Top US university sued by government because classified data is not secure
The US government is suing the Georgia Institute of Technology (GIT) for allegedly failing to comply with cybersecurity standards set by the US Department of Defense (DoD) for contractors and lying about them.
According to the U.S. Civil Cyber-Fraud Initiative (CCFI), a government agency charged with tracking organizations that fail to adhere to cybersecurity standards, the non-compliance has been going on for several years and likely began sometime in 2018 or 2019.
Interestingly, the case was brought forward by two whistleblowers: Christopher Craig and Kyle Koza. Craig is reportedly still the associate director of cybersecurity at Georgia Tech, while Koza is a graduate and former principal infosec engineer at GIT.
Whistleblowers
The CCFI is now suing the institute and the laboratory under the False Claims Act (FCA), in what is believed to be the first case of its kind.
The CCFI says GIT’s Astrolavos Lab, which focuses on cybersecurity issues affecting national security, failed to develop or implement a DoD-compliant cybersecurity plan in a timely manner. It wasn’t introduced until 2020, and even then it was poorly executed, as not all endpoints were included. Additionally, the institute and the lab failed to install antivirus solutions on all of their endpoints, and when it came time to submit an assessment score in December 2020, both organizations gave themselves a score of 98.
“Deficiencies in cybersecurity controls pose a serious threat not only to our national security, but also to the safety of the men and women of our armed forces who risk their lives every day,” said Darrin K. Jones, Special Agent-in-Charge of the Department of Defense Office of Inspector General, Defense Criminal Investigative Service (DCIS), Southeast Field Office.
“As force multipliers, we place great trust in our contractors and expect them to meet the exacting standards our military deserves.”
“Government contractors that fail to follow and fully implement required cybersecurity controls jeopardize the security of sensitive government information and information systems and create unnecessary risks to national security,” said Bryan Boynton, assistant attorney general for the Civil Division. “We will continue to address cybersecurity-related violations under the Department’s Civil Cyber-Fraud Initiative.”
Via The register