. Georgia Tech, the complaint alleges, routinely acquiesced to the demands of “star researchers” — who were treated as “star quarterbacks” because they won major government contracts — when those researchers “backed off” on cybersecurity compliance because the researchers found it burdensome.

The lawsuit specifically alleges that from at least May 2019 through at least February 2020, the Astrolavos Lab at Georgia Tech failed to develop and implement a required systems security plan outlining the cybersecurity controls instituted at the lab to comply with applicable DoD cybersecurity requirements. Georgia Tech also did not implement required DoD cybersecurity controls at the lab until August 2019 at the earliest, the lawsuit alleges. Even when the Astrolavos Lab finally implemented a systems security plan in February 2020, the lawsuit alleges that Georgia Tech failed to properly scope that plan to encompass all covered laptops, desktops, and servers, and that it failed to monitor and update that plan in subsequent years as required by applicable cybersecurity rules and regulations.

Additionally, the lawsuit alleges that from at least May 2019 through December 2021, the Astrolavos lab failed to install, update, or use anti-virus or anti-malware tools on desktops, laptops, servers, and networks in the lab. Georgia Tech allegedly approved the lab’s refusal to install anti-virus software, in violation of both federal cybersecurity requirements and Georgia Tech’s own policies, in order to comply with the demands of the professor who led the lab. Under contracts that DoD entered into with GTRC on behalf of Georgia Tech, defendants were required to implement these and other cybersecurity controls in the Astrolavos lab.

The lawsuit further alleges that Georgia Tech and GTRC submitted a false and fraudulent cybersecurity assessment score for Georgia Tech’s campus to DoD in December 2020. DoD requires contractors to submit summary scores that reflect the status of their compliance with applicable cybersecurity requirements on covered contracting systems used to store or access covered defense information. Submitting this score is a “condition of contract award” for most DoD contracts. The lawsuit alleges that the summary score of 98 for Georgia Tech’s campus that Georgia Tech and GTRC reported to DoD in December 2020 was false and fraudulent because: (1) Georgia Tech did not and could never have a campus-wide IT system; (2) the score was for a “fictitious” or “virtual” environment that was a “construct” as it was not “specifically tied to any active research at Georgia Tech” and “did not actually describe anything that exists;” and (3) the score was not for any covered contract system at Georgia Tech that could or would ever process, store, or transmit covered defense information.

On October 6, 2021, the Deputy Attorney General announced the Department’s Civil Cyber-Fraud Initiative to hold accountable entities or individuals who compromise United States information or systems by knowingly providing defective cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches. Information on how to report cyberfraud can be found here . This lawsuit is the first case brought by the United States as part of the Civil Cyber-Fraud Initiative.

The whistleblower lawsuit was filed by Christopher Craig and Kyle Koza, who were previously senior members of Georgia Tech’s cybersecurity compliance team, under the who is that or whistleblower provisions of the False Claims Act. The law allows private parties to bring a lawsuit on behalf of the United States alleging false claims and receive a share of the damages. The law also allows the United States to intervene and take responsibility for litigating these cases, as happened here. A defendant who violates the law is liable for three times the government’s losses, plus applicable penalties.

This case is being handled by the Civil Division of the Department of Justice and the U.S. Attorney’s Office for the Northern District of Georgia. The case is titled United States ex rel. Craig v. Georgia Tech Research Corp, et al.No. 1:22-cv-02698 (ND Ga.). Investigative support is provided by the DoD Office of Inspector General, Defense Criminal Investigative Service, Air Force Office of Special Investigations, and Air Force Material Command.

This case is being handled by Senior Trial Counsel Jake M. Shields and Assistant U.S. Attorneys Adam D. Nugent and Melanie D. Hendry.

The claims in which the United States intervened are merely allegations. No determination of liability has been made.

For further information, contact the U.S. Attorney’s Office of Public Affairs at [email protected] or (404) 581-6016. The Internet address of the U.S. Attorney’s Office for the Northern District of Georgia is http://www.justice.gov/usao-ndga.