U.S. Universities Become Ground Zero for Cyber Influence from China and Others

The U.S. is steadily increasing pressure on China, and Chinese companies, in an effort to thwart what many see as aggressive attempts by Beijing to spy on, and exert influence over, U.S. policymakers and other governments.

For example, Secretary of State Mike Pompeo has warned European allies not to use hardware produced by China’s Huawei Technologies, the world’s largest telecom equipment company, arguing that it could be a high-tech Trojan horse for Chinese spying and cyber attacks.

Huawei is positioning itself to become a leader in manufacturing the equipment needed for the next generation of super-fast mobile networks known as 5G. China’s dominance of what could be a transformative market has led to fears among U.S. policymakers that Washington is falling behind in the global battle for digital supremacy.

The latest front in this geopolitical tug of war appears to be universities, which are increasingly seen as vulnerable to espionage and sabotage, not only from China, but from other foreign competitors as well.

In March, Rep. Jim Banks (R-Ind.) introduced the Protect Our Universities Act, which would create a task force within the Department of Education to coordinate universities’ research projects with the intelligence community.

The bill would initially ban technologies produced by Chinese companies Huawei and ZTE Corp., as well as Kaspersky Labs, a cybersecurity company linked to Russian intelligence, from being used in “sensitive” university research projects, as originally reported March 13 by Joseph Marks in The Washington Post.

It’s part of a growing effort to block foreign companies that might pose national cybersecurity risks from accessing U.S. computer networks, whether in government, business or, now, in academia.

The bill would also require students from China, North Korea, Russia and Iran who are working on projects that receive funding from the intelligence community, Pentagon or Energy Department to obtain approval from the head of the funding agency to participate in such a project.

This would be separate from the approval process for classified projects, “which are subject to numerous other security requirements,” as Marks reported.

But the bill, which was referred to the House Armed Services Committee, is likely “not going anywhere,” in the words of a former congressional staffer who spoke to us on the condition of anonymity to preserve working relationships.

It’s not hard to see why: House Democrats, who control the chamber, would likely prefer to put forward their own proposal rather than back one introduced by a second-term Republican.

Both the offices of Banks and Rep. Adam Smith (D-Wash.), who chairs the Armed Services Committee, failed to reply to repeated requests for comment.

Kevin Powers, founding director of Boston College’s Graduate Program in Cybersecurity Policy and Governance, questions whether there is even the need for such a bill.

Anyone working on sensitive projects as part of grants from the National Security Agency, Department of Defense or other government agencies must pass security clearances to view or access any of the research material, Powers told The Diplomat.

Another problem with Banks’s bill, according to the former congressional staffer, is that Democrats could view the singling-out of students from China, North Korea, Russia and Iran as a “bad precedent” that opens the door to blocking students from Muslim-majority countries from working on research projects. It could also keep away vital intellectual talent that benefits U.S. universities and America as a whole.

Powers agrees with this sentiment.

“That’s what universities are: the greatest minds in the world coming together,” he told us.

Security concerns that may exist can largely be resolved by using “protocols” like the required clearances, without “blocking people out of the process,” he added.

But Congress isn’t the only agency out to block suspicious actors. The FBI has launched a counterintelligence operation to prevent Chinese academics from coming to the U.S. if they are suspected to have links to Chinese intelligence, as reported by Jane Perlez in The New York Times on April 14.

“The Trump administration has sought to crack down on what it sees as intellectual property theft by Chinese scientists working at American research institutions,” Perlez wrote. “Last year, it began restricting visas for Chinese graduate students studying in sensitive research fields and warned biomedical researchers at American universities to beware of Chinese spies trying to steal information from their laboratories.”

The goal: to prevent China from usurping America’s global technological dominance. The downside: It could tarnish America’s reputation as a global education leader and deprive it of Chinese intellectual allies.

Regardless of what happens on Capitol Hill or U.S. agencies, several major academic institutions are already taking matters into their own hands. In early April, the Massachusetts Institute of Technology (MIT) said it was terminating all research and funding connected with Huawei and ZTE in light of recent federal probes investigating security risks associated with both companies.

MIT joins the ranks of Stanford University, the University of California-Berkeley and the University of Minnesota in severing research collaboration with Huawei.

MIT also announced that it would review its relationships with countries such as China, Russia and Saudi Arabia to examine potential problem areas involving “intellectual property, export controls, data security and access, economic competitiveness, national security, and political, civil and human rights,” according to the institute.

Closing One Valve of Chinese Influence: Confucius Institutes

But tech giants such as Huawei and ZTE are not the only avenues China could use to infiltrate America’s higher institutes of learning. In recent years, universities have also grappled with the threat of foreign interference and influence on college campuses stemming from fellowships and study abroad programs funded by foreign governments, and — notably — Confucius Institutes.

These Chinese government-backed institutes are partnerships between Chinese and Western universities that typically offer Chinese language and cultural classes to Western students (they avoid more sensitive topics such as politics and history). U.S. campuses are currently home to about 90 Confucius Institutes, which are run by the Chinese Ministry of Education. Their presence initially attracted notice because of concerns that Beijing was essentially using them as a propaganda mouthpiece and a vehicle to censor and subvert academic freedom in the U.S.

Rachelle Peterson, author of “Outsourced to China: Confucius Institutes and Soft Power in American Higher Education,” conducted a two-year study of 12 Confucius Institutes in New York and New Jersey.

“I found that Confucius Institutes operate as central nodes in the deepening relationship between China and Western universities — many of which are dependent on full-tuition-paying Chinese students and desperate for funding for humanities programs,” she wrote in a May 9, 2017, article for Foreign Policy. “But Confucius Institutes also serve as a vehicle for Chinese propaganda, restricting what the teachers they supply from China can say, distorting what students learn, and pressuring American professors to censor themselves.”

More recently, the institutes have come under greater scrutiny as a potential national security threat.

“When national security professionals first sounded the alarm about Chinese partnerships in U.S. universities last year, the academic sector was skeptical and resistant,” wrote The Washington Post’s Josh Rogin in an April 4 article. “Now, through a mixture of external pressure and internal debate, more U.S. colleges and universities are taking a sober look at the Chinese government’s presence on their campuses — and are deciding to curtail it.”

The University of Massachusetts in Boston and the University of Rhode Island (URI) are two of the latest in a string of American, Canadian and European universities that have cut ties with the Confucius Institutes they had been hosting.

UMass-Boston ended its partnership with its Confucius Institute on Jan. 11, 2019. In a statement to the campus community, Interim Chancellor Katherine Newman and Provost Emily McDermott said that, “Following careful consideration, we have decided that a new model, a different arrangement, would better meet the academic needs of our university.”

UMass-Boston has continued its partnership with Renmin University in Beijing to continue offering Chinese language and history courses. But it has essentially cut out the Confucius Institute, which had been the intermediary between the two universities.

A spokesperson for UMass-Boston denied in an email to The Diplomat that the university’s decision was based on security concerns.

The decisions by UMass-Boston and URI closely followed that of the University of Michigan in December 2018.

The more recent closures are likely due to a provision in last year’s National Defense Authorization Act, which authorized millions of dollars in grants for universities seeking contracts to conduct research for the Pentagon.

Under the new law, universities are barred from using Pentagon grants for any program that is supported by a Confucius Institute, including Chinese language programs.

Indeed, in a statement, URI explained that it terminated its relationship with its Confucius Institute because it could have jeopardized federal funding for URI’s Chinese-language program, according to Linda Borg’s Jan. 10 report on URI’s decision in the Providence Journal.

‘Sharp Power’

To be fair, there is scant evidence that Confucius Institutes have threatened the academic integrity of the universities they partner with, or that they directly interfere or manipulate classroom curricula. Oftentimes, the activities they host are benign, such as Lunar Day cultural celebrations. In some cases, they are the only source of Mandarin language classes or other China-related subjects that are key to helping students understand a critical part of the world.

Moreover, Confucius Institutes are not monolithic. Their partnerships vary greatly and, in many cases, benefit both American students and university research projects by bringing in valuable know-how and offering today’s youth valuable insights into an emerging global power.

Nevertheless, the institutes have come under mounting pressure — driven largely by U.S. lawmakers — to address what some see as Beijing’s increasing attempts to influence Western policies toward China.

In December 2017, the National Endowment for Democracy (NED) coined the term “sharp power” to describe how authoritarian regimes, particularly China and Russia, insert themselves into other countries’ political and social institutions to exert influence in ways that are more coercive than “soft power” and ultimately shift those countries’ policies to benefit the authoritarian regimes.

While soft power, as conceived by political scientist Joseph Nye, uses a country’s culture such as music and movies to attract allies, sharp power “enables the authoritarians to cut, razor-like, into the fabric of a society, stoking and amplifying existing divisions,” Christopher Walker and Jessica Ludwig wrote in the introduction of the NED report “Sharp Power: Rising Authoritarian Influence.”

“Contrary to some prevailing analysis, the attempt by Beijing and Moscow to wield influence through initiatives in the spheres of media, culture, think tanks, and academia is neither a ‘charm offensive’ nor an effort to ‘win hearts and minds,’ the common frame of reference for ‘soft power’ efforts,” the report argues. “This authoritarian influence is not principally about attraction or even persuasion; instead, it centers on distraction and manipulation. These ambitious authoritarian regimes, which systematically suppress political pluralism and free expression at home, are increasingly seeking to apply similar principles internationally to secure their interests.”

There are examples around the world of Russia and China cultivating presences in other countries’ media, academia and policy communities. Both Beijing and Moscow, for example, offer exchange programs for journalists to counter the picture often painted of their countries by Western media. Meanwhile, China’s state-run media has been making inroads in Latin America, similar to the expansion of Russia’s state-owned RT in Western Europe and the U.S.

Of course, this does not mean that all Russian and Chinese outreach has a sinister agenda. The two countries are hardly alone in trying to win over public opinion around the world. Every government, including the U.S., wants to create a positive impression of itself and shape policies to support its geopolitical interests.

But given the repressive climates in China and Russia — and the threats they pose to U.S. power — their outreach is viewed with suspicion by many American officials.

And the problem with Confucius Institutes in particular, according to Ludwig, is “the lack of transparency that has tended to accompany how they are established and governed.”

“Faculty and administrative staff at universities where Confucius Institutes have been established are usually not consulted prior to their establishment,” Ludwig told The Diplomat in an email.

“The charters under which the agreements are formed are often kept secured from view by the highest levels of university leadership,” Ludwig added, noting that contributions the university has accepted from the Chinese Ministry of Education’s Hanban Confucius Institute Headquarters are often not publicly disclosed.

In 2014, the American Association of University Professors called on U.S. universities to close the Confucius Institute on their campuses “unless they could get full control over its academic affairs and ensure that institute teachers have the same academic freedoms as their American peers,” according to Borg’s report.

Just months after that letter, the University of Chicago and then Penn State University shut down their Confucius Institutes.

Following these developments, Texas A&M closed its Confucius Institute in April 2018 after U.S. Reps. Henry Cuellar (D-Texas) and Michael McCaul (R-Texas) urged the chancellor to do so in an open letter.

Not everyone agreed with the decision. Marshall Sahlins, a professor of anthropology emeritus at the University of Chicago and a critic of Confucius Institutes, told Elizabeth Redden in an April 9 article for Inside Higher Ed that he’s been contacted by two U.S. congressional committees that are looking into the institutes.

“In the ironic upshot, as the Texas A&M episode shows, agents and agencies of the American government now mimic the totalitarian actions of the Chinese government by dictating what can and cannot be taught in our own universities,” Sahlins warned.

Whether the pressure exerted by U.S. lawmakers rivals the totalitarian apparatus that China has built, however, is questionable. China, for instance, is known to monitor its citizens who go abroad for university studies, and Confucius Institutes are believed to be at least one tool for this type of surveillance.

In 2008, for example, after a 20-year-old Chinese student at Duke University was “caught up in a pro-Tibetan independence demonstration,” she was labeled a traitor and her parents in China were forced to go into hiding, according to a report in the Straits Times.

Protecting Ourselves Online

While universities may be “ground zero” in foreign attempts to muscle in on policy research and monitor dissidents abroad, U.S. universities can also be a testing ground for solutions to keep data secure.

As Powers noted, universities conduct a lot of research, which results in a lot of intellectual property.

“It’s much easier to lose this, or have it stolen, especially in the digital age,” Powers said.

The need to protect intellectual property, together with the perceived threats from China, Russia or other actors covertly gaining access to U.S. computer systems, is one reason why data privacy has become a priority among the many cybersecurity-related issues that Congress may finally tackle in the coming months.

“To the extent that cybersecurity is taken up in this session, it will be in a privacy bill,” said Michael Kans, an attorney who specializes in technology, cybersecurity and defense contracts.

But the effort will be complicated by state efforts at writing their own data privacy provisions, as seen in a sweeping bill being debated in California and a proposed Privacy Act in Washington state, Kans told The Diplomat.


But the fact that states are moving on their own also lends urgency to the task of creating nationwide data privacy regulations. A patchwork of laws could end up giving residents of one state different data privacy guarantees than residents of another state.

“It would be good if we had something consistent in the U.S. that everyone could follow,” Powers said.

The European Union’s General Data Protection Regulation (GDPR), which guarantees EU citizens an array of data privacy rights, has also intensified calls in the U.S. for a similar national solution to keep internet users’ private data secure. U.S. companies operating in Europe must comply with the GDPR, which went into effect in May 2018, but only for customers in Europe.

Support for a U.S. version of the GDPR has grown in light of the cascade of high-profile security breaches in recent years, from the Equifax data breach in 2017, which exposed the personal information of 143 million Americans, to the damning revelations that Facebook has sold access to consumers’ data to third parties.

Powers suggested a framework similar to the GDPR — which gives users more control over their data and holds companies more accountable for breaches — but less “draconian” and still focused on protecting consumers’ personal information. A particularly contentious rule in the GDPR, for example, is the “right to be forgotten,” which allows individuals to have all of their personal data erased — a demand that may not be feasible given the interconnected nature of the internet.

Powers argues that companies that collect people’s private information should be the ones responsible for protecting it. But critics say tech companies, guided by profit, have been unable and unwilling to police themselves, and that some form of government regulation is long overdue.

Yet no one at the federal level has been able to agree on what that regulation should look like, and there is still a long cybersecurity “to-do list” facing lawmakers. For one, Congress still has not passed comprehensive election security legislation to protect voting machines from foreign hacking, as reported by The Diplomat ahead of the 2018 midterms.

The Cybersecurity and Infrastructure Security Agency (CISA), housed in the Department of Homeland Security, was originally hailed by some members of Congress as a central organizing hub that would allow the government to better coordinate and beef up its response to cybersecurity concerns.

But a March report by the Homeland Security inspector general found that CISA is “not adequately staffed” and could be doing more to secure voting machines, according to a report by Zack Whittaker for TechCrunch.

While the new agency addresses some organizational issues, the federal government still has a “fractured response” to cybersecurity, with jurisdictions bumping up against each other from the FBI, U.S. Cyber Command, the NSA, the Secret Service and other agencies, Kans told The Diplomat.

CISA did not respond to numerous requests for comment from its director, Christopher Krebs, for this story.

On a broader level, lawmakers have struggled to come up with a unified response to the wave of tech scandals that have tarnished the reputation of Silicon Valley — including foreign manipulation of social media to divide and dupe American voters; the enormous clout of tech giants such as Amazon and whether they should be treated as monopolies and broken up; and growing privacy concerns as people put more and more of their lives online.

In response to the uproar, Congress is in the process of exploring various privacy proposals. Shortly after the 2018 election, Democrats for instance proposed a so-called “Internet Bill of Rights” to protect people’s privacy. It mirrors many of the requirements set out by Europe’s GDPR and includes guidelines such as the right “to have access to and knowledge of all collection and uses of personal data by companies;” putting the onus on companies to first obtain permission from consumers before using their personal data, i.e. an “opt in” system over the current “opt out” system; and timely notifications of breaches.

Whether this bill of rights goes anywhere, however, is anyone’s guess. While there is bipartisan consensus that the Wild West days of unregulated growth for tech companies are over, reaching an agreement on a universal set of rules to protect people’s data and protect the country against cyber hacks has so far proven elusive.

Campuses as Cybersecurity Incubators

When it comes to cybersecurity, though, it may be universities that help make headway on the issue.

The UMass network of campuses has launched a number of programs to train the next generation of cybersecurity professionals, including UMass-Amherst’s Cybersecurity Institute and its Center for Data Science, founded in 2015.

Boston College’s graduate program in cybersecurity policy may also offer a model for how universities can be a part of developing cybersecurity solutions alongside government.

The students in the program include FBI agents, bankers, lawyers and software engineers — a cross-section of the various industries that confront cybersecurity challenges on a daily basis.

The college also hosts Boston’s annual Cyber Security Conference in partnership with the FBI.

Former FBI Director James Comey and current Director Christopher Wray have both spoken at the conference in recent years.

“The whole idea [of the program] is that cybersecurity can’t be siloed,” said Powers, arguing that a coordinated response will require buy-in from different sectors and actors.

He said government, industry and academia have to work together on finding solutions to cyber threats and adapting to the realities of a complex new online world.

About the Author

Ryan R. Migeed (@RyanMigeed) is a freelance writer based in Boston.