DOJ joins suit against Georgia Tech over cybersecurity failures with Defense Department

The Justice Department said it joined a whistleblower lawsuit over claims that the Georgia Institute of Technology shirked its cybersecurity obligations in contracts with the U.S. Department of Defense.

The original lawsuit was filed by current and former members of Georgia Tech’s cybersecurity team and is now backed by the federal government as part of the the Justice Department’s Civil Cyber-Fraud Initiative. 

Announced in October 2021, the initiative is designed to punish government contractors who violate cybersecurity regulations. 

U.S. prosecutors tore into Georgia Tech’s allegedly flagrant disregard for federal cybersecurity rules that came as part of billions of dollars worth of Department of Defense and Air Force contracts. 

A Georgia Tech spokesperson told Recorded Future News that they are “extremely disappointed” in the Justice Department filing.

“Their complaint is entirely off base, and we will vigorously dispute it in court. This case has nothing to do with confidential information or protected government secrets,” a spokesperson said. 

“The government told Georgia Tech that it was conducting research that did not require cybersecurity restrictions, and the government itself publicized Georgia Tech’s groundbreaking research findings. In fact, in this case, there was no breach of information, and no data leaked.”

They added that while the lawsuit was “misguided” they hoped to continue their “collaborative relationship with the Department of Defense and other federal agencies.”

Dr. Antonakakis and Astrolavos Lab

The lawsuit is centered around Astrolavos Lab — a company under the umbrella of the school’s Georgia Tech Research Corp. which it uses to sign lucrative research contracts with the federal government. 

Ironically, Astrolavos Lab’s research is focused on cybersecurity. The company’s co-director, Manos Antonakakis, leads their work on cyberattack attribution and other research. 

According to the Justice Department, since 2016 Antonakakis was hired as a contractor with both the Air Force and the Defense Department’s Defense Advanced Research Projects Agency (DARPA). One project is focused on developing “enhanced attribution technology to permit the Air Force to identify parties behind cyberattacks” and the other — which the DOJ says is ongoing — is to “develop tools to automate the planning and deployment of threat emulated, attribution-aware cyber infrastructure.”

A major stipulation of each contract signed was that Antonakakis would be given classified information that could not be used on public computers. Georgia Tech itself admitted that it did not implement a system cybersecurity plan at the Astrolavos Lab until nearly four years after the first contract was signed. 

The lawsuit focuses primarily on Antonakakis’s refusal to install basic anti-virus software on the computers he used. 

The Justice Department quoted a 2019 email where Antonakakis said “Endpoint [antivirus] agent is a nonstarter.” Another witness said Antonakakis was the only opposition to antivirus software. Antonakakis, an associate professor at Georgia Tech, did not respond to requests for comment. 

The school also violated federal law by allegedly lying about a cybersecurity assessment score required by federal contracts, according to the suit. 

“Defendants, as large, sophisticated government contractors with billions of dollars in DoD contracts over the years, knew the federal cybersecurity requirements at issue here. Defendants knew what those regulations required and that they were not compliant with them,” U.S. prosecutors said. 

The Justice Department said it was filing the lawsuit on behalf of the Defense Department, Air Force and DARPA.

Darrin Jones, who serves as Special Agent in Charge within the Defense Department’s Office of Inspector General, said the actions taken by Georgia Tech “pose a significant threat not only to our national security, but also to the safety of the men and women of our armed services who risk their lives daily.” 

“As force multipliers, we place a substantial amount of trust in our contractors and expect them to meet the strict standards our service members deserve,” Jones said. 

Principal Deputy Assistant Attorney General Brian Boynton added government contractors that fail to fully implement required cybersecurity controls “jeopardize the confidentiality of sensitive government information,” noting that the larger Civil Cyber-Fraud Initiative is “designed to identify such contractors and to hold them accountable.”

The lawsuit notes that Georgia Tech suffered a data breach in 2019 that exposed the records of 1.3 million people. 

“Cybersecurity compliance by government contractors is critical in safeguarding U.S. information and systems against threats posed by malicious actors,” said U.S. Attorney Ryan Buchanan for the Northern District of Georgia. 

“For this reason, we expect contractors to abide by cybersecurity requirements in their contracts and grants, regardless of the size or type of the organization or the number of contracts involved.”