US files lawsuit against Georgia Tech over cybersecurity failures, lab head opposed the use of antivirus software

Skye Jacobs

The big picture: Georgia Tech is reportedly struggling to get its researchers to comply with stringent IT security requirements, a problem that has drawn the attention of the Department of Justice amid its crackdown on cybersecurity compliance among government contractors. That scrutiny extends to research and development funded by federal agencies. The DoJ's Civil Cyber-Fraud Initiative, launched in 2021, uses the False Claims Act to hold accountable contractors who misrepresent their cybersecurity practices or knowingly violate federal requirements. In a new lawsuit against the school, the DoJ alleges that Georgia Tech did exactly that.

Amid growing concerns over cybersecurity compliance in research settings, the US government has filed a lawsuit against the Georgia Institute of Technology, specifically targeting Dr. Emmanouil "Manos" Antonakakis and his cybersecurity lab. The lawsuit alleges multiple failures to adhere to mandatory security protocols for Department of Defense research projects, raising serious questions about the protection of sensitive government data managed by the institution.

The core allegations concern the lab's alleged non-compliance with NIST Special Publication 800-171, which sets out the security requirements a contractor's systems must meet when they handle controlled unclassified information (CUI).

One of the most significant failures cited in the lawsuit is that endpoint antivirus software was never installed on devices that accessed or stored CUI. Without even that baseline malware detection, the complaint says, the risk of unauthorized access and data breaches was heightened, and the lab had no way to notice a compromise after the fact.

The government's complaint portrays a troubling picture of negligence, accusing Georgia Tech and Antonakakis of knowingly submitting invoices for DoD projects despite being aware of their non-compliance with security requirements. This, according to the lawsuit, amounts to fraud, as the Department of Defense was provided with technology that was inadequately protected against unauthorized disclosure.

The complaint states: "At bottom, DoD paid for military technology that Defendants stored in an environment that was not secure from unauthorized disclosure, and Defendants failed to even monitor for breaches so that they and DoD could be alerted if information was compromised. What DoD received for its funds was of diminished or no value, not the benefit of its bargain."

Antonakakis, a key figure in the lawsuit, reportedly resisted the installation of antivirus software, calling it a "nonstarter." Despite repeated requests from Georgia Tech administrators, he opposed this basic security measure, opting instead to rely solely on the school's firewall.

Further complicating matters, Georgia Tech submitted a self-assessment score of 98 out of a possible 110 for its security controls (the DoD assessment methodology starts at 110, one point per SP 800-171 requirement, and deducts points for each requirement that is not met). That score, however, described a hypothetical environment rather than any system actually in use. Because the campus had no unified IT environment, each setup that handled CUI should have been assessed separately; a single blended score hid the differing levels of compliance across departments and labs and created a false sense of security.

The lawsuit also highlights a broader cultural issue at Georgia Tech, where cybersecurity compliance was viewed as burdensome. Researchers, who were instrumental in securing substantial government contracts, wielded significant influence on campus. Their demands to bypass compliance were often met, as the financial benefits of these contracts were considerable.

The case came to light through a whistleblower suit, filed under the False Claims Act by members of Georgia Tech's IT staff, who exposed the institution's failure to meet its cybersecurity obligations. According to that suit, there was a systemic lack of enforcement of cybersecurity rules, driven by the institution's willingness to accommodate researchers who found them onerous.

By pursuing legal action against Georgia Tech, the government aims to send a clear message to other academic institutions: compliance with security obligations is non-negotiable when federal funding is involved.

Image credit: Wizzito

 
I mean, sure, "took the money to do a research study while not actually doing that study because you didn't establish the same baseline" is a no-brainer. DoD is right to be angry.

That said I'm pretty sure the adversaries who are going after top military secrets aren't being thwarted by McAfee, so I really hope endpoint anti-virus is a lot less of the "fundamental" part of their defense strategy than this is making it out to be.
 
As I see it, the answer is simple: Notify the employees during the interview process that compliance is required with ALL IT security policies and that if they don't comply with those security requirements at any time during their employment, there will be consequences that may include termination of employment. If their workers will not comply with the security requirements of the school and/or the lab after they start work, notify them once and warn them that if it happens again, they will be terminated. If they do not comply again, terminate them.

If any company lets people crap all over their policies, that's on the company to do something about it even if it means baring their teeth and taking a bite of the employee.
 
The concerns here are much deeper than whether AV is used on endpoints or not. First, DoD is not very cutting edge; their idea of security is just the common strategy of low-end security professionals, which causes operational inefficiencies and vulnerabilities in all environments without exception, and it is a cruel lockdown of the systems which top security professionals know is very unnecessary and problematic, to say the least.

Second, endpoint third-party AV tools are a vulnerability in themselves, hence the low-end security professionals thwarting themselves by forcing it on teams.

Third, there was no mention in this article of the specific damage caused by the lack of endpoint AV. Is this the DoD just throwing a fit because Georgia Tech is obviously smarter than them, being able to secure their environment without the need for excessive controls and making DoD IT look stupid?

Fourth, a lawsuit, really? What a knife in the back to your production partner. What did this cost the US? Taxpayer/printed/borrowed money they did not earn? I am going to stop right here.
 
There's a lot to unpack here. DoD is not a monolith. Nuclear command and control systems under DoD purview have much different requirements from university researchers.

Endpoint protection is something every major organization on earth is using. Some are better than others, but comparing systems with endpoint vs. without will always show having endpoint protection is better than not.

Amount of damages are irrelevant to the federal government. Breach of contract and fraud may be criminal in nature, not just civil penalties. There is no remedy for leakage of information anyways, only possible punishment for the perpetrators.

First time? US Gov sues contractors on a literal daily basis Monday through Friday excluding government holidays. It's not about recovering anything, it's about sending a message that you shouldn't defraud the government because you will get screwed over if you try.
 
I think you make very valid points here.
1. I still don't like a service requestor dictating a provider's environment rules. If a requestor is going to supply the environment and all resources, then fine; otherwise judge the final product and stay out of the HOW. Government often has other motives and is a very dangerous partner; any organization needs to keep them at a distance for their own viability and safety.

2. It is possible, using advanced security techniques, to secure endpoints without AV. This is just not done with common security practices and requires highly intelligent IT professionals. In most cases AV is used, that is correct; it is built into the Windows OS and does not need a third party.

3. Damages from lawsuits are less about money than about time, and if the agreement had been set up properly from the beginning there would be no need to litigate. Probate is severely annoying. There should be no need for it. You should not have to punish your providers for anything except a lacking final product; just have them keep revising it until it works properly, or don't pay the full amount for it.

4. If the government does not like the work of a provider, just limit contracting with them or report their misconduct to other offices or partners like the rest of us do. You need to understand that intelligent people create state-of-the-art weapons, transports, architecture, energy systems, etc. They don't usually work for the government and need to be free to create; otherwise our defense advantage will go stale. Government gets free money, equipment, everything; the purpose is to protect the people, not to go after them with lawsuits, raids, etc.
 
Something funny happened at work yesterday before I saw this article. A professor at our university called the help desk. He wanted to get Sophos removed from his MacBook because it was interfering with him providing videos to his students. After being told no and that he would need to submit a ticket to get whatever he was doing approved, the professor started ranting about how much easier it was to get anti-virus removed from his computer and get videos to his students... at Georgia Tech!