Georgia Tech, a world leader in cybersecurity research and education, is now in the news for not complying with federal cybersecurity contractual obligations. This sounds funny and embarrassing until you look deeper into the story and understand what this case is really about. It’s not about security. It’s about compliance.
Disclaimer: although IGP’s home is Georgia Tech, we are not implicated in this litigation in any way. We are not DoD contractors, we are in a different college, and are not connected to Prof Antonakakis’s research lab. The outcome of this case will not affect us.
Here in a nutshell is what this case is about:
- GT researcher Manos Antonakakis, a renowned researcher on botnets, domain name system security, and other critical topics in cybersecurity, refused to install endpoint security software for his lab, which was funded by the Department of Defense. Prof Antonakakis (like many other cybersecurity researchers) doesn’t like endpoint protection tools, for reasons we will go into below.
- Installation and use of this tool, along with 100 additional “cybersecurity controls,” was required by the DoD. The foundational requirement is the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, which mandates that contractors implement adequate security measures to safeguard covered defense information (CDI) and report cyber incidents. Complementing DFARS is the National Institute of Standards and Technology (NIST) Special Publication 800-171, a 120-page document that describes a comprehensive set of security requirements for protecting controlled unclassified information (CUI) in non-federal systems and organizations. Defense contractors have been required to comply with the NIST SP 800-171 standard since December 31, 2017.
- After successfully blowing off organizational attempts to make him comply with some of these standards, certain compliance officers at GT revolted against Antonakakis. Eventually the Institute shut Professor Antonakakis’s money off. Then – surprise! – he complied and the required endpoint tools were installed. This happened way back in 2021.
- During the period the lab functioned without endpoint protection, as far as we know from the filing, the lab suffered no security incidents or data breaches. The Federal government’s case, however, does not depend on demonstrating undue risks to the cybersecurity of the lab; instead, its case rests on GT’s failure to comply with the prescribed set of regulations and procedures. In other words, the Federal government is not suing GT for an actual cybersecurity failing; it is suing GT for a compliance failing. The complaint is all about following specified regulations, not about whether those regulations did any good, or whether their absence did any harm.
- The Feds are so concerned about enforcing compliance with DFARS that they are coming down hard on Georgia Tech and its researcher. See the complaint here. Georgia Tech Research Corporation is being accused of fraud because it submitted reports to the government saying that its systems were secure, and the government wants its money back. This is punitive, not a security remedy.
Some basic cybersecurity economics
I don’t know how this case will work out, but there are two important lessons about cybersecurity economics here. The first lesson is that compliance should not be confused with security, and security must not be confused with compliance. The second lesson is that governmental attempts to create security through prescriptive regulation have gotten out of hand. They impose huge costs on the Defense Industrial Base (DIB) and can be counterproductive.
This incident needs to be looked at through that lens of security economics. For every Professor Antonakakis who had the clout to avoid the regulations for a while, there are 1000 small businesses that simply give up on getting federal contracts, and hundreds of others who spend more time understanding and applying the complex requirements than they spend on doing their jobs.
Checklists
Increasingly, cybersecurity practice is being bureaucratized, and the federal government is largely to blame for it. The process is understandable. The Defense Industrial Base (DIB) involves thousands of private contractors. The data and access shared with those contractors are sensitive and can affect national security. The Feds have every right to be concerned about the cybersecurity practices of their contractors. The problem is that they choose to address this concern in the manner that governments inevitably do: through the promulgation of lengthy, arcane, and uniform prescriptive regulations. The implicit message the Feds were sending to Professor Antonakakis was: “we know how to secure your information systems better than you do.”
Yet these regulations are not based on a rational weighing of cost-benefit ratios, they are not based on a specific threat model or risk calculus, and generally not based on empirical knowledge of what net contribution their regulations make to the security of a research lab. Instead, they are blanket requirements blindly enforced regardless of cost and situational particulars. And this puts a premium on compliance, not secure practices. It’s form over substance. We’ve forgotten the goal.
If you Google for the “NIST SP 800-171” document, your top results will overflow with ads like this: “Are DFARS, NIST SP 800-171, and CMMC Compliance Giving You Sleepless Nights?” Hire us, your friendly neighborhood compliance consultants, to help you through it. The system is optimized for compliance, not for security.
Compliance with checklists can divert our eyes from the prize. The focus becomes checking boxes that demonstrate conformity to an externally imposed rule rather than preparing for and responding to the real threats an organization faces. It creates the illusion that compliance makes an organization secure. Yet security and compliance are not the same.
We had the same experience with the Federal Information Security Management Act (FISMA) of 2002. Remember FISMA? It was a law that defined a framework of guidelines and security standards to protect government information and operations. Yet federal agencies leaked data like sieves and were beset by breaches over the next dozen years. (See this paper by Silvers, 2006)
The Costs of Over-regulation
In the five years since DFARS made NIST SP 800-171 its cybersecurity recipe, 17,045 companies have left the Defense Industrial Base. According to one of DoD’s own reports, the number of small businesses participating in the defense industrial base has declined by over 40 percent in the past decade, due to “Regulations and business practices [that are] difficult to understand or otherwise create barriers or increase the cost of doing business with DoD.” One of our MS Cybersecurity students’ capstone projects (Iten, 2024) noted that “barriers arising from stringent cybersecurity requirements limit the number of businesses who can supply to the defense industry and increase the costs of defense acquisition through limited competition and passing on the cybersecurity costs to the government.”
When compliance costs are out of whack with capabilities and benefits, contractors don’t comply. Quoting Iten (2024) again, “A statistical study of 300 DIB members found over 70% of respondents lacked required cybersecurity controls including vulnerability management solutions, multi-factor authentication (MFA), endpoint detection and response (EDR), and security information and event management (SIEM). The study also found that the government cybersecurity requirements were reported to be difficult to understand by 82% of the contractors (Burgess, 2022). The threat posed to national security by the continued compromise of sensitive unclassified information resulted in creation of the CMMC because the existing measures were ineffective (Hernandez, Anderson, & Takanti, 2023).”
Inflexible, prescriptive security standards may make companies more vulnerable to attacks by restricting adoption of innovative security solutions. Homogenizing security implementations across the DIB may provide attackers broad access when exploits are discovered.
The Recalcitrant Professor
With this important context, now let’s take a look at Professor Antonakakis. He did not install endpoint security for a reason. He believes, not without cause, that it can interfere with software processes, undermine interoperability, support disproportionate amounts of end user surveillance, and become a vector of systemic compromise. Endpoint agents run with kernel-level privileges on every host they protect, so a bad update reaches every one of those hosts at once. The massive outage of Windows systems on July 19, 2024, let’s recall, was caused by a faulty content update to one company’s endpoint security product, CrowdStrike Falcon. If anything, the events of the past weeks have vindicated the Professor’s resistance. This interesting article about the CrowdStrike update’s impact on banks highlights the role of checklist compliance in that disaster. (We do need to acknowledge, however, that if you take the Defense Department’s money, you have to dance to its tune.)
Damages?
The Justice Department asserts that “The United States has suffered damages because of Defendants’ failure to comply with applicable federal cybersecurity rules and regulations, and their false representations of compliance.” What are those damages? There is a big gap in the government’s case here. It offers convincing proof that Astrolavos/GTRC didn’t comply with the “adequate security” standards of DFARS and posted a cooked-up score for its System Security Plan. It doesn’t show that this led to any real damage.
The complaint tries to make it sound like military secrets were lost: “DoD paid for military technology that Defendants stored in an environment that was not secure from unauthorized disclosure, and Defendants failed to even monitor for breaches so that they and DoD could be alerted if information was compromised.” But did they get the military technology they paid for, or not? It seems they did. Was that technology disclosed to U.S. adversaries or not? There is no evidence that it was. Did the alleged failure to monitor for breaches result in any actual breaches? There is no evidence that it did. So what, exactly, are the damages?
The US is asking for treble damages; i.e., three times the value of the tens of millions of dollars it paid to the GT lab. That would be reasonable if the technology was lost or stolen due to the GT lab’s inadequate security. But as far as we know, it wasn’t and there is no assertion in the complaint that it was. Are they just dissatisfied with Prof Antonakakis’s work, did they find it useless? Or is this a punitive overreaction to a failure to comply with some not always so reasonable requirements?
In this Georgia Tech lawsuit, the government is trying to make a point. A very heavy-handed one. By calling attention to the incredible amount of friction they are introducing into the problem of securing information systems, however, the conclusion the public draws from this incident may not be the point they are trying to make.
[Iten, 2024] Martine G. J. Iten, “Overcoming Defense Industrial Base Barriers to Entry Due to Cybersecurity Requirements,” PUBP 6727: Cyber Security Practicum Project Proposal, Georgia Institute of Technology, 2024.
Professor, you did mention this in the last Policy class, but this explanation was very much needed to get a complete grip of the situation. The article was to the point and very insightful. Thanks
Ironically, the Crowdstrike outage also has a link to compliance:
https://www.bitsaboutmoney.com/archive/crowdstrike-bug-hit-banks-hard/
By enforcing an ex-ante cybersecurity framework with an almost antipathy towards deviation, we’re essentially planting a garden where only one type of flower is allowed to bloom, chosen before the seeds even meet the soil. This preemptive rigidity not only chokes the life out of potential innovations but also breeds an environment where the natural evolution of security practices is viewed with suspicion rather than welcomed as a necessary progression. In this climate, the academic pursuit of better, more adaptive security measures is not just hindered; it’s actively discouraged, leaving us with a monochrome landscape where the vibrant hues of progress should be. It might potentially fence off the federal marketplace from all but the most conformist of enterprises.