United States Files Suit Against Georgia Institute of Tech and Georgia Tech

  • This sounds weird. The obvious solution is to simply cancel contracts.

  • The United States’ complaint alleges that, from at least as early as 2019 and extending for multiple years, Georgia Tech essentially had “no enforcement” of federal cybersecurity regulations in connection with DoD contracts and fostered a “culture of somebody up the line is going to overturn me . . . [so] I might as well go ahead and ignore the policy” with respect to cybersecurity compliance. Georgia Tech, the suit alleges, routinely acquiesced to the demands of “star researchers”—who were treated like “star quarterbacks” because they secured large government contracts—when those researchers “pushed back” on cybersecurity compliance because the researchers found it troublesome.

    Specifically, the lawsuit alleges that from at least May 2019 until at least February 2020, the Astrolavos Lab at Georgia Tech failed to develop and implement a required system security plan that set out the cybersecurity controls that were put in place in the lab to comply with applicable DoD cybersecurity requirements. Nor, until August 2019 at the earliest, did Georgia Tech undertake to implement the required DoD cybersecurity controls at the lab, the suit alleges. Even when the Astrolavos Lab finally implemented a system security plan in February 2020, the lawsuit alleges that Georgia Tech failed to properly scope that plan to include all covered laptops, desktops, and servers, and then in the ensuing years failed to monitor and update that plan as required by applicable cybersecurity rules and regulations.

    Additionally, the lawsuit alleges that from at least as early as May 2019 until December 2021, the Astrolavos Lab failed to install, update, or operate anti-virus or anti-malware tools on desktops, laptops, servers, and networks at the lab. Georgia Tech allegedly approved the lab’s refusal to install antivirus software—in violation of both federal cybersecurity requirements and Georgia Tech’s own policies—to satisfy the demands of the professor who headed the lab. In connection with contracts that DoD entered into with GTRC on behalf of Georgia Tech, defendants were obligated to implement these and other cybersecurity controls at the Astrolavos Lab.

    The lawsuit further alleges that in December 2020, Georgia Tech and GTRC submitted a false and fraudulent cybersecurity assessment score to DoD for the Georgia Tech campus. DoD requires contractors to submit summary level scores reflecting the status of their compliance with applicable cybersecurity requirements on covered contracting systems that are used to store or access covered defense information. The submission of this score is a “condition of contract award” for most DoD contracts. The lawsuit alleges that the summary level score of 98 for the Georgia Tech campus that Georgia Tech and GTRC reported to DoD in December 2020 was false and fraudulent because: (1) Georgia Tech did not have, nor could it ever have, a campus-wide IT system; (2) the score was for a “fictitious” or “virtual” environment that was a “construct” since it was not “specifically associated to any active research at Georgia Tech” and was “not actually describing something that exists;” and (3) the score was not for any covered contracting system at Georgia Tech that could or would ever process, store, or transmit covered defense information.