The United States has filed a complaint-in-intervention against the Georgia Institute of Technology (Georgia Tech) and Georgia Tech Research Corporation (GTRC), alleging violations under the False Claims Act and federal common law. The lawsuit claims that these entities failed to meet cybersecurity requirements related to U.S. Department of Defense (DoD) contracts.
GTRC, an affiliate of Georgia Tech, engages in contracts with government agencies for work performed at Georgia Tech and its associated entities. On February 20, 2024, the United States intervened in a whistleblower suit initiated by current and former members of Georgia Tech’s cybersecurity team against both institutions.
“Cybersecurity compliance by government contractors is critical in safeguarding U.S. information and systems against threats posed by malicious actors,” said U.S. Attorney Ryan K. Buchanan. “For this reason, we expect contractors to abide by cybersecurity requirements in their contracts and grants, regardless of the size or type of the organization or the number of contracts involved. Our office will hold accountable those contractors who ignore cybersecurity rules.”
Principal Deputy Assistant Attorney General Bryan Boynton emphasized the risks associated with non-compliance: “Government contractors that fail to follow and fully implement required cybersecurity controls jeopardize the security of sensitive government information and information systems and create unnecessary risks to national security.”
Special Agent-in-Charge Darrin K. Jones from the Department of Defense Office of Inspector General stated, “Deficiencies in cybersecurity controls pose a significant threat not only to our national security but also to the safety of the men and women of our armed services that risk their lives daily.”
The complaint alleges that from at least 2019 onward, Georgia Tech had "no enforcement" of federal cybersecurity regulations related to DoD contracts, fostering a culture where policies were routinely ignored due to internal pressures from high-profile researchers.
Specifically, it is alleged that from May 2019 until February 2020, the Astrolavos Lab at Georgia Tech did not develop or implement a required system security plan compliant with DoD cybersecurity requirements. When finally implemented in February 2020, it was reportedly incomplete and inadequately maintained.
Further allegations state that between May 2019 and December 2021, anti-virus or anti-malware tools were neither installed nor updated on lab equipment as required. This non-compliance was allegedly approved by Georgia Tech officials under pressure from a leading professor.
In December 2020, Georgia Tech and GTRC allegedly submitted a fraudulent cybersecurity assessment score to DoD for campus-wide IT systems which did not exist as described.
The Civil Cyber-Fraud Initiative, announced on October 6, 2021, aims to hold accountable those providing deficient cybersecurity services or misrepresenting their practices. This case marks the first litigation under this initiative.
Whistleblowers Christopher Craig and Kyle Koza filed this lawsuit under the qui tam provisions of the False Claims Act, which allow private parties to sue on behalf of the U.S. and potentially receive a share of any recovery.
This case is being managed by Senior Trial Counsel Jake M. Shields along with Assistant U.S. Attorneys Adam D. Nugent and Melanie D. Hendry from the Justice Department’s Civil Division and Northern District of Georgia’s U.S. Attorney’s Office.
These allegations are currently unproven pending further legal proceedings.
For additional details, contact USAGAN.PressEmails@usdoj.gov or call (404) 581-6016.