A good lawyer knows the law. A great lawyer knows the judge.
We’ve all heard that before. But when it comes to in-house or strategic advisory practices (like mine) it’s really that: A good lawyer knows if it's legal. A great lawyer knows whether it's a good idea.
Whether or not Georgia Tech Research Corporation and the Board of Regents of the University System of Georgia (“GTRC”) has good or great lawyers is an interesting question. I’ll let you decide for yourself, noting that here is what I learned from their response to the DOJ regarding alleged false claims and fraud relating to their cybersecurity practices.
Brings Back Memories
The GTRC response to allegations of false claims under its DoD contracts brought back fond memories – back when I was a baby lawyer who read contract clauses with strict interpretation and looked for nice little legal “loopholes” that would get my client out from a requirement that they likely had never fulfilled or intended to fulfill. I even remember having discussions back in 2016 about the authority under which the DoD could implement DFARS impacting information systems that were not used to process DoD information, let alone CDI, CUI, or CTI, and how this would operationally impact cloud services providers who required the ability to run multiple tenants within hardware layers in order to make the economies of scale work for cloud transformation.[1]
These were essentially the arguments that GTRC makes in its response to the DOJ.
The contract clauses regarding cybersecurity controls (NIST 800-171) did not apply because at least one contract pre-dated the DFARS requiring 800-171.
Even if the contract rightfully included the DFARS requiring 800-171, it was inapplicable because the clause was inoperative on the type of data GTRC held.
Cybersecurity is immaterial to what the government paid for, which was research.
Happy Halloween, because these arguments are vaguely terrifying when it comes to protecting GTRC from things other than False Claims Act liability.
Contracts Are Shit for Cybersecurity Controls
Yeah, that’s right I said it.[2]
Contracts are absolutely terrible vehicles by which to enforce cybersecurity controls requirements. Contract clauses are often set-in-time obligations that are negotiated based on what parties are willing to do in exchange for the deal. They are not risk-based and create artificial barriers relating to contract negotiations in order to modify or modernize. That’s before considering the extreme false sense of security they provide clients in thinking that cybersecurity risk has been mitigated because “legal took care of it in the contract.”
Contract fraud also requires materiality for legal damages. And here, GTRC argues that cybersecurity is immaterial. Despite the fact that the contract was for fundamental research in the field of cybersecurity, GTRC basically argues that the actual security posture of the information systems used for the research does not matter. Wha????
Cybersecurity Doesn’t Matter to GTRC
GTRC’s response indicates they have or had no cybersecurity protocols in place and, quite frankly, don’t really care who knows it. Bold decision in publicizing this while also publicizing that you do DoD-funded research ON CYBERSECURITY. Why doesn’t cybersecurity matter to GTRC? Because fundamental research funded by the government is not subject to distribution controls. In short, the lack of confidentiality of the final results of research means that cybersecurity is irrelevant.
Yes, you read that right. A research institution – doing research ON CYBERSECURITY – is only concerned about confidentiality. Integrity? Availability? Doesn't matter to GTRC because the research is not restricted from publication. Apparently, because the DFARS allow for distribution, it does not matter if the information is reliable or appropriately available, and network protection is not required. And if it’s not required, then we do not do it (see above).
Integrity is Not Material to Cybersecurity Researchers at GTRC
The idea that confidentiality is the only pillar of cybersecurity necessary for research in cybersecurity is fundamentally absurd. GTRC’s research was for “methods of revealing malicious actors” and “signature management for operational knowledge and environments”. Imagine for a moment that a malicious group got into that research and manipulated the data within it. Maybe they could change the data so that it looked like a detection method was effective when it was not. Or introduced new data that would make a signature appear valid when it actually originated from a bad actor.
When that research is published – as GTRC notes it has the right to do without restriction! – it can be incorporated in a variety commercial cybersecurity offerings or threat intel models. Models that are wrong because of the lack of information integrity in the research.
The fact that GTRC does not contest any of the facts in the DOJ complaint – or even reserve the right to do so – also strikes me as a bold decision. One must assume that GTRC is still in the business of doing cybersecurity research. Yet, they never make or specifically reserve the right to make arguments that their cybersecurity controls were sufficient to protect information and information systems processing data, even if the scoring was incorrect. Instead, they argue that cybersecurity requirements do not apply to them.[3]
Setting a Target on Their Back
While it remains to be seen how the courts decide on the merits of GTCR’s arguments that cybersecurity requirements are not effective or operational for the DFARS as applied to this contract, the argument does one thing pretty well: puts a target on Georgia Tech’s IT systems. Under a 12(b)(6) motion, the courts (and those of us reading the response) assume that the facts alleged by the DOJ are true. As alleged, GTRC had a downright awful cybersecurity program.
If true, the GTRC IT systems are an easy target for those seeking to disrupt research in this area. Facts pled by the DOJ include: no endpoint protection, no incident detection, and no structured system security plan. Without a structured SSP and system to regularly validate it, one can’t help but assume that a number of other security controls – like MFA, privileged access management controls, or even strong password requirements – may also not be in place. By taking no steps to even imply that GTRC did, in fact, have some form of cybersecurity controls on the endpoints and IT infrastructure on which they did cybersecurity research, this response may create even more headaches for Georgia Tech than just the DOJ action.
Not Even a Great Legal Argument
"Surely," you think, "this must be a great defense if they would put the client at risk like that, right? Right?" Maybe not (and don't call me Shirley). GTRC admits that "legal fraud" will exist when a contractor falsely certifies to be compliant with a regulatory requirement, per Universal Health Servs., Inc. v. U.S. ex rel. Escobar, 579 U.S. 176 (2016). Then, however, they oddly claim that the government forgot to plead certification - despite the fact that the DOJ complaint clearly does so - relying, perhaps (?) on the fact that the certification was through a mechanism other than the invoice. See Count II specifics in the DOJ complaint if you don't believe me.
Does this mean GTRC will lose the motion to dismiss? Heck if I know - the current state of the courts is far too random for me to place bets right now. Win or lose, though, my real concern as a practitioner is whether the cybersecurity risk was worth it for the client, particularly given that the case might take years to be adjudicated and, even then, is not guaranteed to win - fines, debarment, and consent decrees may all still follow.
The Best Lawyers Protect Their Clients
To be a great lawyer, you must protect all your clients’ interests. Not just by advising on what is legally required, but also by helping them understand how their legal position will impact their business and operational interests. “Is it legal?” and “Is it a good idea?” Is it better to settle for $1.25 million without disclosing your specific inadequacies or to pay $1.5 million (the average paid in 2023) after suffering a ransomware attack due to discovery of your inadequate security? And that’s before considering the reputational damage that might be done if an institute researching cybersecurity is the target of such a breach.
I know I certainly would have thought long and hard about the unintended consequences of broadly discoverable statements regarding a lack of foundational cybersecurity controls at a client. Not to mention the in-depth conversations I would have had about specific risks if the client is storing or processing any kind of valuable or sensitive information. I can only hope the lawyers for GTRC did the same so that any increase in cybersecurity risks arising from this legal document could be mitigated before attackers could exploit the vulnerabilities disclosed in legal documents. Or maybe I should expect a call soon.
[1] Much like I later argued the ridiculous implications of GDPR meant that a random number that happens to be attributed to a real person in one context must be protected as personal information in all contexts. Given the current state of EU decisions on personal data, I have also had to cede this argument.
[2] Yes, there are better ways to do it than in the DFARS. Don’t @ me. I know that.
[3] They also reserve the right to re-argue the case based on a challenge to the constitutionality of qui tam suits generally. Haven’t read that underlying case yet, but I am assuming it is fallout from the fall of the Chevron Doctrine.
Comments