Dr. Emmanouil “Manos” Antonakakis runs a cybersecurity lab at the Georgia Institute of Technology and has raised millions of dollars from the U.S. government in recent years for Department of Defense research projects such as “Rhamnousia: Attributing Cyber ​​Actors Through Tensor Decomposition and Novel Data Acquisition.”

The government sued Georgia Tech in federal court yesterday, naming Antonakakis alone, and alleging that neither he nor Georgia Tech followed basic (and required) safety protocols for years, knew they weren’t following those protocols, and then submitted invoices for their DoD projects anyway. (Read the lawsuit.) The government claims this is fraud:

Essentially, the Department of Defense paid for military technology that the defendants kept in an environment that was not protected from unauthorized disclosure, and the defendants failed to even look for security vulnerabilities so that they and the Department of Defense could be notified if information was compromised. What the Department of Defense received for its funds was of diminished or no value and not the benefit of its business.

AV hate

Because of the nature of his work for the U.S. Department of Defense, Antonakakis and his laboratory must adhere to numerous security regulations, including those described in NIST Special Publication 800–171, “Protecting Controlled, Unclassified Information in Nonfederal Information Systems and Organizations.”

One of the rules states that computers that store or access such “controlled, unclassified information” must have endpoint anti-virus software installed. But according to the US government, Antonakakis actually Really does not like to install AV detection software on his lab computers.

Georgia Tech administrators asked him to comply with this request, but according to an internal email from 2019, Antonakakis was “not receptive to such a suggestion.” In a follow-up email, Antonakakis himself said that “an endpoint (antivirus) agent is a no-go.”

According to the government, “nothing prevented the laboratory from using anti-virus protection other than Dr. Antonakakis’s opposition. Dr. Antonakakis simply did not want to use it.”

The IT director of Antonakakis’ lab was instead allowed to take other “mitigating measures,” such as using the school’s firewall for additional security. The IT director said he believed Georgia Tech was running anti-virus scans from its network. However, this “assumption” turned out to be completely false; the school’s network “never” offered anti-virus protection, and even if it had, the lab used laptops that were regularly taken outside of the network perimeter.

After some time, the school realized that the lab was not complying with Department of Defense contracting rules, so an administrator decided to suspend billing for the lab’s contracts so the school would not be charged with making false statements.

According to the government, “within days of suspending billing for his contracts, Dr. Antonakakis retracted his years-long opposition to the installation of anti-virus software in the Astrolavos lab. Georgia Tech’s standard anti-virus software was installed throughout the lab.”

But the school never admitted that it had been out of compliance for some time and submitted numerous invoices despite non-compliance, says the government. According to the government, this is fraud.