Secured Research


US government pursues university over cyber security compliance

The US government on 22 August 2024 announced the filing of a complaint against the Georgia Institute of Technology (Georgia Tech) and the Georgia Tech Research Corporation. 

The complaint alleges serious failings in compliance with the cyber security requirements attached to the institutions’ research contracts with the US Department of Defense.

Georgia Tech has stated that it is “disappointed” by the filing and that it will “vigorously dispute it in court.” 

The US DoJ action emerged from a whistleblower suit filed by two members of Georgia Tech’s cyber security compliance team. The case is being pursued under the False Claims Act, which has been used in previous cases involving cyber security enforcement and research security at US universities, in line with the DoJ’s Civil Cyber Fraud Initiative.

Complaint alleges that researchers drove culture of deliberate non-compliance

The DoJ complaint alleges that from 2019 through 2021, Georgia Tech “essentially had ‘no enforcement’ of federal cybersecurity regulations in connection with DoD contracts”.

The complaint refers to researchers who were treated as “star quarterbacks” whose power enabled them to “push back against compliance with federal cybersecurity rules.” 

The complaint identifies a specific laboratory engaged in cyber security research at Georgia Tech and sets out a series of alleged compliance failings:

  • failing to develop and implement a NIST-compliant security plan, as mandated by DoD cyber security requirements including NIST SP 800-171;

  • when developing a plan, doing so using a deliberately narrow scope that did not reflect the reality of IT usage and access to sensitive information within the laboratory;

  • failing to operate anti-virus and anti-malware, allegedly at the behest of the head of the lab; 

  • submitting a “false and fraudulent” assessment of the lab’s cyber security compliance to the government. 

Assessment

We assess with a high degree of confidence that this case will be closely watched by research institutions working on government contracts in the US, the UK, and beyond. The attention that the case will attract raises the likelihood of further similar whistleblower claims. 

This case raises the prospect of contracting organisations demanding increasingly stringent application of NIST standards by research organisations. We note that NIST standards are used by governments and other contracting organisations in many countries beyond the US, so this development is likely to have wider ramifications.

The case also highlights the importance of organisational security culture. The goal of shifting from a security culture of compliance to one of concordance - in which personnel actively work towards a shared goal of security - is regularly advocated. However, for some organisations it may be challenging even to achieve a culture of compliance, given the differing values, interests, and incentives of different parts of the organisation. Building secure research environments will therefore require a combination of technical measures (including appropriate scoping of, and controls on, the networks used for high-risk research) and social transformation.

We will provide further updates on this case as it progresses. To register your interest in receiving these updates, or to discuss how Secured can help your organisation develop a more secure research environment, please contact us at hello@secured-research.com