The U.S. government’s recent complaint in a relator-filed case under the False Claims Act (FCA):
- Marks the first FCA suit in which the Department of Justice (DOJ) has intervened since launching its ongoing Civil Cyber-Fraud Initiative.
- Indicates that the U.S. government intends to litigate cybersecurity fraud claims.
- Demonstrates that contractors must carefully comply with all regulatory standards incorporated in their contracts in the presence of confidential government information.
The Contracts
On February 19, 2024, the DOJ intervened in a qui tam action filed against the Georgia Institute of Technology (Georgia Tech) and its contracting arm Georgia Tech Research Corporation (GTRC). The DOJ filed its complaint in intervention on August 22, 2024.
According to the allegations in the government’s complaint, through GTRC, Georgia Tech entered into contracts with the Department of Defense (DoD) for numerous research projects, including projects for cybersecurity research conducted through Georgia Tech’s Astrolavos Lab. The DOJ focused on two specific DoD contracts with the lab: the “EA” contract, an Air Force research project designed to develop attribution technology capable of identifying perpetrators of cyberattacks through tensor decomposition, and the “Smoke” contract, a Defense Advanced Research Projects Agency (DARPA) project researching automation of the planning and deployment of attribution-aware cybersecurity infrastructure. The principal researcher for both contracts was the head of the Astrolavos Lab, Dr. Emmanouil Antonakakis.
The government’s complaint alleges that Dr. Antonakakis, his lab’s staff and Georgia Tech personnel were all aware that Georgia Tech hosted extensive amounts of DoD “controlled unclassified information” (CUI) as a result of its participation in these and other DoD contracts, which required Georgia Tech to follow numerous regulatory cybersecurity requirements intended to prevent improper access to that CUI.
FCA Claims
The DOJ alleges that Georgia Tech failed to implement three cybersecurity measures required by regulations in its performance of the EA and Smoke contracts:
- Regulations require DoD contractors to maintain and periodically update a system security plan describing system boundaries, system environments of operation, connections with other systems and how security requirements are implemented across the system. The DOJ alleges that the Astrolavos Lab maintained no system security plan for four years of the EA contract, implementing its first plan in 2020. Even after that date, the DOJ alleges, the lab’s plan did not include most desktop and laptop devices in the lab, which the DOJ claims still rendered the plan noncompliant with regulatory requirements.
- Regulations require DoD contractors to install and update antivirus and incident detection software across their systems. The DOJ alleges that, for several years, Dr. Antonakakis actively resisted other staff’s requests to install endpoint antivirus software on devices in the Astrolavos Lab, and that Georgia Tech officials acquiesced to his demands. The government claims that the university attempted instead to engage in “mitigating measures,” such as a firewall system, which did not provide similar levels of security. According to the complaint, Dr. Antonakakis only permitted the university to install endpoint antivirus software on lab devices when a Georgia Tech official suspended payments under the EA contract out of concern for potential FCA implications of the lab’s failure to comply with antivirus requirements.
- Regulations require DoD contractors, as a condition of contracting with the government, to submit an accurate “summary level score” at the time of contracting that reports the contractors’ compliance with 110 specific regulatory controls. The DOJ alleges that Georgia Tech elected not to calculate any such score for the Astrolavos Lab in connection with either of the contracts involved in the case. Instead, the DOJ claims that Georgia Tech cybersecurity officers submitted an “enterprise level” score that purported to describe universitywide compliance measures. The government alleges that Georgia Tech in fact did not maintain any universitywide systems that this analysis could describe, and that this score was actually based on a “fictitious environment” in which standard practices across the university’s many different cybersecurity environments and systems were averaged into an abstract analysis. The government claims that this score did not accurately describe any university system, including the systems at the Astrolavos Lab.
The government argues that these alleged omissions and misstatements rendered Georgia Tech’s invoices to the government for its research under the EA and Smoke contracts materially false. The DOJ seeks damages and penalties for as much as $21 million in DoD payments to Georgia Tech and GTRC across 43 invoices under the EA contract, and $9 million in payments across 14 invoices under the Smoke contract.
Implications
Since October 2021, the DOJ’s Civil Cyber-Fraud Initiative has resulted in several settlements of civil cases premised on FCA claims regarding cybersecurity standards.1 These cases consistently demonstrate the government’s commitment to apply the FCA’s punitive remedies to ensure compliance with cybersecurity requirements.
This is the first such case in which the DOJ has intervened in a private relator’s suit. The government’s decision here signals that it is prepared to litigate such cases where it deems appropriate. A contractor under governmental scrutiny for its cybersecurity practices should not assume that the government will seek to avoid litigation in cybersecurity inquiries.
Even for contractors not subject to an ongoing investigation, this case suggests that companies must pay careful attention to all cybersecurity requirements incorporated in their federally funded contracts and associated bids. Regardless of the degree to which a regulatory requirement appears administrative or practically difficult to achieve, the government may insist on its implementation to protect sensitive government information.
_______________
1 For example, see our July 2, 2024, alert “Contractors Settle Cyber Fraud Claims Alleging Ignored Security Measures” and our October 30, 2023, alert “Cyber Fraud Alleged by Former CIO for Purported Noncompliance With DoD Cyber Requirements.”
This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.