American universities are breeding grounds for innovation and research for students from across the globe. They are also a primary target of IP theft and cyber-attacks by some of these very students and their governments. America’s universities, supported by industry and by the U.S. federal and state governments, must be ready to protect the billions of U.S. dollars invested by the U.S. government and corporations to develop new technologies.
University research is an integral part of the United States position as a world leader in science. According to the Science Coalition, a nonprofit group of more than 50 of the United States’ leading research universities, universities conducted 53 percent of basic scientific research in the United States in 2009. Out of the funding raised for these projects, the federal government was the primary source for funding, making up just less than 60 percent of total financial resources. Government funded projects have been responsible for advancements in everyday life including the MRI, modern communication devices and the internet. In addition, today’s leading companies, including Google, Cisco Systems and CREE, originated from government funded research.
Because of the importance of government-funded university research, universities are often targeted by foreign nations attempting to short cut their own scientific development efforts. In March 2019, the Wall Street Journal reported China targeted more than two dozen U.S. universities, including the University of Washington and Massachusetts Institute of Technology, to steal military maritime technology. In March 2018, Science Mag reported out of the 320 worldwide universities, governments, and companies hacked by an Iranian force, 144 were United States research universities.
In December 2018, Cyberscoop reported North Korea used malicious Google Chrome extensions to gain access to American research University computers, many of them in the Biomedical field. Universities are not just being attacked over the internet; they are also being hacked on their own campuses. In October 2018, Business Insider reported accused Russian spy Maria Butina worked on a sensitive cybersecurity project as a grad student at American University. She allegedly conducted interviews to collect information that would be of interest to the Russian government.
As universities continue to be the target of cyberwarfare, industries must protect this vibrant community for science research. To be adequately defended in today’s environment, universities must possess true end-to-end security for user access and protection of data at rest, in motion, and in process. Solutions must allow for universities to issue security tokens while devices (university issued and bring-your-own) are “in the field” instead of being returned to IT and providing secured remote access, whether a device is on a campus network or coffee shop WiFi.
I am excited to see a few leading universities like those within the Texas A&M University System taking security matters into their own hands, working with industry and the Federal government to develop secure enclaves that could be leveraged across a broad network of universities to protect sensitive information and IP from hostile nations. Dr. Kevin R. Gamache, the university system’s chief research security officer, is integrating vendor solutions to protect the System’s authentication, encryption keys and algorithms to assure that all university research is adequately protected.
Further, The Texas A&M University System is deploying a model solution that will allow researchers in higher education to meet all of the requirements for Protecting Controlled Unclassified Information in Non-federal Systems and Organizations, which is stipulated by the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 in accordance with NIST SP 800-171.
Just as our corporations have taken security threats seriously, our universities must do so as well, and Dr. Gamache’s approach could be a model for others to emulate.