Top US university sued by the government for failing to keep classified data secure

The US government is suing the Georgia Institute of Technology (GIT) for allegedly not complying with cybersecurity standards that the US Department of Defense (DoD) sets for contract awardees - and then lying about it.

The US Civil Cyber-Fraud Initiative (CCFI), a government organization tasked with hunting down organizations that don’t comply with cybersecurity standards, says the failure to comply lasted several years, and most likely started around 2018 or 2019.

Interestingly, the case was brought forward by two whistleblowers - Christopher Craig and Kyle Koza. Craig is allegedly still the associate director of cybersecurity at Georgia Tech, while Koza is a grad and former principal infosec engineer at GIT.

Whistleblowers

Now, the CCFI is suing the institute and the lab under the False Claims Act (FCA) in what is thought to be the first case of its kind.

The CCFI says GIT's Astrolavos Lab, which works on cybersecurity issues affecting national security, did not develop, or implement, a cybersecurity plan compliant with DoD standards, on time. It was only introduced in 2020, and even then it was poorly executed, since not all endpoints were included. Furthermore, the institute, and the lab, failed to install antivirus solutions on all its endpoints, and when it was time to submit an assessment score in December 2020 - both organizations gave themselves a score of 98.

"Deficiencies in cybersecurity controls pose a significant threat not only to our national security, but also to the safety of the men and women of our armed services that risk their lives daily," said special agent-in-charge Darrin K Jones, Department of Defense Office of Inspector General, Defense Criminal Investigative Service (DCIS), Southeast Field Office.

"As force multipliers, we place a substantial amount of trust in our contractors and expect them to meet the strict standards our service members deserve."

"Government contractors that fail to follow and fully implement required cybersecurity controls jeopardize the security of sensitive government information and information systems and create unnecessary risks to national security," said principal deputy assistant attorney general Bryan Boynton of the Civil Division. "We will continue to pursue knowing cybersecurity-related violations under the Department's Civil Cyber-Fraud Initiative."

Via The Register

More from TechRadar Pro

• Despite hack and senate complaints, Pentagon says it will continue Microsoft usage
• Here's a list of the best firewall software around today
• These are the best endpoint security tools right now