Georgia Tech Lawsuit: A Wake-Up Call for Research Universities

In the halls of Georgia Tech, where groundbreaking research and technological innovation are daily pursuits, a different kind of breakthrough is making waves. The U.S. Department of Justice has stepped into the ring, backing a whistleblower lawsuit that pits the renowned institution against its own cybersecurity practices.

At stake is not just Georgia Tech's reputation, but potentially the future of how research universities will gain federal contracts and tackle cybersecurity compliance.

The Allegations: A Pattern of Non-Compliance

The lawsuit, initially filed by two former senior members of Georgia Tech's cybersecurity compliance team, Christopher Craig and Kyle Koza, paints a troubling picture of systemic failures in meeting Department of Defense (DoD) cybersecurity requirements. Here are the key allegations:

1. Failure to Implement Security Plans: Since at least 2019, Georgia Tech allegedly failed to develop and implement a required system security plan for its Astrolavos Lab, which handles DoD contracts.
2. Inadequate Coverage: Even when a plan was implemented in 2020, it reportedly fell short of including all covered systems and was never updated as required.
3. Lack of Basic Security Measures: Between May 2019 and December 2021, the Astrolavos Lab allegedly operated without essential security applications on its systems and networks, violating both federal requirements and internal policies.
4. False Reporting: In December 2020, Georgia Tech and GTRC were accused of submitting a fraudulent cybersecurity assessment score of 98 to the DoD, misrepresenting their compliance status.
5. Prioritizing Research over Security: The complaint suggests that Georgia Tech routinely gave in to demands from "star researchers," prioritizing large government contracts over cybersecurity compliance.

The Bigger Picture: A Federal Crackdown on Cybersecurity

This lawsuit is part of a broader effort by the U.S. Department of Justice to ensure that government contractors and subcontractors are honest about their cybersecurity efforts. It reflects the growing prioritization of cybersecurity at the federal level, as evidenced by recent executive orders, publicized security strategies, and tightened security requirements like CMMC 2.0, which builds upon NIST SP 800-171.

One thing’s for certain: Even the most prestigious institutions are not immune to scrutiny and potential legal action. The government is getting serious about cyber, shown by the litany of memos and demands on tightened cybersecurity by the White House, Pentagon, and even congress. 

For research universities, the implications of non-compliance extend far beyond potential legal penalties. At stake are their reputation and credibility in the academic and research communities; the ability to even secure future government contracts and funding; and more pragmatically, the protection of valuable research data and intellectual property. 

The Georgia Tech case, not unlike the case made against Penn State University last year, is further proof of the federal government's commitment to enforcing cybersecurity standards in academia.

Lessons Learned: Compliance Requirements for Research Universities

As we learned with the Penn State debacle of similar proportions last year, the Georgia Tech case offers several crucial lessons for other research institutions:

1. Compliance is Non-Negotiable: Even prestigious institutions are not exempt from federal cybersecurity requirements — especially when those requirements are related to handling controlled unclassified information, or CUI data.
2. Comprehensive Coverage is Crucial: Security plans must cover all relevant systems and be regularly updated.
3. Balance Research and Security: While securing research contracts is important for a research university, it should never come at the expense of cybersecurity.
4. Accurate Reporting is Vital: Misrepresenting compliance status can lead to severe legal consequences.
5. Whistleblower Risk: Internal cybersecurity teams can become whistleblowers if they observe persistent non-compliance.

What’s Next for University Cyber Leaders

As the Georgia Tech case demonstrates, a robust, data-centric approach to cybersecurity is no longer optional for research universities. Solutions like Virtru email encryption and Virtru Secure Share offer highly secure ways for research universities to share information — encrypting data at the object level, governing data access, and ensuring compliance with federal standards.

By implementing strong data protection measures, universities can safeguard their research, maintain compliance, and continue to drive innovation without compromising security.

The message is clear: compliance is as crucial to a university's mission as its research output. It's time for all research institutions to take note and act accordingly. 

If you’re a cyber leader wanting to make quick, effective progress toward demonstrating data security in compliance with regulations like CMMC and ITAR, contact our team. We’d love to work with you to bolster data protection and strengthen compliance in your research programs.