Universities Urged to Defend Sensitive Research From Hackers
Adversaries Want to Interfere With Research at US Schools. How Can They Be Stopped?
Cyberattacks against universities have forced academia to implement new rules and processes to safeguard sensitive research from adversaries such as China, Russia and Iran.
Texas A&M established an office in 2016 to oversee security around scholarly activity, and the office quickly mandated disclosure of all foreign collaboration and approval of foreign travel, says Chief Research Security Officer Kevin Gamache. The office implemented continuous network monitoring to identify malicious foreign actors and established a process for reviewing and approving collaborations.
Gamache helped Texas A&M establish a secure, systemwide computing enclave to protect federally funded research and a robust due diligence process for reviewing visiting scholars and postdoctoral researchers. And should any issues arise, Gamache says Texas A&M has developed strong relationships with the FBI, DCSA and members of the intelligence community to ensure they're addressed promptly (see: Universities: Prime Breach Targets).
"Understanding our collaborators and their funders is the most critical aspect of our research security program," Gamache told the U.S. Senate Intelligence Committee on Wednesday. "It is equally important to know if a foreign government nexus exists and the risk it poses to the institution. We must also understand whether these risks can be mitigated or must be eliminated."
The hearing focused on protecting American innovation across industry, government and the National Counterintelligence and Security Center. "Higher education should be looked at as part of the national security defense program," said former NCSC Director William Evanina. "I do think that it's worthy of putting it in a bucket with other entities we spend money to protect."
Setting a Security Standard for Universities
Lawmakers should set a minimum standard around what constitutes acceptable security for any research institutions that are either federally funded or receive federal subsidies, Evanina told the committee.
Much of government doesn't have a real understanding of the academic culture and has therefore taken a "search and replace" approach to regulation, in which nonprofit universities and for-profit businesses are expected to follow the same rules, Gamache said. Poorly designed federal mandates attempting to fix cybersecurity in higher education could actually cause harm, he warned.
But over the past five years, Gamache says, a number of federal agencies have really tried to understand what the academic community is all about. The FBI has led the way in this effort by going all-in on initiatives such as the Academic Security and Counter Exploitation Program, and the Department of Commerce has also become more engaged, according to Gamache (see: FBI: Russian Forums Sell Higher Education Credentials).
"The collaborative effort between academia and the federal government down at the grassroots level is really paying dividends in terms of awareness," Gamache says.
Gamache urged Congress to form a center of excellence that coordinates the flow of counterintelligence between academia, law enforcement and the intelligence community. Foreign adversaries would be less effective in infiltrating or tampering with sensitive research if faculty and students were compensated better through enhanced federal research funding, he said.
"International scholars in our universities enhance innovation and knowledge but also present risks," he said. "Partnering with federal agencies to mitigate existing and emerging threats, educate our researchers, and provide clear avenues to address security concerns is crucial."