The big picture: Georgia Tech is reportedly struggling to get its researchers to comply with stringent IT security requirements, a problem that has drawn the attention of the Department of Justice amid its crackdown on cybersecurity compliance among government contractors. Unfortunately, this scrutiny extends to research and development activities funded by federal agencies. The DoJ's Civil Cyber-Fraud Initiative, launched in 2021, aims to hold accountable those who misrepresent their cybersecurity practices or knowingly violate federal requirements. In a new lawsuit against the school, the DoJ alleges that Georgia Tech has engaged in such violations.
Amid growing concerns over cybersecurity compliance in research settings, the US government has filed a lawsuit against the Georgia Institute of Technology, specifically targeting Dr. Emmanouil "Manos" Antonakakis and his cybersecurity lab. The lawsuit alleges multiple failures to adhere to mandatory security protocols for Department of Defense research projects, raising serious questions about the protection of sensitive government data managed by the institution.
The core allegations focus on the lab's alleged non-compliance with the National Institute of Standards and Technology Special Publication 800-171, which outlines critical security protocols for handling controlled unclassified information.
One of the most significant oversights cited in the lawsuit is the failure to install endpoint antivirus software on devices that accessed or stored this sensitive information. The absence of such fundamental cybersecurity measures reportedly heightened the risk of unauthorized access and potential data breaches.
The government's complaint portrays a troubling picture of negligence, accusing Georgia Tech and Antonakakis of knowingly submitting invoices for DoD projects despite being aware of their non-compliance with security requirements. This, according to the lawsuit, amounts to fraud, as the Department of Defense was provided with technology that was inadequately protected against unauthorized disclosure.
The complaint states: "At bottom, DoD paid for military technology that Defendants stored in an environment that was not secure from unauthorized disclosure, and Defendants failed to even monitor for breaches so that they and DoD could be alerted if information was compromised. What DoD received for its funds was of diminished or no value, not the benefit of its bargain."
Antonakakis, a key figure in the lawsuit, reportedly resisted the installation of antivirus software, calling it a "nonstarter." Despite repeated requests from Georgia Tech administrators, he opposed this basic security measure, opting instead to rely solely on the school's firewall.
Further complicating matters, Georgia Tech submitted a self-assessment score of 98 out of 110 for its security controls. However, this score was based on a theoretical model rather than an accurate reflection of its actual security compliance. Due to the lack of a unified campus-wide IT system, security assessments should have been conducted separately for different setups. The misleading overall score failed to account for varying levels of compliance across departments and labs, creating a false sense of security.
The lawsuit also highlights a broader cultural issue at Georgia Tech, where cybersecurity compliance was viewed as burdensome. Researchers, who were instrumental in securing substantial government contracts, wielded significant influence on campus. Their demands to bypass compliance were often met, as the financial benefits of these contracts were considerable.
The case came to light through whistleblowers within Georgia Tech's IT staff, who exposed the institution's failure to meet its cybersecurity obligations. According to the whistleblower lawsuit, there was a systemic lack of enforcement of cybersecurity regulations, driven by the institution's willingness to accommodate researchers who found these rules onerous.
By pursuing legal action against Georgia Tech, the government aims to send a clear message to other academic institutions: compliance with security obligations is non-negotiable when federal funding is involved.