The Georgia Institute of Technology will pay the U.S. government $875,000 to settle allegations that the school’s research company violated cybersecurity requirements in its contracts with the Air Force and Defense Department.

Last August, the Justice Department joined a whistleblower lawsuit filed by current and former members of Georgia Tech’s cybersecurity team, with U.S. prosecutors accusing the institution of flagrant disregard for federal cybersecurity rules as it worked contracts for the Defense Advanced Research Projects Agency (DARPA) and Air Force.

Christopher Craig and Kyle Koza, former members of Georgia Tech’s Cybersecurity Team who filed the initial lawsuit, will get $201,250 as their share of the settlement.

A spokesperson for Georgia Tech told Recorded Future News that from the outset, they have “denied the government’s allegations that mischaracterized our commitment to cybersecurity.”

“We worked hard to educate the government about the strong compliance efforts of our researchers and are pleased to avoid the distraction of litigation by resolving this matter without any admission of liability,” the spokesperson said.

“Georgia Tech looks forward to continued collaboration with the Department of Defense and other federal partners in conducting ground-breaking research in a secure manner.”

The lawsuit was centered around Astrolavos Lab — a company under the umbrella of the school’s Georgia Tech Research Corporation (GTRC) which it uses to sign research contracts with the federal government.

The lawsuit accused the GTRC of failing to install, update or run anti-virus and anti-malware tools on devices used by Astrolavos Lab — which had won multiple contracts to conduct sensitive cyberdefense research for the Defense Department.

The company’s co-director, Manos Antonakakis, leads their work on cyberattack attribution and other research. Antonakakis did not respond to requests for comment.

Antonakakis was hired as a contractor with both the Air Force and DARPA in 2016. A major stipulation of each contract signed was that Antonakakis would be given classified information that could not be used on public computers.

Georgia Tech itself admitted that it did not implement a system cybersecurity plan at the Astrolavos Lab until nearly four years after the first contract was signed.

The Justice Department quoted a 2019 email where Antonakakis said “Endpoint [antivirus] agent is a nonstarter.” Another witness said Antonakakis was the only opposition to antivirus software.

U.S. Attorney Theodore Hertzberg said defense contractors’ adherence to cyber regulations is “essential to safeguarding sensitive government information from malicious actors.”

“Contractors who fail to implement required cybersecurity controls, provide false information to the government, and otherwise fail to fulfill their cybersecurity obligations will be held accountable,” he said.

The lawsuit noted that Georgia Tech suffered a data breach in 2019 that exposed the records of 1.3 million people.

The original lawsuit was filed under the False Claims Act as part of the Justice Department’s Civil Cyber-Fraud Initiative. Announced in October 2021, the initiative is designed to punish government contractors who violate cybersecurity regulations.

“Failure to follow required cybersecurity requirements puts all of us at risk,” said senior Defense Department official Stacy Bostjanick.

“Those who knowingly provide deficient cybersecurity products or services, misrepresent their cybersecurity practices or protocols, or violate obligations to monitor and report cybersecurity incidents and breaches must be held accountable. Enforcement efforts like this should serve as a reminder to industry to prioritize DoD cybersecurity compliance.”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.