DOJ Files False Claims Act Suit Against University Based on Alleged Failure to Implement Adequate Cybersecurity Controls
On August 22, 2024, the Department of Justice (DOJ) filed a lengthy complaint against Georgia Tech alleging that the university had misrepresented its compliance with several important cybersecurity regulations that outline what contractors must do to protect government information residing on, passing through, or accessible by contractor systems. Ironically, the complaint focuses on allegedly lax cybersecurity standards at the Astrolavos Lab, a research lab at Georgia Tech that focuses on cybersecurity and cyberattack attribution and that performs multiple defense contracts, including contracts with the U.S. Air Force and with the Defense Advanced Research Projects Agency (DARPA). The case is United States ex rel. Craig v. Georgia Tech Research Corp., No. 22-cv-02698-JPB (N.D. Ga.).
In the complaint, DOJ alleges (among other counts) that Georgia Tech submitted false claims for payment to the government and made or used false statements and records that were material to claims for payment submitted to the government. These counts are based on the Astrolavos Lab’s alleged failure to “develop or implement a system security plan outlining how it would protect from unauthorized disclosure covered defense information in its possession,” and the lab’s alleged failure to “install, update, and run antivirus software on servers, desktops, and laptops in the lab which had access to nonpublic DoD information.” These security controls are among the 110 controls (the NIST SP 800-171 security requirements) that DoD contractors are required to implement by way of DFARS 252.204-7012; notably, a contractor represents that it complies with these requirements simply by submitting an offer in response to a DoD solicitation. DFARS 252.204-7008.
The complaint also alleges that Georgia Tech violated the FCA by failing to properly self-assess the Astrolavos Lab’s compliance with the required cybersecurity controls and instead providing DoD with a self-assessment score for a “fictitious” “campus-wide” IT system. The DFARS requires DoD contractors, at the time of contract award, to have on file in DoD’s Supplier Performance Risk System (SPRS) a recent summary-level self-assessment of the contractor’s compliance with the required controls. DFARS 252.204-7019.
DOJ’s activity in the Georgia Tech case marks a significant landmark for the department’s Civil Cyber-Fraud Initiative, which was formed in late 2021 to ferret out cybersecurity fraud in government contracting. Based on the (alleged) amounts that Georgia Tech has billed to the Air Force and DARPA on the Astrolavos Lab contracts, the university is facing tens of millions of dollars in damages and civil penalties.
As for takeaways for other contractors, the complaint hints that DOJ filed suit because it believes that Georgia Tech’s alleged noncompliance with cybersecurity regulations is “systemic.” For example, the complaint makes a point of quoting a Georgia Tech employee who stated that the university would “only comply with applicable rules such as the cybersecurity regulations at issue here ‘after an event has happened’ – such as ‘getting in trouble with the government.’”
This complaint also highlights the initiative’s focus on universities, which play a significant role in performing cutting-edge research projects for DoD and so are prime targets for cyberattacks. There is also a pending FCA suit against Penn State University based on alleged cybersecurity failures in the U.S. District Court for the Eastern District of Pennsylvania, United States ex rel. Decker v. Pennsylvania State University, No. 2:22-cv-03895 (E.D. Pa.), although the case has been stayed while DOJ considers whether it will intervene. In the Decker case, the qui tam whistleblower alleged that Penn State had knowingly failed to comply with numerous cybersecurity controls that DFARS 252.204-7012 requires of DoD contractors.