Georgia Tech Research Corp. Settles Cybersecurity Violations and False Claims Case for $875,000
Published
- Settlement amount: GTRC has agreed to pay $875,000 to resolve allegations of failing to meet federal cybersecurity requirements.
- Core allegations: GTRC reportedly failed to implement the required cybersecurity controls on systems used for sensitive DoD research.
- Legal basis: The case was brought under the False Claims Act, highlighting the government's use of this statute to enforce cybersecurity compliance.
The Georgia Tech Research Corporation (GTRC) will pay $875,000 to settle a civil cyber-fraud lawsuit alleging significant cybersecurity violations related to contracts with the U.S. Air Force and the Defense Advanced Research Projects Agency (DARPA).
The U.S. Department of Justice (DoJ) alleged that GTRC failed to meet mandatory cybersecurity standards for research conducted at Georgia Tech's Astrolavos Lab, a facility engaged in sensitive cyber-defense research for the Department of Defense (DoD).
Details of the Cybersecurity Violations
While working on sensitive cyber-defense research for DoD, GTRC and Georgia Tech failed to install, update, or operate antivirus and anti-malware tools on desktops, laptops, servers, and networks at Georgia Tech’s Astrolavos Lab until December 2021, according to the complaint.
Furthermore, it was alleged that no system security plan, a key requirement for outlining cybersecurity controls under NIST SP 800-171, was in place for the lab until at least February 2020.
False Claims and Broader Implications
A central component of the lawsuit involved allegations under the False Claims Act. The government asserted that in December 2020, GTRC and Georgia Tech submitted a false campus-wide cybersecurity assessment score of 98 to the DoD.
This score was allegedly based on a "fictitious" or "virtual" environment and did not accurately represent the security posture of any actual system processing covered defense information. The submission of this score was a condition for receiving DoD contracts.
The government contended these failures left sensitive information vulnerable to cyber threats. “When contractors fail to follow the required cybersecurity standards in their DoD contracts, they leave sensitive government information vulnerable to malicious actors and cyber threats,” said Assistant Attorney General Brett A. Shumate of the Justice Department’s Civil Division.
Settlement Aftermath
This settlement highlights the federal government's growing emphasis on DoD cybersecurity compliance. Officials emphasized that defense contractors who misrepresent their security practices or fail to implement required controls will be held accountable for their actions.
“Those who knowingly provide deficient cybersecurity products or services, misrepresent their cybersecurity practices or protocols, or violate obligations to monitor and report cybersecurity incidents and breaches must be held accountable,” said Stacy Bostjanick, Chief Defense Industrial Base Cybersecurity, Deputy Chief Information Officer for Cybersecurity, Office of the Chief Information Officer.
The case was initiated by a qui tam complaint filed by two former members of Georgia Tech’s cybersecurity team, who will receive a portion of the settlement.
In July, Illumina Inc. agreed to a $9.8 million settlement to address allegations under the False Claims Act related to cybersecurity shortcomings in its genomic sequencing systems. These allegations involved the California-based biotechnology company knowingly selling vulnerable systems to federal agencies.
One of the largest settlements this year may be the $693 million settlement between the Internet Archive and music labels in a copyright dispute.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular