In late March, the U.S. Justice Department indicted nine Iranians and accused them of breaking into the computer systems of 144 U.S. universities and 176 foreign universities in 21 countries.
The hackers worked at the Mabna Institute, an Iranian government-sponsored body set up in 2013. Its purpose, prosecutors said, was to help Iranian universities, scientific organizations, and research groups steal access to non-Iranian scientific resources.
Between 2013 and 2017, the hackers waged a phishing campaign targeting more than 100,000 academic email accounts. They succeeded in compromising the accounts of about 8,000 professors, prosecutors said. The hackers then allegedly used the pilfered credentials to steal research and other academic data, such as journals, theses, dissertations, and electronic books.
The hackers’ shopping list included information in all fields of academic research. Prosecutors calculated the value of the pilfered research to U.S. universities at about $3.4 billion. In all, they said, the hackers stole 31.5 terabytes—about 35 billion pages—of academic data.
U.S. chemical and pharmaceutical companies have been victims of intellectual property theft multiple times. The Justice Department indictment against the Iranian institute—along with several cases involving researchers from China—suggests academia also has a problem keeping a lid on research that has yet to be patented or published. Yet even as experts acknowledge a problem, some see crackdowns on intellectual property theft as overreaching or an excuse for discrimination against foreign students.
Big companies have learned to be cautious through many bruising experiences: Among others, DuPont lost titanium dioxide technology, Dow Chemical lost insecticide technology, Lubrizol lost polyurethane technology, and GlaxoSmithKline lost drug research. Universities are only now learning that a system open to the free exchange of ideas also has its risks.
Recommendations for research security at universities include several also useful for personal information:
▸ Establish formal agreements governing partnerships.
▸ Avoid leaving lab notebooks—paper or electronic—unattended.
▸ Install software updates and security patches as soon as they are available.
▸ Use unique usernames and passwords for every account.
▸ Use two-factor password authentication.
Sources: Daniel Golden, ProPublica; University of Indiana
The vast majority of foreign acquisition of U.S. technology is open and lawful, as is the exchange of ideas in scientific and academic forums, says Michelle Van Cleave, a senior fellow at George Washington University who served as a counterintelligence expert in President George W. Bush’s administration.
However, in her April testimony at a House of Representatives subcommittee hearing on foreign spying at U.S. universities, Van Cleave noted that “U.S. academic institutions, with their great concentration of creative talent, cutting-edge research endeavors, and open engagement with the world of ideas, are an especially attractive environment for foreign collectors targeting America’s R&D wealth.”
When asked about the problem, most academics seem unconcerned or don’t want to comment; others see the brouhaha over security as a way to exclude foreign students from their classrooms. The Iranian hacker break-ins raised a few eyebrows but no unified response from academic targets.
When C&EN asked one information technology expert if his school lost any research data to Mabna Institute hackers, he said he “was not authorized to comment.”
An inquiry to a Columbia University chemical engineering professor about efforts to safeguard intellectual property at the school was passed on to Robert Hornsby, an assistant vice president for media relations. “We will politely decline to comment and have no information to share,” Hornsby replied.
Lesley Millar-Nicholson, director of the technology licensing office at Massachusetts Institute of Technology, tells C&EN, “In our research environment we have people responsible for export control, which deals in part with access to certain types of technology created with federal funding.” On the question of hacking, Millar-Nicholson adds, “I am not aware of any training on phishing issues or with MIT having dealt with such issues.”
Megan Donahue, a professor of physics and astronomy at Michigan State University and president of the American Astronomical Society, says phishing attempts must be taken seriously. Yet a more serious problem than spies on campus, she adds, is efforts to restrict student studies because of espionage concerns.
“I’m a NASA-funded researcher,” Donahue explains. “I need to sign a statement acknowledging that Chinese government employees are not involved in NASA research.” She follows the NASA restrictions and says she hasn’t encountered student spying.
The Chinese students in her classroom are there “to get good American university degrees, and they don’t have time to spy,” Donahue says. “I respect what they are accomplishing.” Meanwhile, Michigan State also benefits from the presence of foreign students who pay full tuition. If U.S. rules on Chinese students become too restrictive, “they might go to other countries, and we might be poorer for it,” Donahue says.
The American Chemical Society, C&EN’s publisher, is concerned that restrictions on students from China or other countries could “negatively impact free scientific exchange,” says Glenn Ruskin, senior director for external affairs and communications. While acknowledging that espionage can take place on campus, Ruskin says that “efforts to root out spying would have to be balanced in their approach so as not to unnecessarily impact legitimate scientific discourse.”
But others are suspicious of foreign students and campus groups such as the Chinese government-funded Confucius Institutes that underwrite Chinese culture studies and reach out to Chinese students on campus. Testifying before a U.S. Senate intelligence committee hearing in February, Federal Bureau of Investigation Director Christopher Wray said the institutes are “one of the many tools they take advantage of” to access U.S. technology. He warned that China is using Chinese students and academicians on campus as spies.
Intellectual property theft by Chinese academics is well documented. In 2013, the U.S. Justice Department charged three Chinese researchers working at New York University with taking bribes from a Chinese medical imaging company and a Chinese government-supported research institution. The researchers were working on a $4 million National Institutes of Health grant to improve magnetic resonance imaging technology. Prosecutors alleged the three were sending their research results to China.
One of the researchers, Yudong Zhu, pleaded guilty to a misdemeanor. In 2015, a federal judge imposed a sentence that included a $5,000 fine and home detention for five months. Prosecutors dismissed charges against the second researcher, while the third skipped off to China before prosecutors could indict him.
Daniel Golden, a senior editor at the media organization ProPublica, recounts another incident of espionage in his 2017 book “Spy Schools.” In 2006, Duke University electrical engineering professor David R. Smith welcomed Ruopeng Liu to his lab. Smith’s lab works on metamaterials that can bend microwave radiation around an object, making it hard to detect. Applications for the material include high-performance antennas and stealth aircraft.
According to Golden’s account, Liu succeeded in pilfering ideas from other graduate students in Smith’s lab and publishing their research as his own. Sometimes that research gave Smith credit without Smith’s knowledge.
Liu returned to China in 2010 and has since amassed a large number of Chinese patents on metamaterials. He heads Kuang-Chi Group, a Chinese government-supported firm with interests in areas including metamaterials, telecommunications, and artificial intelligence. A collaboration set up by Liu between Smith’s lab and Southeast University in Nanjing was the vector through which Liu transferred intellectual property from Duke to China, Golden recounts.
Speaking to C&EN, Golden says universities are far behind corporate America in the way they deal with outside collaborators. When businesses work with universities, they provide funds for research with an agreement governing patents and licensing terms for discoveries.
“Universities don’t have a lot of rules when they collaborate with other academic groups,” Golden says. “It’s all kind of loosey-goosey—no more than a gentlemen’s agreement.” As he sees it, academic collaborators need to have formal agreements governing their partnerships.
Additionally, security, particularly cybersecurity, on campuses “is worse than you think,” says Brad Wheeler, chief information officer of the newly established Omni Security Operations Center at Indiana University. Known as OmniSOC, the organization is a data security operation that pools resources from five universities—Indiana, Northwestern, Purdue, Rutgers, and the University of Nebraska, Lincoln—to quickly mitigate cyberthreats.
“The internet was never designed to be secure for the way we use it today,” Wheeler says. On top of that, “people do stupid things” and click on links and open files they shouldn’t, he says. OmniSOC is using the devices attached to its member university networks as a large sensor array to detect “bad traffic patterns and signatures that look nefarious,” Wheeler says.
University members support the 24-hour-a-day data detection operation, which can find threats in minutes and alert universities to secure accounts and the proprietary information they contain. “This is higher education taking care of higher education,” Wheeler says.
But academic personnel across the board still need to pay more attention to possible espionage on their campuses, says Golden, the “Spy Schools” author. He is not against foreign students. “A lot of foreign students stay here and help the U.S.,” he says.
Nevertheless, a few people with ill intentions can cause a lot of damage. Just as Willie Sutton robbed banks because that’s where the money is, spies go on campus, Golden says, because “that’s where the scientists are.”