The U.S. Department of Justice (DOJ) has intervened in a False Claims Act (FCA) lawsuit against Georgia Tech and its contracting arm, Georgia Tech Research Corporation (GTRC). Filed in August 2024, the DOJ’s complaint alleges cybersecurity failures in two Department of Defense (DoD) contracts, citing negligence in regulatory compliance and misrepresentation of security protocols at Georgia Tech’s Astrolavos Lab. This action is part of the DOJ’s Civil Cyber-Fraud Initiative, which aims to hold contractors accountable for cybersecurity practices.
The suit revolves around two specific DoD research contracts with the lab. The “EA” project, an Air Force initiative, aimed to create technology identifying cyberattack perpetrators, while the “Smoke” project, sponsored by DARPA, focused on automating cybersecurity infrastructure. The DOJ claims Georgia Tech, under the leadership of Dr. Emmanouil Antonakakis, failed to meet cybersecurity standards, including system security planning, antivirus software use, and accurate compliance reporting, jeopardizing “controlled unclassified information” (CUI).
Allegedly, the Astrolavos Lab delayed implementing a system security plan and resisted antivirus installation, opting instead for inadequate measures. The DOJ also states that Georgia Tech inaccurately reported compliance through an “enterprise level” score instead of specific scores for the lab’s systems, presenting a misleading view of security practices. These alleged shortcomings rendered the university’s DoD invoices materially false, with potential penalties totaling up to $30 million.
The DOJ’s involvement in this case underlines a heightened government stance on cybersecurity compliance in federal contracts, signaling willingness to litigate if contractors fail to uphold standards. This case is a notable step in the Civil Cyber-Fraud Initiative, cautioning contractors that regulatory compliance in cybersecurity will be rigorously enforced to safeguard sensitive information.
Reference:
