Georgia Tech Reaches Settlement in Cybersecurity Lawsuit

Georgia Tech to Settle Lawsuit Over Cybersecurity Allegations for $875,000

Georgia Tech’s research division has agreed to pay $875,000 to the federal government to resolve a lawsuit alleging violations of cybersecurity regulations related to its contract work for the U.S. Department of Defense. This settlement, announced by the Justice Department, comes without any admission of liability from Georgia Tech.

In a statement, the institution emphasized its commitment to cybersecurity, asserting that it has consistently complied with relevant regulations. “From the outset, Georgia Tech denied the government’s allegations that mischaracterized our commitment to cybersecurity,” a spokesperson said. The university expressed relief at resolving the matter without further legal complications.

The legal dispute, which began in 2022, was fueled by claims from two whistleblowers, Christopher Craig and Kyle Koza, who alleged that their employer, the Georgia Tech Research Corporation, failed to adhere to established cybersecurity protocols. They characterized certain researchers as being akin to “star quarterbacks,” indicating that those involved in lucrative federal contracts were able to bypass security measures they deemed burdensome.

Amid these accusations, the federal government highlighted the critical importance of cybersecurity compliance in safeguarding sensitive U.S. information. The whistleblowers’ lawsuit was subsequently joined by the federal government, reinforcing the assertion that adherence to cybersecurity standards is essential.

Georgia Tech maintains that its cybersecurity practices are robust and that there have been no incidents of data leaks or breaches of sensitive information. “This case has nothing to do with confidential information or protected government secrets,” the institution stated. It pointed out that the Department of Defense had informed the university that the research it was conducting did not necessitate stringent cybersecurity measures.

In a release following the settlement, Brett A. Shumate, Assistant Attorney General of the Justice Department’s Civil Division, underscored the potential vulnerabilities that arise when contractors fail to follow cybersecurity laws. He reiterated the department’s commitment to prosecuting these violations and holding contractors accountable.

From the settlement funds, the government will allocate approximately $200,000 to the whistleblowers as a reward for their disclosures. This case serves as a reminder of the critical cybersecurity landscape facing research institutions and contractors working with the government.

In terms of the potential tactics and techniques related to this incident, the MITRE ATT&CK framework provides insight into possible adversary actions. Tactics such as Initial Access and Privilege Escalation could be relevant in contextualizing the cybersecurity landscape Georgia Tech navigated. As organizations increasingly rely on digital frameworks, the emphasis on comprehensive cybersecurity compliance remains a focal point for both institutional integrity and national security.

This development reflects the ongoing challenges within the realm of cybersecurity, emphasizing the need for a steadfast commitment to regulatory adherence among contractors handling sensitive governmental data.
