After cybersecurity lab wouldn’t use AV software, US accuses Georgia Tech of fraud

Photo of Georgia Tech
Georgia Tech

Dr. Emmanouil “Manos” Antonakakis runs a Georgia Tech cybersecurity lab and has attracted millions of dollars in the last few years from the US government for Department of Defense research projects like “Rhamnousia: Attributing Cyber Actors Through Tensor Decomposition and Novel Data Acquisition.”

The government yesterday sued Georgia Tech in federal court, singling out Antonakakis and claiming that neither he nor Georgia Tech followed basic (and required) security protocols for years, knew they were not in compliance with such protocols, and then submitted invoices for their DoD projects anyway. (Read the complaint.) The government claims this is fraud:

At bottom, DoD paid for military technology that Defendants stored in an environment that was not secure from unauthorized disclosure, and Defendants failed to even monitor for breaches so that they and DoD could be alerted if information was compromised. What DoD received for its funds was of diminished or no value, not the benefit of its bargain.

AV hate

Given the nature of his work for DoD, Antonakakis and his lab are required to abide by many sets of security rules, including those outlined in NIST Special Publication 800–171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”

One of the rules says that machines storing or accessing such “controlled unclassified information” need to have endpoint antivirus software installed. But according to the US government, Antonakakis really, really doesn’t like putting AV detection software on his lab’s machines.

Georgia Tech admins asked him to comply with the requirement, but according to an internal 2019 email, Antonakakis “wasn’t receptive to such a suggestion.” In a follow-up email, Antonakakis himself said that “endpoint [antivirus] agent is a nonstarter.”

According to the government, “Other than Dr. Antonakakis’s opposition, there was nothing preventing the lab from running antivirus protection. Dr. Antonakakis simply did not want to run it.”

The IT director for Antonakakis’ lab was allowed to use other “mitigating measures” instead, such as relying on the school’s firewall for additional security. The IT director said that he thought Georgia Tech ran antivirus scans from its network. However, this “assumption” turned out to be completely wrong; the school’s network “has never provided” antivirus protection and, even if it had, the lab used laptops that were regularly taken outside the network perimeter.

The school realized after some time that the lab was not in compliance with the DoD contract rules, so an administrator decided to “suspend invoicing” on the lab’s contracts so that the school would not be charged with filing false claims.

According to the government, “Within a few days of the invoicing for his contracts being suspended, Dr. Antonakakis relented on his years-long opposition to the installation of antivirus software in the Astrolavos Lab. Georgia Tech’s standard antivirus software was installed throughout the lab.”

But, says the government, the school never acknowledged that it had been out of compliance for some time and that it had filed numerous invoices while noncompliant. In the government’s telling, this is fraud.

https://arstechnica.com/?p=2045111