DOJ Hacked A Georgia Tech Cybersecurity Lab For Allegedly Not Complying With Its Contracts

The U.S. Department of Justice (“DOJ”) used the law to hack a Georgia Tech Research Corporation (GTRC) cybersecurity research lab that does cybersecurity research for the Department of Defense[1] (DoD), alleging that the lab did not have the cybersecurity controls its contracts required in place while telling DoD that it did.

Read on to learn more about what happened.

The Settlement

GTRC, the entity Georgia Tech uses for contracting with the U.S. Federal Government, settled with DOJ for $875,000 without admitting liability. DOJ had alleged that GTRC violated the False Claims Act (31 U.S.C. § 1379, et seq) because, ironically, it was conducting cutting-edge cybersecurity research for DoD while allegedly failing to implement basic cybersecurity protections in its own lab as required by its government contracts.

The Regulatory Requirements

GTRC held contracts with the U.S. Air Force and DARPA for cyber-defense research that was conducted at the Astrolavos Lab, a GTRC-related entity. These contracts included a Defense Federal Acquisition Regulation Supplement (DFARS) clause requiring contractors and subcontractors to have certain cybersecurity controls in place to protect sensitive DoD information (DFARS 252.204-7020). These regulatory requirements are not new. In one form or another they have been in place for over a decade.

The Astrolavos Lab was required to, among other things:

  • Implement NIST SP 800-171 cybersecurity controls.
  • Maintain a cybersecurity plan.
  • Install and run antivirus and anti-malware software on its computers and IT systems.
  • Assess its cybersecurity and submit its score to DoD.

The Allegations

In an August 2024 civil complaint, DOJ alleged that GTRC and Georgia Tech violated the False Claims Act because, by signing DoD contracts that included the cybersecurity DFARS clause, they led DoD to believe that the Astrolavos Lab complied with the cybersecurity regulations. DoD relied on those representations when it paid GTRC for the Lab’s work. However, according to DOJ, the Astrolavos Lab was not meeting these requirements because it:

  • Failed to install antivirus software on lab computers, servers, and networks.
  • Did not create or maintain a cybersecurity plan for protecting sensitive defense information.
  • Submitted a false cybersecurity assessment score to DoD based on a fictitious “campus-wide” IT system that didn’t exist.
  • Ignored warnings from employees that its representations were misleading.

In its complaint against GTRC and Georgia Tech, DOJ said that the Astrolavos Lab did not want to “bother” with its cybersecurity obligations, even though, as explained in the DOJ complaint, the Lab focused its research on cybersecurity, including cyberattack attribution. Additionally, the Lab possessed, as the whistleblowers asserted and the DOJ complaint pled, a “s*#% ton of” Controlled Unclassified Information (CUI) and export-controlled information that by regulation requires certain cybersecurity controls.

The Whistleblowers

DOJ learned about the situation when two former Georgia Tech cybersecurity employees filed a False Claims Act suit as qui tam relators, accusing Georgia Tech and its related entities of making false statements to DoD about their cybersecurity controls. That is, they personally filed a False Claims Act suit against GTRC and Georgia Tech on behalf of the U.S. Government, as the False Claims Act permits. The False Claims Act also allows DOJ to join these types of lawsuits. In this case, DOJ joined the lawsuit and took up the fight.

According to the whistleblowers, as detailed in the complaint, Astrolavos Lab employees had advised leadership that the Lab was not complying with some of the required cybersecurity controls, yet the Lab did not remediate the lack of controls.

The Learning For Contractors

Cybersecurity isn’t just something your IT team should do. For government contractors it is bigger than that: it is a legal and contractual requirement that must be done, and done as the regulations require. Failing to implement cybersecurity when you are a government contractor can result in legal, financial and reputational damage, including False Claims Act investigations, monetary fines, and possible suspension and debarment from government contracting.

Finally, as the defense industrial base faces the compliance demands of DoD’s Cybersecurity Maturity Model Certification (CMMC) DFARS clause, you need to be sure your business:

  • Understands the cybersecurity requirements in its Federal Government contracts, CMMC and all other cybersecurity requirements alike.
  • Implements cybersecurity requirements based on the type of information your company possesses and the type of contracts you perform.
  • Has methods to ensure that, when making required certifications about your organization’s cybersecurity, you have current, accurate and complete documentation backing up the certification.
  • Appreciates that filing inaccurate certifications or inaccurate assessments, even if not intentional, can still be a False Claims Act violation.
  • Works to get everyone in the organization, from your board to your executive team and all staff, to understand that DoD and DOJ really do expect contractors to meet regulatorily mandated cybersecurity controls.
  • Knows that both DoD and DOJ are going to investigate and prosecute contractors who fail to implement required cybersecurity, because a lack of controls is not only a legal and contractual violation but also a national security risk.
  • Avoids derailing opportunities with DoD by failing to implement required cybersecurity controls.

QUOTE

Stacy Bostjanick, Chief of Defense Industrial Base Cybersecurity and Deputy Chief Information Officer for Cybersecurity in the DoD Office of the Chief Information Officer, used the Georgia Tech case to issue a warning:

Failure to follow required cybersecurity requirements puts all of us at risk. Those who knowingly provide deficient cybersecurity products or services, misrepresent their cybersecurity practices or protocols, or violate obligations to monitor and report cybersecurity incidents and breaches must be held accountable. Enforcement efforts like this should serve as a reminder to industry to prioritize DoD cybersecurity compliance.

[1] The Defense Salon will continue to call the agency headquartered in a pentagon-shaped building on the Potomac River the Department of Defense until the law that names it is changed to call it the Department of War. For the law to which we refer, see 10 USC 111 et seq, which Congress essentially enacted as the National Security Act of 1947.
