Whistleblower Matthew Decker, the former chief information officer for the university's Applied Research Laboratory, is to receive $250,000 from the settlement, the Justice Department wrote Tuesday in a press release.
In a written statement, Decker thanked his attorneys for their help in what he described as "likely a precedent-setting case."
"I filed because there was nothing else I could do internally, and I had reached my limits of frustration and increasing personal risk in trying to resolve matters from within," Decker said. "After decades of loyalty to national defense, and with my understanding of the consequences of having our adversaries obtaining sensitive defense research information, it is unacceptable to me for any organization to falsely attest or even fabricate data asserting security and compliance with such sensitive information, which is produced on tax-payers dollars. It is also unethical for any organization to illegitimately knock others out of fair competition."
Penn State did not admit any wrongdoing and there was no determination of liability.
The university wished to avoid costly litigation and address "any concerns our government sponsors may have related to this matter," Penn State wrote Wednesday in an email to the Centre Daily Times.
"As a world-class academic research institution, Penn State values its relationships with its research sponsors and takes seriously its cybersecurity obligations. The University has devoted significant resources to complying with its obligations — and to continuously improving and enhancing its cybersecurity measures," the university wrote. "Most recently, Penn State proactively adopted additional cybersecurity policies and systems to meet anticipated future obligations across the global research landscape.
"There is no suggestion by our research sponsors that any of the non-classified information that has been the subject of this matter was ever compromised. Rather, the government's concerns — following its thorough investigation — primarily focus on the documentation related to implementing specific controls for handling data and information."
The university was accused of violating the False Claims Act by failing to comply with 15 contracts or subcontracts that involved the Defense Department or NASA.
Between 2018 and 2023, the Justice Department said Penn State did not implement cybersecurity controls that were contractually required and did not adequately develop plans to correct deficiencies it identified.
One of Decker's attorneys, Julie Bracker, wrote Wednesday afternoon in an email to the CDT that the case "illustrates the cavalier attitude to cybersecurity that unfortunately is all too common and that can no longer be tolerated in today's volatile atmosphere of cyber attacks, hacks, and breaches."
"We are proud to have represented Matthew Decker, who was willing to step forward and bring this to the government's attention, to his own detriment," Bracker wrote. "As one of the first cyber-whistleblowers, his expertise was critical to the case. We hope this settlement sends a message to other research institutions that the government takes these protections seriously and that cybersecurity is material to government contracts."
Decker's lawsuit claimed Penn State did not appear to be working toward compliance even after he alerted key university officials multiple times. Some reports the university submitted were template documents entered merely to "check the box," his filing alleged.
The Justice Department also wrote that Penn State did not use an external cloud service provider that met the Defense Department's security requirements for protected information.
"Safeguarding sensitive NASA and DoD data is crucial to ensuring that it does not fall into the hands of our adversaries or bad actors," Robert Steinau, NASA's assistant inspector general for investigations, said in a statement. "The University's inability to adequately address known deficiencies not only put sensitive information at risk but also undermined the integrity of our government's cybersecurity efforts."
Decker was the chief information officer for the ARL from November 2015 through March 2023, according to his LinkedIn. He was appointed as the chief data and information officer at NASA's Jet Propulsion Laboratory a month after leaving Penn State.
"I filed with the understanding that there was a high probability of receiving nothing in return," Decker said. "The sacrifice my family and I have made to get this noticed and corrected is immeasurable, but it was the right thing to do."
©2024 the Centre Daily Times, Distributed by Tribune Content Agency, LLC.