Dr. Emmanouil “Manos” Antonakakis runs a cybersecurity lab at Georgia Tech and has attracted millions of dollars from the U.S. government in recent years for Department of Defense research projects such as “Rhamnousia: Attributing Cyber Actors Through Tensor Decomposition and Novel Data Acquisition.”
The government filed a lawsuit against Georgia Tech in federal court yesterday, with Antonakakis being the first to be charged. According to the government, neither he nor Georgia Tech followed basic security protocols (and required protocols) for years, knew they were not following those protocols, and then submitted invoices for their DoD projects anyway. (Read the complaint.) The government alleges this is fraud:
Ultimately, DoD paid for military technology that defendants stored in an environment that was not secured against unauthorized disclosure, and defendants failed to even monitor for breaches so that they and DoD could be alerted if information was compromised. What DoD received for its funds was of diminished or no value, not the benefit of its agreement.
AV hate
Given the nature of his work for the DoD, Antonakakis and his lab must adhere to many security regulations, including those set forth in NIST Special Publication 800–171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”
One of the rules states that machines that store or access such “controlled unclassified information” must have endpoint antivirus software installed. But according to the U.S. government, Antonakakis really, Real doesn't like installing AV detection software on his lab's machines.
Georgia Tech administrators asked him to comply with the requirement, but according to an internal email from 2019, Antonakakis was “not open to such a suggestion.” In a follow-up email, Antonakakis himself said that “endpoint [antivirus] agent is a non-starter.”
According to the government, “Other than Dr. Antonakakis' opposition, there was nothing stopping the lab from using anti-virus protection. Dr. Antonakakis simply did not want to use it.”
Antonakakis' lab's IT director was instead allowed to use other “mitigating measures,” such as relying on the school's firewall for added security. The IT director said he believed Georgia Tech was running antivirus scans from its network. However, this “assumption” turned out to be completely false; the school's network “never” offered antivirus protection, and even if it did, the lab used laptops that were regularly taken outside the network perimeter.
After some time, the school realized that the lab was not adhering to the Department of Defense contract rules. As a result, an administrator decided to suspend billing under the lab's contracts so that the school would not be sued for filing false claims.
According to the government, “Within days of the suspension of billing for his contracts, Dr. Antonakakis relented in his longstanding resistance to the installation of anti-virus software in the Astrolavos Lab. Georgia Tech's standard anti-virus software was installed throughout the lab.”
But, the government says, the school never acknowledged that it had been out of compliance for some time and that it had submitted numerous invoices while not complying with the rules. According to the government, this is fraud.