The Department of Justice announced that a government defense contractor, Georgia Tech Research Corporation (GTRC), agreed to pay the United States $875,000 to resolve allegations that it failed to meet cybersecurity requirements under its research contracts. GTRC allegedly violated the False Claims Act (FCA) for research performed at the affiliated Georgia Institute of Technology (Georgia Tech). GTRC contracts include the U.S. Department of Defense (DoD), Air Force, and Defense Advanced Research Projects Agency (DARPA).
The settlement stems from a lawsuit filed by Christopher Craig and Kyle Koza, former members of Georgia Tech’s Cybersecurity Team, under the qui tam or whistleblower provisions of the FCA. The qui tam provision permits private persons to bring a lawsuit on behalf of the government and to share in any recovery. It also allows the government to intervene and take over the lawsuit, as it did in this case. The settlement in this case provides for Craig and Koza to receive $201,250 as their share of the recovery.
“Failure to follow required cybersecurity requirements puts all of us at risk,” said Stacy Bostjanick, Chief Defense Industrial Base Cybersecurity, Deputy Chief Information Officer for Cybersecurity, Office of the Chief Information Officer. “Those who knowingly provide deficient cybersecurity products or services, misrepresent their cybersecurity practices or protocols, or violate obligations to monitor and report cybersecurity incidents and breaches must be held accountable. Enforcement efforts like this should serve as a reminder to industry to prioritize DoD cybersecurity compliance.”
The settlement resolves allegations that GTRC and Georgia Tech failed to maintain anti-virus or anti-malware tools on computer equipment at Georgia Tech’s Astrolavos Lab while it conducted sensitive cyber-defense research for DoD. The United States also alleged that, despite the requirements in GTRC’s contracts, there was no system security plan in place for the Astrolavos Lab to specify the cybersecurity controls. The final allegation resolved was that GTRC and Georgia Tech submitted a supposedly campus-wide false summary-level cybersecurity assessment score to DoD.
“When contractors fail to follow the required cybersecurity standards in their DoD contracts, they leave sensitive government information vulnerable to malicious actors and cyber threats,” said Assistant Attorney General Brett A. Shumate of the Justice Department’s Civil Division. “Together with DoD and other agency partners, the Department of Justice will continue to pursue and litigate violations of cybersecurity requirements to hold contractors accountable when they violate their cybersecurity commitments.”
The claims resolved by the settlement are allegations only, and no liability has been determined.