Lawsuit: Georgia Tech Didn’t Enforce Cybersecurity Rules

(TNS) — The federal government is alleging Georgia Tech and its research arm didn’t follow enforcement of cybersecurity rules for U.S. Department of Defense contracts.

The U.S. Attorney’s Office for the Northern District of Georgia filed a 99-page “complaint-in-intervention” Thursday in U.S. District Court in Atlanta. The filing lays out the reasons the federal government joined a whistleblower lawsuit filed in 2022 by one former employee and one current employee of Georgia Tech’s cybersecurity team.

The complaint alleges Georgia Tech, through its Georgia Tech Research Corp., entered numerous contracts over the years and that, according to a former employee, “there was, for years, ‘no enforcement’ of cybersecurity regulations.”

The filing alleges that the issue stemmed from Georgia Tech’s desire to accommodate researchers who found the cybersecurity rules to be “burdensome” and that school administrators gave into researcher demands because of the money generated from government contracts.

“Put simply, according to these former employees, the researchers who brought in significant government contracting money were considered the equivalent of ‘star quarterbacks’ and thus could use their ‘power on campus’ to push back against compliance with federal cybersecurity rules,” the complaint states.

Georgia Tech said it is “extremely disappointed by the Department of Justice’s filing, which misrepresents Georgia Tech’s culture of innovation and integrity.”

“Their complaint is entirely off base, and we will vigorously dispute it in court,” the Atlanta school said, in a Thursday statement.

Georgia Tech also said: “This case has nothing to do with confidential information or protected government secrets. The government told Georgia Tech that it was conducting research that did not require cybersecurity restrictions, and the government itself publicized Georgia Tech’s groundbreaking research findings. In fact, in this case, there was no breach of information, and no data leaked.”

The case was initially brought more than two years ago by Christopher Craig, identified in Thursday’s court filing as an enterprise security architect who has worked at Georgia Tech since 2003. The other whistleblower plaintiff, Kyle Koza, worked at Georgia Tech from 2011 to 2022, the complaint states.

The complaint asks for civil penalties, damages and other costs.

“Cybersecurity compliance by government contractors is critical in safeguarding U.S. information and systems against threats posed by malicious actors,” said U.S. Attorney Ryan K. Buchanan, in a written statement. “For this reason, we expect contractors to abide by cybersecurity requirements in their contracts and grants, regardless of the size or type of the organization or the number of contracts involved.”

© 2024 The Atlanta Journal-Constitution. Distributed by Tribune Content Agency, LLC.