DOJ’s Intervention in Georgia Tech Cybersecurity Case: A Landmark Move in Civil Cyber-Fraud Enforcement
Late last week, the U.S. Department of Justice (DOJ) made headlines by filing a complaint-in-intervention in a qui tam lawsuit against the Georgia Institute of Technology (Georgia Tech). This significant legal action alleges that the university failed to meet critical cybersecurity requirements while executing contracts with the U.S. Department of Defense (DOD). This intervention marks a pivotal moment in the DOJ’s ongoing Civil Cyber-Fraud Initiative, which aims to combat emerging cyber threats and ensure compliance with federal cybersecurity regulations.
The Civil Cyber-Fraud Initiative: A Background
Launched in 2021, the DOJ’s Civil Cyber-Fraud Initiative is a proactive effort to address the increasing risks associated with cyber threats. The initiative seeks to hold contractors accountable for failing to adhere to cybersecurity standards, particularly those related to government contracts. While the DOJ has previously settled cases with contractors over alleged cybersecurity deficiencies, this is the first instance of the agency intervening in a case involving a university, underscoring the seriousness of the allegations against Georgia Tech.
Understanding the Allegations
The 99-page complaint alleges that Georgia Tech did not implement the necessary cybersecurity controls as mandated by the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, which pertains to safeguarding covered defense information and cyber incident reporting. The university is accused of failing to provide "adequate security" on information systems that process, store, or transmit controlled unclassified information (CUI) under contracts with the U.S. Air Force and the Defense Advanced Research Projects Agency (DARPA).
Key Regulatory Requirements
Under DFARS -7012, contractors are required to implement "adequate security" measures on all covered contractor information systems. This includes adherence to the security controls outlined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which provides guidelines for processing CUI in non-federal information systems. Additionally, DFARS -7019 mandates that contractors maintain a current NIST SP 800-171 DoD Assessment, which must be published in the DOD’s Supplier Performance Risk System (SPRS) to be eligible for contract awards.
The Whistleblower Complaint
The allegations against Georgia Tech originated from a qui tam lawsuit filed by two employees of the university. Qui tam lawsuits allow whistleblowers to report fraudulent activities against the government, and they may receive a portion of any recovery resulting from the case. The DOJ’s decision to intervene indicates its belief in the validity of the claims made by the whistleblowers, sending a strong message about the importance of compliance with cybersecurity regulations.
Specific Allegations of Non-Compliance
The DOJ’s complaint outlines several specific failures on the part of Georgia Tech:
- Inadequate Security Measures: The university allegedly failed to develop, document, and periodically update system security plans and associated NIST SP 800-171 security controls. Additionally, it is accused of not installing, updating, and running necessary antivirus and incident detection software.
- Lack of Action Plans: The complaint asserts that Georgia Tech did not implement plans of action for security controls that were not yet in place, violating the requirement to have a clear strategy for addressing security deficiencies.
- Misleading Reporting: Perhaps most critically, the university is accused of submitting a misleading summary level score to the DOD, which inaccurately represented the cybersecurity posture of its information systems. Instead of providing a score relevant to the specific systems involved in DOD contracts, Georgia Tech allegedly submitted a campuswide score that did not correspond to any actual IT system.
The Implications of No Breach
Interestingly, the complaint does not allege that a cyber incident involving CUI occurred at Georgia Tech. The university has stated that there was no breach of information or data leakage. This raises an important question: if no breach occurred, why is this case significant?
The answer lies in the implications of the alleged false statements regarding cybersecurity compliance. Under the False Claims Act (FCA), any person who knowingly presents a false claim to the government can be held liable. The DOJ argues that Georgia Tech’s alleged misrepresentation of its cybersecurity compliance constitutes a violation of the FCA, as the university submitted invoices for government contracts while failing to disclose material violations of cybersecurity requirements.
The Broader Context: A Warning to Contractors
The DOJ’s intervention in the Georgia Tech case is not an isolated incident but part of a broader trend in government enforcement of cybersecurity compliance. The agency has been actively pursuing civil cyber-fraud cases, with several settlements reported in recent years. The timing of this intervention coincides with the DOD’s proposed rule to implement its Cybersecurity Maturity Model Certification (CMMC) program, which aims to enhance contractors’ compliance with federal cybersecurity controls.
This case serves as a stark reminder to universities, research institutions, and other government contractors that compliance with cybersecurity regulations is taken seriously. The government is prepared to use its enforcement tools to ensure that contractors uphold their obligations, particularly in an era where cyber threats are increasingly sophisticated and pervasive.
Conclusion
The DOJ’s complaint against Georgia Tech represents a significant moment in the enforcement of cybersecurity regulations within the realm of government contracting. As the landscape of cyber threats continues to evolve, the government is sending a clear message: compliance with cybersecurity requirements is not optional. For contractors, the stakes have never been higher, and the consequences of non-compliance could be severe. As this case unfolds, it will undoubtedly serve as a cautionary tale for institutions navigating the complex world of government contracts and cybersecurity obligations.