DoJ’s Georgia Tech lawsuit a ‘warning’ to contractors on cyber compliance

The Georgia Tech case centers on the university’s alleged failure to follow NIST cybersecurity controls required by DoD contracts.

Lawyers say the Justice Department’s intervention in a fraud case involving Georgia Tech could serve as a key warning to contractors about the risks of ignoring federal cybersecurity requirements.

In a landmark case for its “cyber civil fraud initiative,” DoJ last week filed suit against Georgia Tech, alleging that the university knowingly failed to meet contractual cybersecurity requirements. The agency joined a False Claims Act whistleblower lawsuit brought forward by current and former members of Georgia Tech’s cybersecurity team in 2022.

The complaint alleges Georgia Tech’s Astrolavos Lab neglected to implement several cybersecurity controls required as part of its contracts with the Defense Department.

DoJ alleges the lab specifically failed to implement a system security plan until at least February 2020. The complaint alleges the university didn’t have required antivirus software installed on the lab’s computers and devices until December 2021.

And the suit additionally alleges that in December 2020, Georgia Tech submitted a false cybersecurity assessment score to DoD, even after an employee warned the university that the score was misleading.

In a statement, a Georgia Tech spokeswoman said DoJ’s filing “misrepresents Georgia Tech’s culture of innovation and integrity.”

“Their complaint is entirely off base, and we will vigorously dispute it in court,” the spokeswoman said. “This case has nothing to do with confidential information or protected government secrets.”

While DoJ has announced several settlements under the cyber civil fraud initiative, legal experts said the Georgia Tech case appears to be the first in which DoJ has intervened. Bob Metzger, head of the Washington office for law firm Rogers Joseph O’Donnell, noted how much work went into the DoJ complaint.

“Perhaps this case, in its density, is intended to combat anyone who might hold the misapprehension that DoJ is not serious about using the False Claims Act as a means not only to punish companies that it decides to pursue, but also to warn any other companies of the importance that they thoroughly understand their obligations and thoroughly perform those cyber obligations without acts that are indifferent, misleading or fraudulent,” Metzger said.

The complaint focuses on Georgia Tech’s alleged failure to heed warnings from employees that the university was not meeting National Institute of Standards and Technology (NIST) cybersecurity controls required by DoD contracting rules.

DoJ’s lawsuit highlights the importance of “having a way for employees to raise concerns about compliance concerns around cybersecurity and then making sure you have mechanisms in place to address those,” Kate Seikaly, managing partner at law firm Reed Smith, said in an interview.

Previous False Claims Act settlements involving federal cyber requirements have focused on issues like breaches of patient data. But Seikaly noted that the Georgia Tech case is squarely focused on contractual cybersecurity requirements and their importance to national security.

“The Georgia Tech case, when I compare it to some of the settlements, strikes me as a very quintessential cybersecurity case,” Seikaly said.

Lawyers at Sheppard Mullin Richter & Hampton wrote in a blog post that the Georgia Tech case is poised to “have significant implications for entities that contract with the federal government and outlines areas of focus for agencies when it comes to cybersecurity.”

“Contractors should focus on having adequate documentation to support security assessments and plans, understanding where data is housed or transmitted within information systems in order to properly scope assessments, and ensuring any reports to the government are accurate and complete in order to limit False Claims Act risk,” they wrote.

Meanwhile, the university spokeswoman claimed that Georgia Tech was told it would not be subject to “cybersecurity restrictions.”

“The government told Georgia Tech that it was conducting research that did not require cybersecurity restrictions, and the government itself publicized Georgia Tech’s groundbreaking research findings,” the Georgia Tech spokeswoman said in the university’s statement. “In fact, in this case, there was no breach of information, and no data leaked. Despite the misguided action by the Department of Justice, Georgia Tech remains committed to strong cybersecurity and continuing its collaborative relationship with the Department of Defense and other federal agencies.”

DoJ’s lawsuit does not point to any specific cyber breach or data loss due to Georgia Tech’s actions. But the complaint argues that more than $19 million in contracts awarded to Georgia Tech amount to false invoices due to the lack of cyber compliance.

While DoJ may be pushing the limits of its civil cyber fraud initiative by claiming damages without a breach or loss of data, Metzger noted that the complaint brings forward strong evidence that Georgia Tech failed to implement several specific cybersecurity requirements.

“Even supposing one questions the intervention complaint as ‘overkill,’ and even though large damages and penalties are claimed in the absence of any alleged injury-in-fact, without doubt this action should be received as an important warning to all federal suppliers that contractual cybersecurity requirements can be ignored only at your peril,” Metzger said.

The intervention in the Georgia Tech case comes as DoD finalizes rules for the Cybersecurity Maturity Model Certification (CMMC) program. CMMC will require many contractors to receive a third-party audit of their cybersecurity compliance as a condition of contract award.

Metzger said while the timing of DoJ’s intervention in the case is “more coincidental than coordinated,” it could help bolster CMMC’s rollout.

“CMMC says, ‘We’re going to assess whether you do all 110 of these things and if you don’t, you’re not going to be eligible to get a contract,’” Metzger said. “And that’s pretty powerful stuff by itself. If you put an overlay of the Georgia Tech intervention complaint, it’s saying, ‘Not only are you exposed to loss of contract opportunity, you’re exposed to very sizable damages for any contract that you might get and perform if you misled the government as to your compliance.’”

Copyright © 2024 Federal News Network. All rights reserved.
