US Sues Georgia Tech Over Alleged Cybersecurity Failings As a Pentagon Contractor


Posted by BeauHD from the first-of-its-kind dept.

The Register’s Connor Jones reports: The U.S. is suing one of its leading research universities over a litany of alleged failures to meet cybersecurity standards set by the Department of Defense (DoD) for contract awardees. Georgia Institute of Technology (GIT), commonly referred to as Georgia Tech, and its contracting entity, Georgia Tech Research Corporation (GTRC), are being investigated following whistleblower reports from insiders Christopher Craig and Kyle Koza about alleged (PDF) failures to protect controlled unclassified information (CUI). The series of allegations date back to 2019 and continued for years after, although Koza was said to have identified the issues as early as 2018.

Among the allegations is the suggestion that between May 2019 and February 2020, Georgia Tech’s Astrolavos Lab — ironically a group that focuses on cybersecurity issues affecting national security — failed to develop and implement a cybersecurity plan that complied with DoD standards (NIST 800-171). When the plan was implemented in February 2020, the lawsuit alleges that it wasn’t properly scoped — not all the necessary endpoints were included — and that for years afterward, Georgia Tech failed to maintain that plan in line with regulations. Additionally, the Astrolavos Lab was accused of failing to implement anti-malware solutions across devices and the lab’s network. The lawsuit alleges that the university approved the lab’s refusal to deploy the anti-malware software “to satisfy the demands of the professor that headed the lab,” the DoJ said. This is claimed to have occurred between May 2019 and December 2021. Refusing to install anti-malware solutions at a contractor like this is not allowed. In fact, it violates federal requirements and Georgia Tech’s own policies, but allegedly happened anyway.

The university and the GTRC also, it is claimed, submitted a false cybersecurity assessment score in December 2020 — a requirement for all DoD contractors to demonstrate they’re meeting compliance standards. The two organizations are accused of issuing themselves a score of 98, which was later deemed to be fraudulent based on various factors. To summarize, the issue centers around the claim that the assessment was carried out on a “fictitious” environment, so on that basis the score wasn’t given to a system related to the DoD contract, the US alleges. The claims are being made under the False Claims Act (FCA), which is being utilized by the Civil Cyber-Fraud Initiative (CCFI), which was introduced in 2021 to punish entities that knowingly risk the safety of United States IT systems. It’s a first-of-its-kind case being pursued as part of the CCFI. All previous cases brought under the CCFI were settled before they reached the litigation stage.
