While global media outlets have focused attention on election security, major U.S. healthcare facilities have been under direct cyberattack in recent months. This follows disruptive cyberattacks on municipalities earlier this year. These attacks, and the often short news cycles around them, underscore the reactive attention to threats and the inability to foresee or prepare for emerging threats. Too often, industry verticals and their participants use the “not us, we’re too small” approach to security preparedness.
The next emerging threat—which in our view is already present—is to U.S. higher education, a big business due to its ability to generate new industries and technology from the ground up (e.g., social media). Like healthcare facilities and research organizations, higher education institutions and their electronic infrastructure are built for collaboration, which exposes a soft underside to threat actors. This presents serious security risks to the U.S. higher education sector and, in a larger sense, to U.S. national security interests.
As higher education budget pressures continue to grow, U.S. colleges and universities—like their counterparts in Europe, Australia, and New Zealand—have increasingly turned to foreign funding for ongoing operations. Some of that funding is public: China’s Ministry of Education has openly funded “Confucius Institutes” at more than 60 colleges and universities. In recent years, the public funding of educational institutions by foreign governments and enterprises has raised concern about the potential for propaganda and inappropriate influences over students at those institutions. Other influences can be hidden, or more malign—take, for example, the professor at a Boston-area institution indicted for misrepresenting his involvement with a foreign government. Foreign funding is likely to increase, as U.S. educational institutions face a pandemic-induced loss of revenue from traditional sources. Consequently, educational institutions must be fully informed about the potential national security risks and impacts of accepting that funding and allowing access to their institutions.
Last month’s U.S. Department of Education General Counsel’s report on institutional compliance with twice-yearly reporting obligations to the department demonstrates the clear peril foreign funding can create. The report noted the importance of transparency and found that many U.S. colleges and universities have failed to comply with the requirements of Section 117 of the Higher Education Act of 1965 (20 U.S.C. § 1011f), which requires twice-yearly reporting of foreign gifts and contracts the value of which is $250,000 or more, together with the disclosure of any foreign ownership or control to the Secretary of Education. According to the report, transparency “promotes academic freedom, preserves academic integrity, and protects national security.” The report made clear that an integrated governmental approach is required to stem intellectual property theft, espionage, propaganda and sinister foreign influence on U.S. campuses, arising in part from the transfer of billions of undisclosed dollars.
In a global world, cross-border education collaboration is very important. Many legitimate reasons exist for a foreign state to fund U.S. higher education operations or opportunities, including to create mutual trust and understanding between U.S. and international citizens and for the prestige and economic benefits the sponsoring country can receive from having a well-respected U.S. university open a local campus. But because of the critical role U.S. universities play in technological research and development, those benefits come with a price and a responsibility: the potential for foreign state access to cutting-edge research and development, including both the technology and the talent. Indeed, the United States’ Defense Advanced Research Projects Agency—the agency that brought us the Internet—considers U.S. colleges and universities to be integral to the innovation ecosystem that DARPA and other agencies rely upon to ensure the United States’ national security and to fuel the nation’s economic engine. Many universities maintain specific offices to commercialize the results of university research. Ten years ago, $187 billion in U.S. economic growth from the mid-1990s through the mid-2000s was estimated to be attributable to university research efforts. That number can only be higher today.
Receiving institutions should be aware that accepting foreign-source funds both creates reporting obligations and can introduce privacy and data security risks.
First, due diligence is critical before receiving funding or opportunities for foreign collaboration. If the actual source of the funding is undisclosed (as the recent U.S. Department of Education report suggests it could be), it invites questions about whether the institution has established appropriate safeguards to protect the security of sensitive or proprietary information in its possession, or whether it has ensured that research avenues are not being directed by the interests of the foreign funders, rather than a professor’s own academic interests, U.S. national security interests, or the greater good. According to government filings, the professor indicted for allegedly misrepresenting his involvement with a foreign government was part of a programmatic effort by that government to convince U.S. academics to conduct their research in that country, presumably research that the foreign government considered useful. In another example, cited by the U.S. Department of Education’s report, an institution was reportedly granting a right of first refusal on the results of nuclear research to a particular foreign country.
University administrators need to be stewards of their enterprises. For example, administrators must understand the sources of foreign funds they receive and the funders’ likely motivations to ensure that sensitive data is subject to appropriate technical, administrative, and physical controls. This may require actual diligence into the funders, their sources of money, and their intentions. For example, heightened limitations on systems and network access, and increased behavioral monitoring, may be warranted for professors, postgrads, and graduate students working on critical research in connection with international institutions.
While those controls and limitations could inhibit research, those steps may be necessary to preserve the security and confidentiality of sensitive data, especially as it impacts U.S. national security. There is precedent for this: Some colleges already require security clearances for individuals working in certain positions. And in recent years, the CFIUS review process—which considers the impact of foreign investment in U.S. companies—has become more active and far-reaching.
Second, foreign funding, even if disclosed, can create a risk of economic espionage. In a recent example, a foreign state’s “sponsorship” program is alleged to have rewarded participants for stealing proprietary information. Even if the information is not stolen outright, a strategic relationship between a U.S. institution’s laboratory and a foreign university’s laboratory can permit economic influence by virtue of steering the research, through information sharing among individuals in the laboratory, or through relationships with or sponsorships by foreign companies that are obligated to cooperate and support a foreign government.
Moreover, just as big-dollar donors to major university athletic programs can obtain access to head coaches and senior members of the athletic department, large donors to university laboratories and academic departments may expect special access and attempt to use that access to engage in economic espionage or research theft. In this way, an academic researcher could become an unwitting insider threat. Given the valued relationship with the donor, an academic may be more willing to trust the donor and thereby be inclined to share the results of their research with the donor, open emails or attachments containing malware from the donor, or even permit the donor access to computers containing the data, through which the donor can engage in data theft while the academic’s back is turned. The Chinese network and communications infrastructure giant Huawei is alleged to have gotten its start from data and IP theft from U.S. companies. This is not to suggest that all (or even a majority) of donors have “mal-intent,” but the risks of innocent exploitation do exist.
Third, accepting foreign funding can consequentially impact student privacy. China has been alleged to use its on-campus influences to apply its law extraterritorially, reportedly causing students to protect themselves by submitting work anonymously. Depending on the foreign funder’s reach into a university’s campus, a U.S. university could be exposed to potential breaches of the Family Educational Rights and Privacy Act, especially if the foreign funder has access to student records and uses them for noneducational or otherwise unauthorized purposes. Those purposes might include extraterritorial prosecution or identifying potential HUMINT (i.e., human intelligence) sources. For example, a student whose parent is a high-ranking government official or serving in a sensitive role in a critical-infrastructure-sector company could be a particular target, and their educational records may be a useful entry point. All of these factors may result in students not receiving the benefits and protections of U.S. privacy laws, creating potential legal and reputational liability for a U.S. college or university.
In short, foreign funding of, and access to, U.S. higher education presents risks to students and professors alike, including insider threats and the knowing or unwitting creation of foreign intelligence portals. Those threats run from overt acts of bribery to the theft of private information through cybersecurity attacks. Accordingly, U.S. colleges and universities need to be vigilant: They should know the specific sources of funding and ensure there is an established comprehensive security and compliance program that furthers the institution’s mission, promotes transparency, appropriately protects their data and research, and accounts for U.S. national security interests.