The haul from university computer systems by an Iranian hacking ring was mind-boggling: 31 terabytes — or trillion bytes — of data and intellectual property. It was valued at $3.4 billion and originated from more than 300 institutions, 144 of them in the United States.
Weeks after federal prosecutors brought indictments in the case, a congressional hearing on April 11 asked how universities might better protect intellectual property and national security data from theft by adversarial nations.
Universities need to beef up security and lock their laboratories to prevent losses of what is often publicly funded research, said members of subcommittees of the House Science, Space and Technology Committee.
“Many in academia have been unwilling to accept reality and take defensive measures,” said Rep. LaMar Smith, R-Texas, the chair of the science committee.
Yet security measures must not stifle international academic collaboration, said Rep. Eddie Bernice Johnson, D-Texas, ranking committee member. The six Americans awarded 2016 Nobel Prizes in chemistry, physics and economics were immigrants, and many arrived as international students, Johnson noted.
For the University of Wisconsin, with more than $1 billion annually in research revenue, steeped in a tradition of “sifting and winnowing” for the truth and dedicated to broadcasting its findings throughout the state and beyond, the challenge is to strike a balance between academic freedom and the realities of a connected but politically fractious world.
In academia, scientists don’t want to hide their research results, said Barton Miller, a professor of computer science at UW-Madison who is part of a center involved in cybersecurity for major National Science Foundation research.
“For most science data at universities, we’re almost frantic to publish it,” he said.
And calls for added scrutiny of international students also raises concerns among academics, including members of the American Association of University Professors.
“UW should ensure that policies and practices do not impinge upon international students’ and scholars’ ability to conduct their studies and research,” said Nick Fleisher, associate professor of linguistics at UW-Milwaukee and president of AAUP Wisconsin.
It’s not just federal authorities who are concerned about the security of data on university computer systems.
The Wisconsin Legislative Audit Bureau in February said that weaknesses in computer systems at University of Wisconsin System campuses increased the risks of cyberattacks and loss of data or intellectual property.
The findings of the audit were “too sensitive to communicate publicly,” and were transmitted to the institutions involved in confidential memoranda, the LAB report said.
“We have reported concerns related to information technology security policies, procedures and controls at UW System since the early 1990s,” auditors wrote.
The UW System has worked to address concerns related to IT security policies, procedures and controls in the past couple of years, but administrators have not taken significant steps to develop IT security policies and procedures to cover all critical areas and comply with Board of Regents policy, auditors said.
UW System administrators say they have made substantial progress on the audit recommendations to improve the security of university computer systems. They are due to be completed by June 30.
“The UW System is committed to protecting the privacy of all members of the university community, safeguarding our critical and sensitive information, maintaining critical infrastructure and operations, and guaranteeing the intellectual property of our faculty,” said UW System President Ray Cross.
To meet the recommendations of the state audit, the UW System spent $473,000 to hire global cybersecurity firm Stroz Friedberg to perform an assessment of campus systems and develop a security program and 24-month work plan.
The UW System also created a new position to work with all of its institutions to enhance security.
Katherine Mayer is the system's new associate vice president for information security. She has more than 30 years experience in that field with the U.S. Navy, most recently as a director of strategic initiatives on global information security activities.
“Our challenge is to provide a secure information environment against numerous persistent and agile threats as we continue to develop and educate students as well as discover and disseminate knowledge. Mission accomplishment is a top priority,” Mayer said. “It’s not unlike my 30 years in the Navy.”
The Iranian hacking ring that accessed so many university computer systems reportedly did so by “phishing,” sending emails that prompt a user to go to a fake website and enter credentials that can be diverted and stolen.
There is frequent training at UW-Madison to teach computer system users to recognize and resist such phishing lures, said Bob Turner, chief information security officer for the campus.
“Everyone on campus receives passive training via news stories, cybersecurity awareness presentations and other posts and broadcasts,” Turner said.
To test awareness, UW System administration phished the Madison campus in January and April in a realistic test, Turner said.
“UW–Madison’s response rate was approximately 5 percent, meaning that only about 5 percent of the recipients on campus clicked on a link within the email or engaged in some other type of inappropriate response. That’s very good,” he said.
More than 50 researchers at UW-Madison were phished as part of the recently publicized Iranian hacking campaign, Turner said.
“All of the accounts targeted for phishing attempts were flagged and reset. As far as we know, none of the accounts were compromised and no internal research data was taken,” he said.
Since 2015, some units on campus, such as the Division of Information Technology, the College of Letters and Sciences, and School of Medicine and Public Health have received regular training on social engineering techniques, or how hackers use psychological manipulation to trick computer users.
Use of social media, where sharing personal information is expected, raises the risk of people becoming victims of social engineering tactics that urge them to follow phishing lures or download malware that will disable or damage computers, Turner said.
The campus Office of Cybersecurity works with the colleges, schools and other divisions on campus to improve awareness and responses to the thousands of computer security events that occur daily. Most of the detected events are stopped by security tools and software, Turner said.
Headlines about a hack like that by the ring purportedly working for the Iranian government are sensational, but how potentially valuable the looted information was is another matter, said Miller, the computer science professor.
“Maybe the Iranians got a student’s Chemistry 100 homework – I hope they enjoy it – but they probably could not get that the student is a lab assistant,” Miller said. “They can’t get to that layer.”
The most sensitive information typically is stored on systems not connected to the internet. For everything else, it’s a matter of reasonable priorities, said Miller.
Well-managed systems use layered tools — two-factor authentication is a common strategy — to protect more sensitive data, he said.
“Computer security is an economic activity. You can’t afford to protect every asset at some extreme level,and not everything is worth the same level of protection,” he said.
“The truth is, if a highly funded, trained, nation-state group wants to go after a particular computer system, if they have the resources, the skills, the time and the patience, they are likely to be able to get in,” Miller said.
The goal of security is to keep breaches small, controlled and recoverable, and to protect the mission of the institution. In academia, absent the intellectual property rights that come into play for a small number of research projects, scientists are concerned most with the integrity of data.
“We’re not worried about someone stealing the result, we’re worried about someone tampering with the data,” Miller said.
Miller is the vulnerability assessment director for the NSF’s Center for Trustworthy Scientific Cyberinfrastructure, which works to protect such major research projects as the $279 million Ice Cube neutrino observatory at the South Pole.
He also is chief scientist of the Software Assurance Marketplace (SWAMP) research facility, a joint effort between the Morgridge Institute of Research, University of Wisconsin, Indiana University and the University of Illinois.
The center, funded by the Department of Homeland Security, provides tools to software developers to detect flaws so they can produce programs that are more difficult to hack. The process fosters the development of more secure computer programs for all kinds of uses.
Espionage by university scholars may sound like the stuff of spy novels, but it has a long and recent history.
The CIA-funded National Student Association was founded on the UW-Madison campus in 1947, in an era of emerging anti-Communism. Members of such organizations might be recruited to report on the political tendencies of foreign students they met at home and at conferences abroad.
And elite universities were a prime recruiting ground for American intelligence agencies after World War II, as Pulitzer Prize-winning journalist Daniel Golden wrote in his 2017 book “Spy Schools.”
Revelations about intelligence agencies’ activities, coupled with anti-Vietnam War fervor, in the 1960s and 1970s, dampened intelligence activity on campus. But the university community has been more receptive following the terrorist attacks of Sept. 11, 2001, said Golden.
“Globalization has transformed American universities into a front line for espionage,” Golden told members of the House science committee last month.
Most international students come to the U.S. simply to pursue their studies, he said.
“A small percentage come to recruit clandestine operatives, get insight into government plans and access sensitive military and civilian data,” Golden said.
U.S. intelligence agencies also have resumed recruiting contacts among international students and faculty, he said.
Some American universities ignore or condone domestic and foreign espionage on their campuses, Golden claimed during a Wisconsin Book Festival talk in Madison last November. International students, who pay the highest tuition of any students, are increasingly attractive as state funding to public universities has diminished, and research funding from U.S. intelligence agencies offers another potential revenue source, he argued.
A 2011 white paper by the FBI detailed some of the ways that foreign governments may recruit faculty or staff or infiltrate campus communities, taking advantage of a professor’s ideological bent, a student’s patriotism, or lax security systems in areas to which access is sought.
Cases outlined in that paper include Lidiya Gurveva, aka Cynthia Murphy, who was instructed to cultivate classmates and professors with access to secret information by Russian intelligence while an MBA student at Columbia University in 2009. She was arrested and deported.
The FBI produced “Game of Pawns,” a 28-minute video that tells the story of Glenn Duffie Shriver, a Michigan man who studied in China in college and returned after graduation, when he was coaxed into conspiring to provide national defense information to the Chinese government. Convicted in 2011 as part of a plea agreement, Shriver was sentenced to four years in prison.
Ruopeng Liu worked in a Duke University laboratory on a prototype “invisibility cloak” with potential applications for cell phones and antennas. Liu convinced renowned Duke researcher David Smith to open a “mirror” lab at a Chinese university. After publication of a joint paper by the two labs, federal funding agencies ordered Smith to sever ties to the Chinese laboratory. Liu received a doctorate in 2009 and in 2010 founded a billion dollar Chinese company with close ties to the Chinese government that uses technology similar to that under development at Smith’s lab. While the case attracted the attention of the FBI, Liu was not charged with any crimes.
These and other incidents of suspected or proven espionage have occurred as the number of international students on U.S. college campuses and collaboration with overseas institutions has skyrocketed.
At UW-Madison, the number of international students rose to 6,548 last fall, of a total enrollment of 43,820, or about 15 percent. Nationally the number of international students is estimated at 1.1 million.
In February, FBI director Christopher Wray warned a U.S. Senate panel that China, in particular, is using “nontraditional collectors” like students and professors, to gather information in the academic setting.
“And I think the level of naïveté on the part of the academic sector about this creates its own issues,” Wray said. “They’re exploiting the very open research and development environment that we have, which we all revere, but they’re taking advantage of it.”
Wray also said the FBI is watching Confucius Institutes, centers of Chinese language and culture education located on more than 100 American campuses, including UW-Platteville.
Gao Qing, the executive director of the Confucius Institute U.S. Center in Washington, questioned what the FBI had learned.
"To me, it sounds to me like they have been watching Confucius Institutes but have found nothing,” Qing told Inside Higher Ed.
Controversy over the influence of the Chinese government in the hiring, training and possible censorship of institute instructors has simmered for years. It was one reason the University of Chicago opted in 2014 to close its outpost. Texas A&M announced in April it would cut ties with the institute at the urging of two congressmen who described the centers as threats to national security.
Like other Confucius Institutes, the UW-Platteville center is funded and staffed in part with instructors screened by a Chinese government-affiliated entity known as Hanban.
The center in Platteville offers for-credit tai chi and Chinese language classes, outreach to K-12 schools and community events, said Paul Erickson, campus director of communications.
The classes “promote cultural understanding and cultural competency,” Erickson said. “This has been a very good opportunity Confucius Institute has offered.”
The curriculum is developed by institute director Kory Wein, an associate dean in the College of Liberal Arts and Education, and director Mei Reeder, Erickson said. But Hanban provides and pays for instructors and also gives UW-Platteville $130,000 annually, under a five-year renewal of its 2007 contract inked in January.
UW-Platteville officials have had a good relationship with partner institution South-Central University for Nationalities in Wuhan, China, Erickson said.
In 2016, Chancellor Dennis J. Shields received an award for outstanding work in promoting international education from the Confucius Institute in ceremonies in Yunnan Province, China.
A focus more generally on students from China as potential spies has raised concerns from such groups as the American Civil Liberties Union, which joined a civil rights lawsuit by a Chinese-American Temple University professor wrongly arrested for sharing technological secrets with the Chinese.
The AAUP maintains that the FBI exaggerates the risk posed by international students on U.S. campuses. The advocacy group for academics has opposed government efforts to exclude foreign scientists on questionable grounds as least as far back as the Cold War.
The Association of American Universities, an alliance of major research universities to which UW-Madison belongs, said its members are trying to balance concerns of national security and academic freedom.
“We want to work with the federal government to protect our national security interests while at the same time preserving the unique institutional culture of scientific openness that makes our leading public and private universities the destinations for the world’s best and brightest intellects, who help to advance U.S. science and drive the U.S. economy forward,” said AAU spokesman Pedro Ribeiro.
The AAU is among 15 national higher education advocacy groups that signed an April 24 letter to FBI director Wray, asking to discuss concerns about international students on U.S. college campuses. They also want to know why the agency abruptly disbanded the Security Higher Education Advisory Board earlier this year.
Since 2005, the board had been a forum for university leaders to discuss security concerns with such agencies as the FBI, CIA and Department of Defense, the letter noted.
“While we believe that international students and scholars contribute much to our country, we are anxious to do our part to ensure that America’s security is protected,” the letter read. It is more important than ever to allow for constructive dialogue on security issues, the groups argued.
At UW-Madison, a policy adopted in 2005 specifically prohibits research that excludes members of the university community from participation.
“In particular, foreign faculty, students or scholars should not be singled out for restriction in access to the university's educational and research activities,” the policy declares.
The campus is preparing, however, for a pilot program that will screen certain scholars arriving under “exchange visitor program” visas against a government list of parties for whom the export of equipment, research collaborations or access to university laboratories is restricted, according to the Office of the Vice Chancellor for Research and Graduate Education.
That will be in addition to the screening of incoming scientists and students seeking to work in certain critical fields that is done by U.S. authorities as part of the visa application process.
The additional screening was recommended by the UW-Madison Export Control Office, which works with researchers to ensure that products, technology and services that are shared with foreign persons or organizations – including those within the U.S. -- are transferred in compliance with U.S. law.
“Ensuring short-term international visitors seeking to participate in advanced research are not on restricted lists, or representatives of organizations on restricted lists, is becoming an industry standard because additional requirements in terms of access to technology in labs come into play,” said Ben Griffiths, senior university legal counsel.
Even if a visitor is on a restricted list, “that does not at all mean they are not welcome here, but it allows our export control office to work with the lab to make sure any needed licenses are obtained and that sort of thing,” Griffiths said.
Export control becomes aware of when its expertise may be needed through grants management software that flags projects where restrictions may apply, and when a researcher books foreign travel plans.
One handout from the Export Control Office urges traveling scholars to be aware of restrictions on where they are traveling and who they are meeting, consider why they are going, and limit data devices to what they absolutely need to take.
As Vietnam-era politics may have made U.S. college campuses a less hospitable place for intelligence agencies, they shut off the UW-Madison campus to classified military research for 45 years.
After the 1970 bombing of Sterling Hall, home to the Army Math Research Center, campus policy was changed to bar classified research. The policy was revised in 2015 to include an exception for classified research that furthered national security interests, protected the educational interests of participating students, and used available facilities and resources, if the research sponsors covered all additional security costs.
Currently, UW-Madison lacks the appropriate secure facilities and cleared administrative personnel that meet U.S. government security requirements to conduct such research, said Steve Ackerman, associate vice chancellor for research in the physical sciences.
UW researchers have long participated in such work, however, he said.
“Investigators typically conduct classified research at off-campus sites, such as the government labs that are funding the work,” Ackerman said.
The Wisconsin Security Research Consortium built a Sensitive Compartmented Information Facility, suitable for classified research, off-campus in a UW Research Park building with a grant from the U.S. Department of Commerce in 2013.
Originally under the administration of the Wisconsin Technology Council, in 2015, UW-Madison and Research Park assumed the administrative and management functions, Ackerman said.
While there are currently no projects utilizing the SCIF, the consortium maintains the facility as a classified research-ready asset, he said, and its availability is marketed to potential users.
Meanwhile, UW-Madison continues as a research powerhouse, with nearly $1.16 billion in research-related expenditures in 2016, when $30.8 million in projects were sponsored by the Department of Defense.