Georgia Tech Research Corporation (GTRC) has agreed to pay $875,000 to the United States government to settle allegations that it did not meet required cybersecurity standards while working on sensitive defense research projects.
The case focused on research contracts between Georgia Tech Research Corporation (GTRC) and agencies such as the Air Force and the Defense Advanced Research Projects Agency (DARPA). These contracts required strong protection of government information. However, investigators said that for several years GTRC failed to put proper security systems in place, leaving data at risk.
Assistant Attorney General Brett A. Shumate explained that when contractors do not follow required cybersecurity standards, they expose sensitive government information to cyber threats. U.S. Attorney Theodore S. Hertzberg for the Northern District of Georgia stressed that defense contractors must follow their obligations, and those who misrepresent their cybersecurity practices will be held accountable.
Allegations of False Cybersecurity Reports
The lawsuit stated that until late 2021, Georgia Tech’s Astrolavos Lab did not have adequate protections on its computers, laptops, servers, and networks. The lab was conducting sensitive cyber-defense research for the Department of Defense during this time. Basic requirements, such as having updated anti-virus or anti-malware software, were reportedly not in place.
⚖️ DOJ announces takedown of RapperBot botnet responsible for over 370,000 cyberattacks
It was also alleged that until at least February 2020, the lab lacked a system security plan. Such a plan is a required document that outlines how security rules are being followed. Without it, there was no official roadmap showing how GTRC was protecting defense information.
Inflated Cybersecurity Score at the Center of the Case
One of the most serious claims involved a false cybersecurity score submitted to the Department of Defense in December 2020. According to the allegations, GTRC and Georgia Tech reported a score of 98 out of 100, suggesting they had nearly full compliance with federal standards. The government later said this score was misleading. The reported number was based on a “virtual” or non-existent system and did not reflect the actual condition of Georgia Tech’s covered systems.
Stacy Bostjanick, Chief Defense Industrial Base Cybersecurity at the Department of Defense, noted that failure to follow these cybersecurity requirements puts everyone at risk. She emphasized that contractors who knowingly provide false information or fail to report breaches must be held responsible.
Investigators such as Jason Sargenski, Special Agent in Charge of the Defense Criminal Investigative Service, and Derrell Freeman of the Air Force Office of Special Investigations, also highlighted that cybersecurity lapses threaten national security and trust in defense partners.
Submitting an inflated score was important because it was a requirement for receiving and keeping defense contracts. By reporting a high score that was not real, GTRC allegedly misled the government into thinking its systems were safer than they truly were.
Whistleblowers and Government Action
The settlement came after a lawsuit was filed under the False Claims Act, which allows private individuals to bring forward cases on behalf of the government if they believe fraud has occurred. In this case, two former members of Georgia Tech’s cybersecurity team, Christopher Craig and Kyle Koza, raised the alarm. They filed the initial complaint, and later the U.S. government decided to join parts of the lawsuit.
As part of the settlement, Craig and Koza will receive $201,250 as their share of the recovery. This reward is allowed under the law to encourage people to report wrongdoing.
The government stressed that contractors who do not follow cybersecurity rules put sensitive defense information at risk. Officials also pointed out that false reports of compliance cannot be ignored, especially when national security is involved.
The lawsuit was officially titled United States ex rel. Craig v. Georgia Tech Research Corporation et al., No. 1:22-cv-02698 (N.D. Ga.). The settlement resolved the allegations without a determination of liability, meaning Georgia Tech Research Corporation (GTRC) did not admit wrongdoing but agreed to pay the amount to settle the case.
The investigation and settlement were the result of work by multiple agencies, including the Department of Justice’s Civil Division, the U.S. Attorney’s Office for the Northern District of Georgia, the Defense Criminal Investigative Service, the Air Force Office of Special Investigations, and DARPA. The matter was handled by Trial Attorney Joanna Persio and Assistant U.S. Attorneys Melanie D. Hendry and Adam D. Nugent.