The United States Department of Justice (DOJ) is now suing the Georgia Institute of Technology, along with its affiliated research organization, for failing to meet the cybersecurity requirements of the Department of Defense (DoD). The U.S. government had previously joined a whistleblower suit brought by current and former members of the university’s cybersecurity team – and last week the DOJ filed an additional motion to sue on behalf of the Pentagon, the United States Air Force, and the Defense Advanced Research Projects Agency (DARPA).

According to a report from Cyberscoop, by advancing the suit, the DOJ has made use of the “False Claims Act” – a Civil War-era law that was aimed at combating “shady contractors.” It has been used more recently in cybersecurity cases since 2022 under the Civil Cyber-Fraud Initiative.

The lawsuit alleges that Astrolavos Lab failed to install anti-malware software on devices, while the school and affiliate company submitted a false cybersecurity assessment.

“Specifically, the lawsuit alleges that until at least February 2020, the Astrolavos Lab at Georgia Tech failed to develop and implement a system security plan, which is required by DoD cybersecurity regulations, that set out the cybersecurity controls that Georgia Tech was required to put in place in the lab,” a release summarizing the complaint stated. “Even when the Astrolavos Lab finally implemented a system security plan in February 2020, the lawsuit alleges that Georgia Tech failed to properly scope that plan to include all covered laptops, desktops, and servers.”

The university has responded that it believed the government was “conducting research that did not require cybersecurity restrictions,” while the complaint “misrepresented Georgia Tech’s culture of innovation and integrity.”

Robust Cybersecurity – There is No Alternative

The lawsuit also comes just as the DoD announced that its proposed rule for the Cybersecurity Maturity Model Certification (CMMC) program would see its phased rollout become final next year.

Once the rule-making is finalized, all government contractors working on defense-based contracts for the DoD will be required to achieve a CMMC certificate at a specified level, as determined by the type of data with which the organization comes in contact.

Firms that fail to meet the CMMC certification, or to have other required cybersecurity in place, could find themselves in legal hot water.

“Government contractors that fail to fully implement required cybersecurity controls jeopardize the confidentiality of sensitive government information,” Principal Deputy Assistant Attorney General Brian M. Boynton, who leads the DOJ’s Civil Division, said in a statement. “The department’s Civil Cyber-Fraud Initiative was designed to identify such contractors and to hold them accountable.”

It shouldn’t really come to lawsuits, as accountability should begin with a culture change.

“Protection for sensitive and classified data needs to be treated as an operational priority,” said Brett Hansen, chief growth officer at cybersecurity provider Cigent.

“There is an inconsistent implementation of encryption, authentication, and zero-trust access controls that can mitigate the risk of unauthorized data access,” Hansen told ClearanceJobs. “With the adoption of increasingly capable devices operating at the edge, including AI-empowered PCs and Servers, Industrial Control Systems, and Unmanned Vehicles, it is essential that expectations are not only established but diligently enforced to ensure the integrity of sensitive data.”

Long Overdue

This hardline approach from the DOJ may have been a long time in coming, due in no small part to the increased number of security breaches that have been seen in recent years.

“With cybersecurity, we are only as strong as our weakest link. Years ago when I worked at IBM in Internal Audit as a security expert, we created a site that we truly believed was invulnerable to external attack,” explained technology industry analyst Rob Enderle of the Enderle Group.

“We then hired an ex-CIA hacker to break into it, and he did so in a matter of hours. He didn’t even try to breach the site, he just looked for other companies that might have a connection to that site and breached them, using their connection to get unauthorized access,” Enderle told ClearanceJobs.

There remains massive interdependency between the government and businesses, and it often doesn’t matter if the government sites are secure if the businesses that link to them digitally are not, as those trusted links can be used to breach the government site.

“Thus, the lack of security in business, and remember we have suppliers for the companies that supply the government, that could be breached even if those initial suppliers are secure,” warned Enderle. “All these entities are interdependent and any one of them with inadequate security could result in a massive security exposure that flows through those links. This is a national security exposure and thus it makes sense for the DoJ and DoD to move to mitigate it.”

Peter Suciu is a freelance writer who covers business technology and cyber security. He currently lives in Michigan and can be reached at petersuciu@gmail.com. You can follow him on Twitter: @PeterSuciu.