After cybersecurity lab wouldn’t use AV software, US accuses Georgia Tech of fraud


Dr. Emmanouil “Manos” Antonakakis runs a Georgia Tech cybersecurity lab and has attracted millions of dollars in the past few years from the US government for Department of Defense research projects like “Rhamnousia: Attributing Cyber Actors Through Tensor Decomposition and Novel Data Acquisition.”

The federal government yesterday sued Georgia Tech in federal court, singling out Antonakakis and claiming that neither he nor Georgia Tech followed basic (and required) security protocols for years, knew they weren’t in compliance with such protocols, and then submitted invoices for their DoD projects anyway. (Read the complaint.) The federal government claims this is fraud:

At bottom, DoD paid for military technology that Defendants stored in an environment that was not secure from unauthorized disclosure, and Defendants did not even monitor for breaches so that they and DoD could be alerted if data was compromised. What DoD received for its funds was of diminished or no value, not the benefit of its bargain.

AV hate

Given the nature of his work for DoD, Antonakakis and his lab are required to abide by many sets of security rules, including those outlined in NIST Special Publication 800–171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”

One of the rules says that machines storing or accessing such “controlled unclassified information” need to have endpoint antivirus software installed. But according to the US government, Antonakakis really, really doesn’t like putting AV detection software on his lab’s machines.

Georgia Tech admins asked him to comply with the requirement, but according to an internal 2019 email, Antonakakis “wasn’t receptive to such a suggestion.” In a follow-up email, Antonakakis himself said that “endpoint [antivirus] agent is a nonstarter.”

According to the federal government, “Aside from Dr. Antonakakis’s opposition, there was nothing stopping the lab from running antivirus protection. Dr. Antonakakis simply did not want to run it.”

The IT director for Antonakakis’ lab was allowed to use other “mitigating measures” instead, such as relying on the school’s firewall for added protection. The IT director said that he thought Georgia Tech ran antivirus scans from its network. However, this “assumption” turned out to be completely incorrect; the school’s network “has never provided” antivirus protection and, even if it had, the lab used laptops that were regularly taken outside the network perimeter.

The school realized after some time that the lab was not in compliance with the DoD contract rules, so an administrator decided to “suspend invoicing” on the lab’s contracts so that the school would not be charged with submitting false claims.

According to the federal government, “Within just a few days of the invoicing for his contracts being suspended, Dr. Antonakakis relented on his years-long opposition to the installation of antivirus software in the Astrolavos Lab. Georgia Tech’s standard antivirus software was installed throughout the lab.”

However, says the federal government, the school never acknowledged that it had been out of compliance for some time and that it had filed numerous invoices while noncompliant. In the government’s telling, this is fraud.
