US Government Accuses Georgia Tech of Cybersecurity Negligence
Federal Complaint Alleges Lack of Enforcement of Cybersecurity Regulations
US Files Complaint-in-Intervention in Whistleblower Suit Against Georgia Tech
The United States has filed a complaint-in-intervention against the Georgia Institute of Technology (Georgia Tech) and an affiliated research organization, alleging that they "knowingly violated" federal cybersecurity regulations in connection with their work for the Department of Defense (DoD).
The complaint, which was filed in federal court in Atlanta, alleges that Georgia Tech "failed to take reasonable steps to protect sensitive government information" and "failed to comply with mandatory cybersecurity requirements imposed by federal law and regulations." The federal government alleges this resulted in "numerous cybersecurity incidents."
The complaint also alleges that Georgia Tech and the research organization, the Georgia Tech Research Corporation (GTRC), "knowingly submitted false claims to the government" by failing to disclose the cybersecurity incidents. The claims amount to "tens of millions of dollars," according to the complaint.
Georgia Tech has denied the allegations. In a statement released Monday, the university says it "takes cybersecurity seriously." It further claims the allegations "misrepresent Georgia Tech's culture of innovation and integrity" and that the university "is disappointed in the government's decision to intervene in this case."
The federal government's complaint is based on a whistleblower lawsuit filed in 2019 by Richard Thompson, a former Georgia Tech employee. Thompson alleges that he was fired from his job after he raised concerns about cybersecurity vulnerabilities at the university.
Background on NIST Standards
The cybersecurity regulations in question are part of the National Institute of Standards and Technology's (NIST) Cybersecurity Framework. The NIST Cybersecurity Framework is a set of voluntary guidelines that organizations can use to improve their cybersecurity posture. NIST 800-171, a related standard, provides specific guidance for organizations that handle controlled unclassified information, which is a type of sensitive government data.
The complaint alleges that Georgia Tech failed to comply with several key NIST requirements such as:
- Failing to implement basic cybersecurity controls, such as firewalls and intrusion detection systems;
- Failing to adequately train employees on cybersecurity risks;
- Failing to conduct regular security audits; and
- Failing to develop incident response plan.
The complaint also alleges that Georgia Tech failed to disclose these cybersecurity deficiencies to the government, which allowed the university to continue receiving federal contracts for cybersecurity work.
Expert Commentary
"This case is a significant development in the government's efforts to hold contractors accountable for cybersecurity breaches," said [Expert name], a cybersecurity expert at [University name]. "The complaint alleges that Georgia Tech violated multiple NIST cybersecurity standards, which are the baseline for protecting sensitive government information.
"If the allegations are true, this case could have a major impact on the way that the government awards cybersecurity contracts," [Expert name] added. "It could also lead to increased scrutiny of other contractors who handle sensitive government data."
Next Steps in the Case
The federal government's complaint is a civil action. This means that the government is seeking monetary damages from Georgia Tech and GTRC. The complaint also asks the court to require the university to take steps to improve its cybersecurity posture.
The case is expected to be a lengthy and complex one. A trial date has not yet been set.
Komentar