The Justice Department has joined a whistleblower lawsuit accusing the Georgia Institute of Technology of failing to meet its cybersecurity responsibilities in contracts with the US Department of Defense.
The original lawsuit, filed by current and former members of Georgia Tech’s cybersecurity team, centers on Astrolavos Lab, a company under Georgia Tech’s Research Corp. that signs research contracts with the federal government, including those focused on cybersecurity.
Despite contract requirements for classified information protection, Georgia Tech admitted it didn’t implement a cybersecurity plan at Astrolavos Lab until nearly 4 years after signing the first contract. The suit also highlights a refusal to install basic antivirus software, citing a 2019 email where the company’s co-director, Manos Antonakakis dismissed the use of antivirus on the computers he used as a “nonstarter.”
“Specifically, the lawsuit alleges that until at least February 2020, the Astrolavos Lab at Georgia Tech failed to develop and implement a system security plan, which is required by DoD cybersecurity regulations, that set out the cybersecurity controls that Georgia Tech was required to put in place in the lab,” the DOJ explained in the announcement.
“Even when the Astrolavos Lab finally implemented a system security plan in February 2020, the lawsuit alleges that Georgia Tech failed to properly scope that plan to include all covered laptops, desktops, and servers,” the DOJ added in a statement.
“Their complaint is entirely off base, and we will vigorously dispute it in court. This case has nothing to do with confidential information or protected government secrets,” a Georgia Tech spokesperson said in response to the DOJ’s move, adding they’re “extremely disappointed” in the Justice Department’s decision.
“The government told Georgia Tech that it was conducting research that did not require cybersecurity restrictions, and the government itself publicized Georgia Tech’s groundbreaking research findings. In fact, in this case, there was no breach of information, and no data leaked,” the statement from the spokesperson continued.