[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
SCHOLARS OR SPIES:
FOREIGN PLOTS TARGETING AMERICA'S
RESEARCH AND DEVELOPMENT
=======================================================================
JOINT HEARING
BEFORE THE
SUBCOMMITTEE ON OVERSIGHT &
SUBCOMMITTEE ON RESEARCH AND TECHNOLOGY
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
SECOND SESSION
__________
APRIL 11, 2018
__________
Serial No. 115-54
__________
Printed for the use of the Committee on Science, Space, and Technology
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://science.house.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
29-781PDF WASHINGTON : 2018
----------------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
HON. LAMAR S. SMITH, Texas, Chair
FRANK D. LUCAS, Oklahoma EDDIE BERNICE JOHNSON, Texas
DANA ROHRABACHER, California ZOE LOFGREN, California
MO BROOKS, Alabama DANIEL LIPINSKI, Illinois
RANDY HULTGREN, Illinois SUZANNE BONAMICI, Oregon
BILL POSEY, Florida AMI BERA, California
THOMAS MASSIE, Kentucky ELIZABETH H. ESTY, Connecticut
JIM BRIDENSTINE, Oklahoma MARC A. VEASEY, Texas
RANDY K. WEBER, Texas DONALD S. BEYER, JR., Virginia
STEPHEN KNIGHT, California JACKY ROSEN, Nevada
BRIAN BABIN, Texas JERRY McNERNEY, California
BARBARA COMSTOCK, Virginia ED PERLMUTTER, Colorado
BARRY LOUDERMILK, Georgia PAUL TONKO, New York
RALPH LEE ABRAHAM, Louisiana BILL FOSTER, Illinois
DANIEL WEBSTER, Florida MARK TAKANO, California
JIM BANKS, Indiana COLLEEN HANABUSA, Hawaii
ANDY BIGGS, Arizona CHARLIE CRIST, Florida
ROGER W. MARSHALL, Kansas
NEAL P. DUNN, Florida
CLAY HIGGINS, Louisiana
RALPH NORMAN, South Carolina
------
Subcommittee on Oversight
RALPH LEE ABRAHAM, Louisiana, Chair
FRANK D. LUCAS, Oklahoma DONALD S. BEYER, Jr., Virginia
BILL POSEY, Florida JERRY McNERNEY, California
THOMAS MASSIE, Kentucky ED PERLMUTTER, Colorado
BARRY LOUDERMILK, Georgia EDDIE BERNICE JOHNSON, Texas
ROGER W. MARSHALL, Kansas
CLAY HIGGINS, Louisiana
RALPH NORMAN, South Carolina
LAMAR S. SMITH, Texas
------
Subcommittee on Research and Technology
HON. BARBARA COMSTOCK, Virginia, Chair
FRANK D. LUCAS, Oklahoma DANIEL LIPINSKI, Illinois
RANDY HULTGREN, Illinois ELIZABETH H. ESTY, Connecticut
STEPHEN KNIGHT, California JACKY ROSEN, Nevada
RALPH LEE ABRAHAM, Louisiana SUZANNE BONAMICI, Oregon
DANIEL WEBSTER, Florida AMI BERA, California
JIM BANKS, Indiana DONALD S. BEYER, JR., Virginia
ROGER W. MARSHALL, Kansas EDDIE BERNICE JOHNSON, Texas
LAMAR S. SMITH, Texas
C O N T E N T S
April 11, 2018
Page
Witness List..................................................... 2
Hearing Charter.................................................. 3
Opening Statements
Statement by Representative Ralph Lee Abraham, Chairman,
Subcommittee on Oversight, Committee on Science, Space, and
Technology, U.S. House of Representatives...................... 5
Written Statement............................................ 7
Statement by Representative Donald S. Beyer, Jr., Ranking Member,
Subcommittee on Oversight, Committee on Science, Space, and
Technology, U.S. House of Representatives...................... 9
Written Statement............................................ 11
Statement by Representative Lamar S. Smith, Chairman, Committee
on Science, Space, and Technology, U.S. House of
Representatives................................................ 13
Written Statement............................................ 15
Statement by Representative Eddie Bernice Johnson, Ranking
Member, Committee on Science, Space, and Technology, U.S. House
of Representatives............................................. 17
Written Statement............................................ 18
Statement by Representative Barbara Comstock, Chairwoman,
Subcommittee on Research and Technology, Committee on Science,
Space, and Technology, U.S. House of Representatives........... 20
Written Statement............................................ 22
Witnesses:
The Honorable Michael Wessel, Commissioner, U.S.-China Economic
and Security Review Commission
Oral Statement............................................... 24
Written Statement............................................ 27
The Honorable Michelle Van Cleave, former National
Counterintelligence Executive
Oral Statement............................................... 39
Written Statement............................................ 42
Mr. Daniel Golden, Author, Spy Schools
Oral Statement............................................... 50
Written Statement............................................ 53
Mr. Crane Hassold, Director of Threat Intelligence, PhishLabs
Oral Statement............................................... 68
Written Statement............................................ 70
Discussion....................................................... 104
Appendix I: Answers to Post-Hearing Questions
The Honorable Michael Wessel, Commissioner, U.S.-China Economic
and Security Review Commission................................. 128
The Honorable Michelle Van Cleave, former National
Counterintelligence Executive.................................. 130
Mr. Daniel Golden, Author, Spy Schools........................... 131
Mr. Crane Hassold, Director of Threat Intelligence, PhishLabs.... 132
Appendix II: Additional Material for the Record
Documents submitted by Representative Donald S. Beyer, Jr.,
Ranking Member, Subcommittee on Oversight, Committee on
Science, Space, and Technology, U.S. House of Representatives.. 134
SCHOLARS OR SPIES:
FOREIGN PLOTS TARGETING AMERICA'S
RESEARCH AND DEVELOPMENT
----------
WEDNESDAY, APRIL 11, 2018
House of Representatives,
Subcommittee on Oversight and
Subcommittee on Research and Technology
Committee on Science, Space, and Technology,
Washington, D.C.
The Subcommittees met, pursuant to call, at 10:01 a.m., in
Room 2318 of the Rayburn House Office Building, Hon. Ralph
Abraham [Chairman of the Subcommittee on Oversight] presiding.
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Abraham. Good morning. The Subcommittee on
Oversight and Research and Technology will come to order.
Without objection, the Chair is authorized to declare
recess of the Subcommittee at any time.
This hearing will be entitled ``Scholars or Spies: Foreign
Plots Targeting America's Research and Development.'' I'm going
to recognize myself for five minutes for an opening statement.
Again, good morning. Welcome to the joint Oversight and
Research and Technology hearing ``Scholars or Spies: Foreign
Plots Targeting America's Research and Development.'' This
hearing is an opportunity to address the vulnerability of U.S.
academic institutions to the threat of foreign exfiltration of
valuable science and technology research and development.
Exfiltration is a new word being used to describe the
surreptitious removal of data, as well as R&D, both of which
we'll discuss today. We look forward to hearing from former
government and private sector experts about the magnitude and
consequences of this threat. We are also interested in learning
what actions must be taken to prevent or mitigate this threat
in the future without stifling the collaborative research
activities that are critical to the United States academic
sector.
Over the past few years, case after case has been reported
at our universities and colleges, all with similar themes.
After obtaining access to data and other valuable information,
individuals, including professors, students, researchers and
visitors--some with strong ties to a foreign nation--attempt to
take that knowledge to foreign governments, universities, or
companies.
As a medical doctor myself, I found one case particularly
concerning. A former associate professor at New York
University, specializing in MRI technology, had been working on
research sponsored by a grant from the National Institutes of
Health. According to prosecutors in the initial charges, this
individual colluded with representatives from a Chinese-
sponsored research institute and concealed the fact that he
patented technology developed with NIH funds for the purpose of
licensing it to a Chinese medical imaging company for literally
millions of dollars.
This case and others demonstrate the targeting of the
innovation and intellectual property from our country's
greatest minds and institutions and, in some cases, the ability
for foreign nations to gain easy access by exploiting the lax
security posture of our academic institutions.
The Science Committee has continuously engaged in vigorous
oversight of federally funded basic research and technology,
particularly research with a clear path to commercialization
and a direct benefit for U.S. businesses and government. A
significant amount of academic research and development is
funded by the American taxpayers. Just last year, the Federal
Government spent approximately $1.5 billion on research and
development, in addition to the even larger amount of funding
provided by private sector U.S. companies and universities.
If this nefarious activity is aimed at recipients of
federal grant programs, then it is the American taxpayers that
are unwittingly funding the technological advancements and
innovative breakthroughs that allow foreign nations to
improperly gain a competitive economic advantage.
China has publicly proven itself to be the most aggressive
in the targeting of U.S. research over the past decade. China
has heavily invested increasing amounts of financial and
physical resources to support a science and technology industry
that is based on the transfer of basic science, which allows
that country to prioritize advanced development and
commercialization over basic and fundamental research.
Essentially, China steals our fundamental research and quickly
capitalizes by commercializing the technology.
While much of the discussion and examples used in today's
hearing may focus on China, I want to be clear that this
committee is very concerned about all foreign nations and
agents that are inappropriately attempting to take advantage of
America's research and development. China's efforts in
particular have provided useful examples to analyze, mainly
because of their open and aggressive tactics. However, the
recent DOJ charges based on Iran's actions are further
confirmation that this problem is not confined just to China,
and we should assume a number of other bad actors are also
making similar attempts.
Taking that into account, bolstering the cybersecurity of
federal information systems has been among the Committee's top
priorities. I am hopeful that the discussion here today will
highlight efforts to accomplish this objective and make
prevention a priority of all recipients of taxpayer dollars.
Whether physical or cybersecurity threats, it is clear that our
academic institutions are not taking all the necessary steps to
adequately protect this vital research.
I look forward to the insight of our witnesses today, which
will help us assess these important issues and determine
whether additional questions need to be asked of our partners
in the executive branch, as well as in academia. We hope to
better understand the next steps that must be taken to
safeguard the competitiveness and security of federally funded
research and development, especially the role of U.S. academic
institutes.
[The prepared statement of Chairman Abraham follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Abraham. I now recognize the Ranking Member of the
Oversight Committee, the gentleman from Virginia, Mr. Beyer,
for an opening statement.
Mr. Beyer. Thank you, Mr. Chairman. I'd like to thank you
and Chairwoman Comstock for holding this hearing.
Vigilance against espionage threats is important on all
fronts from cybersecurity breaches to intelligence gathering by
covert operatives on the ground.
As a committee, we've conducted numerous bipartisan
investigations into cyber breaches. Our June hearing on
WannaCry, for instance, gave us context into the recent Iranian
attacks on hundreds of domestic and foreign universities.
Hacking, however, is but one tool in a suite of techniques used
by intelligence agencies to target U.S. universities.
In cases of academic-related espionage, student researchers
are recruited by a foreign government to study or do research
at an American institution and pass along sensitive scientific
research and technology to the foreign government. American
universities play a critical role in driving fundamental
research and developing innovative technologies for our nation.
The loss of this sort of data can have tremendous economic
consequences, endanger our national security, and diminish our
technological lead in critical technologies.
Although an essential tenet of academia is this open
pursuit of scientific research professors, students, university
scientists need to understand the potential value of their
research to foreign adversaries. They should be properly
educated about potential espionage threats and trained on how
to take appropriate security measures, whether they're online
or at an international conference presenting their research
findings.
What I do not believe what we want to do, however, is pull
the welcome mat from under the more than 1 million foreign
students to come to America to study every year, contributing
more than $36 billion to our economy annually, and creating
hundreds of thousands of U.S. jobs and contributing to
America's academic leadership. And having just finished paying
for the third college education, I'm so grateful for the full
tuitions that foreign students pay, holding down at least a
little bit the price that we have to pay.
The media has recently painted a poor picture of the
academic community being disinterested or naive about the
potential security threats they face. I'm not sure this is an
accurate portrait. The higher education community has several
vehicles they use to identify threats and train their members
to take actions to mitigate their vulnerabilities to attack.
These include the Research and Education Network, Information
Sharing and Analysis Center, the Higher Education Information
Security Council, and the newly formed Omni Security Operations
Center described as, quote, ``a pioneering initiative that
helps higher education institutions reduce the impact of
cybersecurity threats.'' The new group that's based in Indiana
University includes collaboration with Northwestern University,
Purdue University, Rutgers, and the University of Nebraska
Lincoln.
Cooperation in the security arena is critical, and I'm glad
to see this sort of cooperation emerging between universities.
However, these universities also need the cooperation from the
law enforcement and the intelligence community to help ensure
that they're apprised of specific threats or risks.
In 2005, to help foster better lines of communication
between the FBI and the U.S. academic community, the FBI
created the National Security Higher Education Advisory Board
originally composed of 15 Presidents and Chancellors of leading
universities. But, unfortunately, this past February, the
members of this board received a letter from the FBI announcing
their decision to disband it. The letter praised the
cooperation between intelligence agencies, law enforcement, and
academia and said the FBI was exploring the creation of a new
board. Officials in the academic community, however, believe
the board played an important role in helping universities
understand the intelligent risks they face and were both
surprised and disappointed this board was disbanded with no
clear plan to replace it.
So, Mr. Chairman, I'm attaching this letter to my
statement, as well as a letter from the Association of American
Universities, the Association of Public and Land Grant
Universities, the American Council on Education, and the
Council on Governmental Relations all regarding this important
issue.
Chairman Abraham. Without objection.
Mr. Beyer. Thank you.
[The information appears in Appendix II]
Mr. Beyer. Balancing legitimate security risks with
international scientific cooperation is critical to ensure that
we address real risks appropriately and thoroughly while not
diminishing the benefits we have obtained by opening our doors
to foreign students and collaborating with international
partners. We don't stop using computers because they're
vulnerable; we take steps to make them safer. Likewise, we
cannot let concern over academic espionage crowd out the
multitude of benefits from the international exchange of
scholarship.
America's leadership in science and technology is highly
dependent upon its openness to scholars from around the globe.
Any action we take to respond to the threat of academic
espionage must take into account the value of cooperation. The
intelligence community and the academic community should not be
at odds but rather working together to secure our sensitive
research.
So I'm looking forward to hearing from our witnesses today
about how we can balance these two important issues regarding
security and scholarship. Thank you, Mr. Chairman. I yield
back.
[The prepared statement of Mr. Beyer follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Abraham. Thank you. And I now recognize the
Chairman of the full committee, the gentleman from Texas, Mr.
Lamar Smith.
Chairman Smith. Thank you, Mr. Chairman. Also, I want to
thank Chairwoman Comstock for letting me jump in ahead of her.
I have a bill before the Judiciary Committee this morning
that's being marked up, so I'm going to need to excuse myself
shortly, but I will be back to ask questions.
Mr. Chairman, foreign countries' attempts to access and
steal U.S. research and development pose an acute risk to our
national and economic security. In recent months, the public
has become aware that we are under attack from foreign
governments that want to steal our technological secrets and
scientific discoveries and use them for their own purposes.
Just last month, the U.S. Department of Justice showed how
serious the threat is. DOJ indicted nine Iranian nationals for
breaking into university computer systems and stealing
information and intellectual property worth billions of
dollars. This brazen theft was on behalf of the Iranian
government and universities in Iran. This was a widespread and
concentrated campaign. Attackers hacked nearly 4,000 accounts
of professors across 144 U.S. universities. According to
informed sources, the attackers specifically targeted
universities engaged in science, technology, and medical
research.
According to the Justice Department, U.S. universities
spent more than $3.4 billion on creating and developing the
scientific information, academic data, and intellectual
property that was stolen. Nearly $3.5 billion of U.S. research,
some of which was funded by American taxpayers, was illegally
taken and is now in the hands of a hostile foreign nation. This
is just one example.
Unfortunately, Iran is not the only threat. China has
actively and aggressively targeted research and development at
U.S. academic institutions for years. The Chinese Government
has been very clear about its long-range plans for achieving
global domination in critical areas of science and technology.
China, however, has been less than forthright about its
methods, which include theft of confidential information and
technological secrets from U.S. companies, cyber attacks, and
other forms of spying to undermine our national security and
putting sleeper agents at our own research universities to
steal our scientific breakthroughs.
Chinese efforts are concentrated in the areas that it has
prioritized: artificial intelligence, medical science, and
national security. By understanding China's priorities and the
lengths to which it is prepared to go, we can adopt an
effective approach, but the first step is recognizing the risks
we face.
The intelligence community has warned about these threats
for years, ranging from cyber attacks to human manipulation to
break-ins. We know that foreign agents routinely target
American students and educators in their priority areas.
Faculty and administrators must be alert and educated to spot
the warning signs of foreign operations. But many in academia
have been unwilling to accept reality and unwilling to take any
defensive measures to protect their researchers' work, their
universities' scientific assets, and taxpayers' investments.
The University of Texas recently rejected funding from the
China-United States Exchange Foundation, a China-based and
government-connected foundation. The foundation is registered
as a foreign agent representing China. The idea of a university
taking significant funding from an organization controlled by a
foreign government would be contrary to the independence and
safeguards needed in academia. This action by the University of
Texas was appropriate and the type of proactive oversight that
needs to occur at other colleges.
The National Science Foundation's grant guidance is clear:
As grant recipients, universities bear full responsibility for
the management and results of federally funded projects. The
recent indictments of Iranian student-spies and other incidents
are clear warnings about the need for swift, strong action.
This includes improved cybersecurity, educating researchers to
anticipate attempts to steal their work, and more careful
screening of those who come to the United States to study.
I also look forward to hearing from our experts about how
we can build appropriate defenses. On the one hand, we must
maintain the open and collaborative nature of academic research
and development. On the other, we must protect our research and
development from actors who seek to do us harm.
Thank you, Mr. Chairman. I yield back.
[The prepared statement of Chairman Smith follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Abraham. Thank you. I now recognize the Ranking
Member of the full committee, Ms. Johnson, for an opening
statement.
Ms. Johnson. Thank you very much, Chairman Abraham and
Chairwoman Comstock, for convening this hearing today, and
thanks to the panel that agreed to appear before us.
America's superior academic institutions have drawn the
best and the brightest from around the world, and we have
benefited greatly from their contributions. From 1960 to 2017,
foreign immigrants who settled in America won 81 Nobel Prizes
in chemistry, medicine, and physics. In 2016, all six Americans
who won Nobel Prizes in chemistry, physics, and economics were
immigrants. Many of these immigrants came here as international
students.
Academic and intellectual openness are key to the success
of American higher education and America's leadership in
science and technology. However, we do face legitimate and
serious threats from foreign adversaries. They are targeting
our scientific innovations and advanced technologies whether at
our government-funded laboratories, in our industries, or on
the campuses of our universities. The theft of--plunder of our
critical technologies must be clearly addressed and prevented.
Our counterintelligence community must work hand-in-hand
with research institutions to help mitigate the risk of these
threats. These institutions need to be engaged in applying best
practices in their approach to security and know how to
identify acts of espionage. Professors and researchers should
learn more about intelligence activities carried out through
social engineering, networking, and conference participation.
Now is not the time for the counterintelligence community to
reduce its outreach to research colleges and universities.
These bonds should be growing and strengthening. It is vital to
our national security.
However, we need to be careful that any security measures
do not stifle the benefits our country realizes from legitimate
international academic collaboration. At the same time, we
should also examine the reasons why universities find
international students so attractive. Part of the reason is
economic. Nationwide, States have reduced levels of financial
support to our respective public institutions of higher
learning. Universities have responded by cutting financial aid
and raising tuition fees. International students who usually
pay full tuition have helped make up this reduction in funding
and have helped universities balance their books.
This also makes the allure for foreign funding from
students of foreign institutions such as China's Confucius
Institute that offer hundreds of thousands and occasionally
millions of dollars for academic programming very enticing. We
need to make sure that state and federal support for higher
education meets the needs of these vital institutions. It is
vital to our national security.
I look forward to hearing from our witnesses today, and I
yield back the balance of my time.
[The prepared statement of Ms. Johnson follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Abraham. Thank you, Ms. Johnson.
I now recognize the Chair of the Research and Technology
Subcommittee, Mrs. Comstock, for an opening statement.
Mrs. Comstock. Thank you, Chairman Abraham, for holding a
hearing on this important and serious issue. It would be easy
to think about the theft of information from American
universities by foreign students to be the topic of a modern-
day spy novel, but in fact it is a very real problem and,
sadly, not a new one. My predecessor in the House,
Representative Frank Wolf, also worked on this important issue.
Academic institutions in the United States are valued for
their openness, innovation, and collaboration with domestic and
international scientists. Our nation has long been a leader in
science and technology research and development, and
consequently, a magnet for foreign scholars and scientists
seeking to learn from and collaborate with the best.
Unfortunately, various immoral actors have sought to
exploit our openness to steal American ingenuity and innovation
and undermine our system. Such thefts can enable foreign
nations to save themselves billions in research and development
costs and support technological advances that they may
otherwise be unable to make on their own in order to gain an
industrial or, even more troubling, a military advantage.
The FBI has been warning our academic community about these
threats for years, while also urging measures be taken to guard
against such activity. Since much of the stolen information
comes from research funded by federal agencies, these nations
are ultimately stealing ideas and innovations from American
taxpayers like you and me, undermining the policy intent of
federal funding for such research in the first place. It is
imperative that our academic institutions not close their eyes
to the very real threat posed by foreign intelligence spies.
They cannot be blinded by naivete or ignorance when
distinguishing between friend and foe.
But to be clear, the solution is not to shutter the doors
of American universities and colleges to students, researchers,
and professors from foreign nations. The vast majority of
scholars who come to the United States do so to work with our
citizens on scientific discoveries and breakthroughs based on
an open exchange of ideas to benefit the scientific community
and the world.
Finding an appropriate balance between scientific openness
and security concerns is not new, nor is it easy, but it's
essential. As our world continues to be increasingly connected
electronically, with more devices that can be used to covertly
take pictures or scans, it is getting easier for foreign
criminals to steal our information. Other committees just today
are talking to major players on that front, as we know. That is
why hearings like this are important, as they shine a light on
the problem and provide a venue to engage with stakeholders to
identify potential solutions.
I look forward to hearing what our witnesses have to say
and hope they have some advice on how to better distinguish
between scholar and spy so that we may find the balance between
open scientific collaboration and protecting America's research
and development.
As I mentioned, we do have some headline-grabbers here
today, as you might know in the Capitol, but I think this issue
is every bit as important, and I thank the witnesses for being
here today. And I yield back.
[The prepared statement of Mrs. Comstock follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Abraham. Thank you, Mrs. Comstock.
Let me introduce the witnesses now. Our first witness today
is Honorable Michael Wessel, a Commissioner of the U.S.-China
Economic and Security Review Commission. Mr. Wessel previously
worked for the Federal Trade Deficit Commission in 1999 and
2000. He's spent more than 2 decades as a staffer for former
House Democratic leader Richard Gephardt. Mr. Wessel currently
works for the Alliance for American Manufacturing; Wessel
Group, Inc.; and Goodyear Tire & Rubber Company. He holds a
bachelor of arts degree and a juris doctor degree from George
Washington University.
Our second witness is Honorable Michelle Van Cleave, the
former National Counterintelligence Executive. Ms. Van Cleave
is a former staffer of the Science, Space, and Technology
Committee, serving as Counsel in 1989. More recently, she was
Special Assistant to the Under Secretary for Policy and Senior
Advisor to the Secretary of the Army for Homeland Defense
within the Department of Defense from 2001 to 2003 before
becoming the national Counterintelligence Executive under
George W. Bush. Ms. Van Cleave received both her bachelor's and
master's of arts degrees in international relations from the
University of Southern California. She also earned her juris
doctor from the University of Southern California School of
Law.
Our next witness is Mr. Daniel Golden. He's an author of
the book Spy Schools. Mr. Golden is a Pulitzer Prize-winning
writer with his work regarding admissions preferences at
prominent American universities when he worked at the Wall
Street Journal. He is currently a Senior Editor with ProPublica
and previously worked at Bloomberg News from 2009 to 2016. He
received a bachelor's degree from Harvard University. It's good
to have a Pulitzer Prize winner among us.
Our fourth witness is Mr. Crane Hassold, Director of Threat
Intelligence at PhishLabs. Mr. Hassold previously worked for
the Federal Bureau of Investigations from 2004 to 2015 in a
variety of analyst positions. Since that time, he had been
working with PhishLabs in a threat research role. He holds a
bachelor of science degree from James Madison University.
I now recognize Honorable Michael Wessel for five minutes
to present his testimony.
TESTIMONY OF THE HONORABLE MICHAEL WESSEL,
COMMISSIONER, U.S.-CHINA ECONOMIC
AND SECURITY REVIEW COMMISSION
Mr. Wessel. Thank you, Chairs Abraham, Comstock, and Smith,
Ranking Members Beyer, Lipinski, and Johnson. It's great to be
here before the committee, and it's an honor to appear before
you.
My name is Michael Wessel, and I'm a Commissioner on the
U.S.-China Economic and Security Review Commission. While
appearing before you in my capacity as a Commissioner, the
views I express are my own, although of course my views are
informed by the work I and my colleagues do.
This hearing is particularly timely in light of the
President's actions to confront China's policies in the
intellectual property arena. China has stolen, coerced, and
subsidized the massive transfer of intellectual property to
their country from the United States. These efforts have
advanced their economic and military power.
Clearly, not everything is a zero-sum game. Advancements in
science, medicine, technology, and innovation can improve the
lives of all people around the globe, but China is not as
interested in advancing global interests as much as their own.
China has made their priorities public. Most important for
this hearing is China's Made in China 2025 Initiative, which
identified 10 key sectors the government would support to be
global leaders in, which have significant economic and national
security implications. They range from new energy vehicles to
biotech, robotics, next-generation information technology, and
high-tech ships. China is using an all-of-government approach
to stakeout dominant positions in the global market in these
technologies with the commitment of hundreds of billions of
dollars. China will do whatever it takes legally or illegally
to achieve its goals.
My colleagues will talk about many of the illegal means. I
will focus on some of China's key public programs and their
targeting. Perhaps the most well-known program is the
propagation and funding of Confucius Institutes all over the
globe with roughly 100 here in the United States, as was noted
earlier. They are purported to teach Chinese language, culture,
and history. As Politico noted earlier this year, the Confucius
Institutes' goals are little less wholesome and edifying than
they sound, and this by the Chinese Government's own account.
China is willing to influence the current and future
generations of American leaders, their views, and their
research. Last week, Texas A&M terminated its Confucius
Institute after Congressman McCaul and Cuellar wrote that,
quote, ``These organizations are a threat to our nation's
security by serving as a platform for China's intelligence
collection and political agenda.''
Another significant program is known as Project 111. Under
that program was the Thousand Talents program, which is
designed to recruit foreign experts in strategic sectors from
the world's top universities to come to China to assist in
achieving their goals. The target is now 4,000 participants.
Participants receive extensive benefits, including a bonus
payment of roughly $158,000, in addition to salaries based on
previous levels.
The FBI's Counterintelligence Strategic Partnership has
warned that these programs pose a threat to our nation's
academic community. And I quote, ``Chinese talent programs pose
a serious threat to U.S. businesses and universities through
economic espionage and theft of intellectual property.'' The
different programs focus on specific fields deemed critical to
China to boost China's national capability in S&T fields.
The size of the foreign student population of the United
States is significant and raises interest--issues that merit
attention. Of the more than 1 million international students
studying here, China accounted for 32.5 percent of the total or
roughly 350,000. Chinese students have a significant presence
on many campuses and in many labs where critical research is
being done. Many of these labs receive significant federal
funding from the Department of Defense or the National Science
Foundation. At the Berkeley Artificial Intelligence Research
Lab, roughly 20 percent of the Ph.D. students are PRC
nationals. At the University of Maryland's Bing Nano Research
Group, 30 of the 38 postdoctoral researchers and graduate
students are from China. Every one of the visiting researchers
and professors utilizing J visas are from China. The lab
receives support from 15 different federal agencies, including
NASA, DARPA, the Air Force Office of Scientific Research, and
the Department of Energy.
Bilateral scientific cooperation programs also bear
attention as there are questions about the real value of some
of those programs to us. Sunlight is a great disinfectant, and
today's hearing is an important step in that process. Raising
awareness to the potential risks associated with China's
academic activities vis-a-vis U.S. interests is key. In my
prepared testimony, I provided a number of recommendations
about actions that could be considered. In questions and
answers I would be happy to talk about any of them.
We cannot allow the debate and actions on this issue to
fuel the targeting of Chinese people--citizens or people of
Chinese descent. I believe that there can be broad bipartisan
support for commonsense approaches that recognize the diversity
strengthens, not weakens us. Thank you, Mr. Chairman.
[The prepared statement of Mr. Wessel follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Abraham. Thank you, Mr. Wessel.
I now recognize Honorable Michelle Van Cleave for five
minutes to present her testimony.
TESTIMONY OF THE HONORABLE MICHELLE VAN CLEAVE,
FORMER NATIONAL COUNTERINTELLIGENCE EXECUTIVE
Ms. Van Cleave. Thank you so much, Mr. Chairman, and
Members of the Committee.
I had the honor of serving as the first national head of
U.S. counterintelligence. I was appointed by President Bush in
2003, and I have spent the years since leaving office with a
continuing sense of gratitude for the honor of having served in
that capacity and a continuing sense of obligation to share
what I learned. I'm especially grateful, therefore, for the
opportunity to be here this morning to share some of these
insights with you as they pertain to the subject of today's
hearing.
The United States is a spy's paradise. Our free and open
society is tailor-made for clandestine operations. As this
committee is so well aware, American R&D, the engine for raw
ideas and products and capabilities and wealth, is
systematically targeted by foreign collectors to fuel their
business and industry and military programs at our expense.
China and Russia both have detailed shopping lists of
targeted U.S. technologies and specific strategies for
clandestine acquisition, ranging from front companies to joint
R&D projects to cyber theft to old-fashioned espionage. U.S.
academic institutions with their great concentration of
creative talents and cutting-edge research and open engagement
with the world of ideas are an especially attractive
environment for these kinds of activities.
Let me say the numbers are frankly staggering. For every
dollar we invest, some $510 billion annually, we lose most if
not all of that equivalent amount to these kinds of illicit
activities every year. Each year, reports out of U.S.
counterintelligence show numbers that are worse than the year
before. Losses are growing, numbers of foreign collectors are
growing, vulnerabilities are growing, and the erosion of U.S.
security and economic strength is also growing.
So why don't we do more to disrupt these operations before
adversaries make off with our trade secrets, our national
security secrets, and other valuable information? Let me ask
you to hold that thought.
The last time I sat in this witness chair was five years
ago at another Oversight hearing on this very subject. In fact,
Mr. Chairman, as we were sitting here having that hearing, the
case that you referenced, the MRI exfiltration at NYU, there
were surveillance cameras watching them at that very moment.
And toward the end of that hearing, one of the members asked me
very pointedly, ``Isn't there a way we can go on offense? Isn't
there a way?'' ``Yes,'' I answered, ``there is, but national
security leadership must be prepared to change the way we do
the counterintelligence business if we are going to do that.''
So today, I'd like to pick up at that bottom line and get to
that point.
Unlike most other nations in the world, the United States
has never had a national counterintelligence service. Instead,
counterintelligence grew up as part of the distributed
responsibilities of the three operational agencies--the FBI,
whose principal responsibility is to find the spies here and
put them in jail; the CIA, whose job is to make sure that their
clandestine collection operates securely in all the realms in
which it is asked to operate; and the military services, who
have to be worried about foreign intelligence threats to our
military operations abroad.
And they're all very good at what they do. But throughout
our history, most of our history, there was no national head of
counterintelligence to integrate all of these various
activities or to provide a common picture of the threat or to
identify gaps or to warn of these activities. And 16 years ago,
the Congress took a look at this and said this isn't working
right. We have got to make some changes.
The Counterintelligence Enhancement Act of 2002 was passed
to create a national head of counterintelligence to integrate
all these things--to provide warning of foreign intelligence
threats to the United States, to find ways of filling in the
seams so that foreign espionage couldn't exploit those seams,
and to make sure that we were aware of these kinds of strategic
threats to our activities, these kinds of R&D exfiltration, and
broader threats to the United States, information threats,
cyber exploitation, influence operations. These were the things
that the office that I headed was asked to worry about.
And when I served in that job, we took a look at how CI was
distributed in this country, and we said, you know, tinkering
around the edges isn't going to do. We need to make substantial
changes in the way we do these operations. We need to have a
strategic counterintelligence program that knits together
different activities, that characterizes a threat, that gets
ahead of the threat, by understanding how these foreign
intelligence services operate, how they are structured, how
they're tasked, and and what their vulnerabilities are so that
we can get inside of them and stop them before they hurt us.
Unfortunately, the strategy that President Bush issued to
go forth and do these things in a proactive way was never
implemented. Now, why is that? Well, it was signed in 2005.
That was the same year that the Director of National
Intelligence Office was first created. There was a lot of new
bureaucracy and many new priorities, which pulled away
resources and direction from what we were trying to do.
At the same time, the bigger problem was there was no real
strategic counterintelligence program that the new law
mandated, so it was easy not to follow through on these things
because there was no requirement in fact to do that.
I know my time is short, but I do want to urge that we
spend a little time talking more about what can be done and how
effective we could be if we worked our counterintelligence as a
strategic tool of the nation's national security strategy. That
possibility is open to us. And I will suggest to you that if we
continue to just go along with the old business model of how
we've been working case by case by case instead of going after
the service proactively as a target, as I know our professional
community in fact could do if national leadership gave them
that direction, we will continue to have these unacceptable
losses to our nation. Changes are possible. Good things can
happen, but leadership is required. Thank you.
[The prepared statement of Ms. Van Cleave follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Abraham. Thank you, Ms. Van Cleave.
I now recognize Mr. Daniel Golden for five minutes.
TESTIMONY OF MR. DANIEL GOLDEN,
AUTHOR, SPY SCHOOLS
Mr. Golden. Thank you. I'd like to thank the Committee for
inviting me and----
Chairman Abraham. Mr. Golden, if you will push that button
and put that mic on.
Mr. Golden. Thank you. Thanks very much to the Committee
for inviting me. I'm delighted to be here with such
distinguished fellow panelists. In fact, Michelle, I quote her
prior congressional testimony in my book Spy Schools.
My book examines both foreign and domestic espionage
activity at U.S. universities, but my testimony today will
focus on foreign theft of federally funded academic research.
The number of foreign students and faculty has mushroomed
over the past 40 years. In 2016, the number of international
students at U.S. universities topped 1 million for the first
time, almost seven times the total in 1975 and more than double
the 2000 figure. And of course they were basically no Chinese
students here before 1978.
The number of foreign-born scientists and engineers working
at U.S. colleges and universities rose 44 percent between 2003
and 2013, and in key technical fields like engineering and
computer science, American universities award more than half of
their doctorates to international students.
Educational globalization has many benefits: diverse
perspectives in the classroom cross-cultural understanding,
skilled labor for research, collaboration of the world's best
minds, and the advancement of learning. But there is an
alarming side effect. Globalization has transformed American
universities into a frontline for espionage. Some small but
significant percentage of international students and faculty
come to help their countries gain recruits for clandestine
operations, insights into U.S. Government plans, and access to
sensitive military and civilian research. Academic solicitation
defined as the use of students, professors, scientists, and
researchers as collectors tripled from eight percent of all
foreign efforts to obtain sensitive or classified information
in fiscal year 2010 to 24 percent in 2014, according to the
Defense Security Service.
For foreign intelligence services, a university offers a
valuable and lightly guarded target. They can exploit the
revolving door between academia and government. Today's
Professor of International Relations is tomorrow's Assistant
Secretary of State. They can recruit naive students and guide
them into the federal agency of their choice.
Academic research offers a vulnerable and low-risk target
for foreign espionage. University laboratories are often less
protected than their corporate counterparts, reflecting a
culture oriented toward collaboration. Typically, university
researchers aren't required to sign nondisclosure agreements,
which run counter to the ethic of openness. Open campuses also
make it simple to gather intelligence. Spies with no academic
affiliation can slip unnoticed into seminars, student centers,
libraries, and cafeterias and befriend the computer scientist
or Pentagon advisor sitting beside them.
And academia's old-fashioned gentlemanly culture abets
espionage. All it takes for professors in different countries
to agree to collaborate on research is a phone call, an email,
or perhaps a handshake at a conference. There's not necessarily
a contract that explicitly spells out what data or equipment
each side has access to. Many science students and faculty are
unfamiliar with intellectual property safeguards.
University administrations largely overlook this threat in
part for financial and reputational reasons. They're ramping up
enrollment of full-paying international students an opening
campuses abroad, which are often subsidized by the host
countries.
The story of one Chinese graduate student at Duke
University illustrates how vulnerable academic research is to
foreign raiders and how little universities do to protect it. I
came across this saga when, through a public records request, I
obtained the agenda of an October 2012 meeting of the National
Security Higher Education Advisory Board, which I heard today
was recently disbanded. One agenda item stated that Duke
University Professor David Smith, quote, ``will discuss how,
without his knowledge, a Chinese national targeted his lab and
published and exploited Dr. Smith's research to create a mirror
institute in China.'' The episode cost Duke significantly in
licensing, patents, and royalties, and kept Smith from being
the first to publish groundbreaking research.
I soon learned that Smith was a renowned researcher who had
helped launch the fast-growing field of meta-materials,
artificial materials with properties not found in nature. His
lab had invented the first invisibility cloak ala Harry Potter,
although it only concealed objects from microwaves, not the
human eye, and that his lab had Pentagon funding to develop
ways of making weapons invisible.
And I identified the Chinese national as Ruopeng Liu, a
former graduate student in Smith's lab. Through interviews with
Smith and other lab members, I discovered that Liu had left a
trail of specifics suspicious behavior, arranging for Chinese
scientists to visit the Duke lab and photograph its equipment,
passing them data and ideas developed by unwitting colleagues
at Duke, deceiving Smith into committing to work part-time in
China by enlisting him under false pretenses to participate in
the brain-game program called Project 111 that Michael
mentioned, and secretly starting a Chinese website based on the
work at Duke.
After numerous warnings from other members of the lab and
questions from the Pentagon, Smith finally began to suspect Liu
and took away his key to the lab, but Duke still gave him a
doctorate. Liu noted in an interview for my book that the
invisibility research was considered basic but the are
advantages even to stealing open research, mainly saving time
and avoiding mistakes. With a mole in a U.S. university
laboratory, researchers overseas can publish and patent an idea
first, ahead of the true pioneers, and enjoy the consequent
acclaim, funding, and surging interest from top students and
faculty. In fact, a foreign government may be eager to scoop up
a fundamental breakthrough before its applications become so
important that it's labeled secret and foreign students lose
access to it.
Universities should be more smarter and more sophisticated
about the intelligence ramifications of research
collaborations, student and faculty exchanges, academic
conferences, and international admissions. I'd like to see more
training and courses in intellectual property rights,
contractual agreements for cross-border collaborations that
spell out each side's access to data and equipment, and
orientation sessions for conferences on study-abroad programs
that include tips on recognizing come-ons from intelligence
agencies. And if students or alumni are exposed as foreign
spies, universities should deny or revoke their degrees rather
than looking the other way.
As Americans, we're all concerned and rightly so about
foreign intelligence services interfering in our elections.
Like democratic elections, a robust, open, and intellectually
curious system of higher education is a hallmark of our society
we should take pains to protect it as well. Thank you.
[The prepared statement of Mr. Golden follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Abraham. Thank you, Mr. Golden.
Mr. Hassold, five minutes, sir.
TESTIMONY OF MR. CRANE HASSOLD,
DIRECTOR OF THREAT INTELLIGENCE, PHISHLABS
Mr. Hassold. Thank you. Chairs Abraham and Comstock,
Ranking Members Beyer and Lipinski, and Members of the
Committee, thank you for the opportunity to appear before you
today. My name's Crane Hassold, and I'm the Director of Threat
Intelligence at PhishLabs, a cybersecurity company based in
Charleston, South Carolina. The purpose of my testimony today
is to discuss my research and observations on the threat
foreign actors pose to American academic institutions through
the theft of research as a result of cyber attacks.
For background on who PhishLabs is and what we do, we were
founded in 2008, and one of our primary missions is to
identify, understand, and mitigate cyber attacks where the
primary attack vector is phishing. In 2017, we analyzed more
than 1.3 million confirmed phishing sites and shut down more
than 12,000 phishing attacks each month.
For more than 90 percent of targeted cyber attacks, the
initial attack vector is phishing. Phishing is effective
because it takes advantage of emotional responses that are
inherent to human behavior such as fear, anxiety, and
curiosity. Through phishing, threat actors can compromise
personal and financial information, steal data or intellectual
property, and extort victims for financial gain.
Relevant to today's discussion, universities are
particularly susceptible to risks associated with phishing
attacks due to the sheer volume of users that interact with our
network. In December 2017, I identified a series of malicious
domains hosting phishing sites, targeting various universities
in the United States and other countries. Unlike most other
university phishing sites, these were uniquely crafted to mimic
the login pages of university libraries.
Using a combination of technical analysis and open-source
research, I identified hundreds of other phishing sites linked
to the same threat actors that had targeted other universities
around the world. To date, I've identified nearly 800 distinct
phishing attacks linked to this group, which we refer to by the
name Silent Librarian dating back to September 2013. These
attacks, which are significantly more sophisticated than most
phishing attacks I've seen, have targeted 300 different
universities in 23 countries, including 174 institutions in the
United States. It is clear the universities targeted by this
group are not randomly selected. Targets in these phishing
campaigns are generally prominent research technical or medical
universities.
In addition to universities, I also observed other notable
nonacademic American institutions targeted by the group such as
Los Alamos National Laboratory, the Electric Power Research
Institute, and multiple major medical centers. Based on my
research, the purpose of these attacks is to compromise
university credentials and use those credentials to access and
exfiltrate data from university resources such as academic
research databases.
I also identified one Iranian website that was used to
monetize the stolen credentials, which has been in operation
since at least 2015 and, based on data shown from the site, has
been visited more than 1 million times.
Since the beginning of my research into this group and
their attacks, I have worked closely with the FBI to provide
intelligence into the group's tactics and motivations. I have
also partnered with REN-ISAC, an information-sharing
clearinghouse for higher education institutions to notify
targeted universities of imminent or recent phishing campaigns.
As referenced by a few members already, on March 23, 2018,
the Department of Justice indicted nine Iranians associated
with a company named the Mabna Institute. According to the
indictment, this group allegedly conducted phishing attacks
against more than 100,000 targets at international universities
and private sector companies to steal more than 31 terabytes of
academic data and intellectual property. The cost spent by
American universities to procure resources compromised by the
group is reportedly in excess of $3 billion.
The DOJ also alleges in the indictment that much of this
malicious activity was conducted at the direction of the IRGC,
one of the Government of Iran's primary intelligence collection
entities. Based on the evidence detailed in the indictment, it
is likely that the Mabna Institute and Silent Librarian and are
the same group.
It is also important to note that the indictment has not
seemed to deter the group from continuing their malicious
activities. As of the date of this testimony, I've observed 27
new phishing sites created by the group since the indictment
targeting 20 different universities, 10 of which are located in
the United States.
Based on my analysis of these attacks and conversations
I've had with members of the university security community,
there are a range of ways academic institutions can better
prepare and respond to the cyber threats posed by malicious
threat actors. Universities should accept credential phishing
as a significant threat and focus on identifying ways to better
protect their users against them.
Users--universities should place more of a focus on fully
mitigating phishing sites targeting their users rather than
implementing quick responses like simply blocking access to
malicious websites on an internal network that still leave open
the opportunity for further compromise. And, like other
institutions, universities should also invest more in security
training that raises the awareness of students and faculty to
potential cyber threats.
Thank you again for the opportunity to testify before you
today, and I look forward to answering any questions.
[The prepared statement of Mr. Hassold follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Abraham. Thank you, Mr. Hassold.
I thank all the witnesses for their testimony. I'm going to
recognize myself for five minutes for questioning.
Mr. Wessel, Ms. Van Cleave, and Mr. Hassold, I think these
questions will go to you. Is it fair to say that the open and
collaborative nature of U.S. academic institutions make them
inherently vulnerable to the threat of foreign exfiltration?
And if so, how do we strike that balance in protecting our
research and our systems while ensuring collaboration? Mr.
Wessel, I'll start with you.
Mr. Wessel. Thank you, Mr. Chairman. I think, as I pointed
out in my testimony, we can identify what some of the high-
value targets are and focus on those first so that we can look
at critical areas of research that relate not only to the
economic domain but China's national security desires, other
countries' national security desires. One can do a gap analysis
to determine whether, for example, China needs hot engine
technology to be able to develop jet engines for their
fighters.
We can then net back and look at some of those cooperative
research programs, the labs here in the United States that are
doing work with cleared defense contractors or doing it on
their own and try and upscale what the systems in place are to
ensure that our systems are secure, to assess foreign students
who are part of those labs, and make sure we're doing better
analysis of their visas and the connections they have, and to
try and track where the information may or may not be going. So
it's threat analysis and using that to try and identify gaps
and go forward. We also have a lot more to do beyond that.
Chairman Abraham. Ms. Van Cleave?
Ms. Van Cleave. Mr. Chairman, clearly, the academic
community, as you describe it, is open and free, and value the
free exchange of ideas and interaction of all peoples and
that's the way to advance our knowledge and understanding.
Academia is very rich. It is very rich in creative people, it
is very rich in people who are going to have significant
relationships with other creative people throughout the
country. And so from the standpoint of a foreign intelligence
service, here's an opportunity to do the basics of espionage.
It is the opportunity to spot potential sources, to evaluate
those sources, to find people who know other people that can
introduce them to significant potential sources. So for an
espionage service, is academia a great place to operate?
Absolutely, it's a great place to operate.
My point--my principal point to you is to say, look, yes,
we need to have awareness. And awareness is significantly
important, and the more that all Americans can understand the
extent to which they don't want to be taken advantage of by
foreign actors, that is excellent. But we have more to do as a
government as well. It is clear to me that the advantage lies
in being able to see inside of what the foreign intelligence
service is after in the first place. If we know who their
people are and where they are and how they're operating and we
know they're at this university but not that university, we
have the advantage to protect ourselves and to disrupt what
they're doing much more effectively than if all of our eggs are
in the defense basket.
Chairman Abraham. Mr. Hassold, your take?
Mr. Hassold. Thank you. I think from a traditional
counterintelligence perspective, collaboration allows for
things like source recruiting and things like my panelists
previously have said, but from a cyber perspective, I believe
that collaboration centralizes the information that's used by
universities from a research perspective that allows for an
inherent risk by pooling all of the data and research into one
location that can be accessed by foreign adversaries. So I
think from a cyber perspective it's more of a sense of
centralizing the data and making the data more vulnerable for
attackers.
Chairman Abraham. All right. Thank you.
Mr. Wessel, in your testimony you stated that we needed to
act to preserve our own technology and confront China's
predatory and protectionist actions to ensure the existence of
the global commons. Has the U.S. Federal Government taken steps
to confront this at our academic institutions? How would you
suggest we confront China's actions? And what consequences do
we take the appropriate action to do so?
Mr. Wessel. Thank you, Mr. Chairman. Although that probably
would take me a day or two to respond, I don't think we've done
enough to send a message that--both to the Chinese and other
nations but also to players here about the seriousness. As you
probably recall, in May 2014, five PLA hackers were indicted
for going into a number of our major companies here, not
universities but major companies. There's no follow-up action
to that. The indictment was sealed. Those five PLA hackers may
not be able to come to Disneyland, but they're doing quite
well. So there have been few costs to the Chinese or other
nations for what they're doing.
You talked about indictments, et cetera. There are some
one-offs. We have to do a much better job of identifying the
critical technologies that China and other nations want and
enhancing the safeguards around those. And, as the President is
doing now in terms of the theft and coercive taking of
intellectual property by the Chinese is make sure that there
are sanctions that are effective and people understand that the
overall framework has to change. Sanctions to respond to the
illegal activities need to be upgraded. They need to be much
more public. We also need to do a much better job of training
those people here as to what the risks are.
Chairman Abraham. Thank you. My time is up.
Ms. Esty, you're recognized for five minutes.
Ms. Esty. Well, thank you very much.
Again, I want to thank all of you for joining us here
today. This is an extremely important topic.
I represent Connecticut. I have Yale just to the south of
me, UConn Medical Center to the north of me, and so these are
very serious issues for the research institutions that I'm
honored to represent.
To all of you, and based on the anecdotes you shared with
us here today, it seems like there's a very serious lack of
situational awareness of people in the academy. I have a
husband who's not in this field but has a lot of foreign
students. He has grad students. We increasingly in the STEM
fields have--the vast majority of our students are foreign-
born. We have benefited enormously by that openness, but that
makes us extremely vulnerable.
Can you try to drill down for us a little bit on what you
think we can do to raise that level of awareness within
institutions that allows them the freedom that they are going
to want to have and need to have to share widely--that
collaboration is important--but to be aware that with that
openness comes a responsibility to be more on guard? And I
think frankly we have not been. People are becoming aware of
the phishing risks, but maybe not this broader one, don't
really think that it's possible that you might actually have
spies. It's sort of not in the mindset of the academics. So how
do we preserve that openness but raise that awareness?
And if you have thoughts of appropriate ways for us to do
that, I think it's really important because it's not always
laws that we need to be passing. A lot of times it's actually
helping people do the right thing and being aware of what the
risks are. Thank you.
Mr. Golden. I'll mention one or two things. Intellectual
property courses are, at most universities, confined to law
schools, so there's generally not access for, you know, science
students to take them, and, as a result, studies have shown
that relatively few graduates in fields like engineering or the
sciences understand concepts like what is a trade secret. So I
think having those kind of courses or training more broadly.
And the other point I'd make is that, you know,
universities have security people and research security people,
but they tend to be, you know, dependent on professors and
people in the classroom to report something that they see that
might, you know, seem amiss.
And, you know, in fact one case that did happen that I
looked at in my book where there were two scholars visiting
Boston from a university in China that's partly run and funded
by China's intelligence ministry and the scholars were just
kind of visiting all these different universities. They didn't
really have an office at UMass Boston; they were just dropping
in wherever they felt like it, the Northeastern research
security people got a tip and, you know, recognized that we
better monitor what these two people are doing. So--but they're
dependent on professors and grad students to let them know, and
so training or understanding would be of great benefit there.
Ms. Esty. Does anyone have courses already developed and is
that something you could maybe--may be that's something that
needs to be done to do a mini course. Having been a law
student, a lot of law students don't take intellectual property
courses, so I think you're going to need to have something
that's a mini version that's accessible to people but to
realize that these things have real value. You have a
responsibility to safeguard it, and that's part of your
basically fiduciary duty as a researcher and as a student to be
aware of that. And that if you see something, say something
notion. I think there's a lot of times people don't know. And
something may strike them as a little odd but they don't
realize like that could mean something.
And so maybe that's something you can follow up with us
with some suggestions about developing curricula and things
that we could try to get help from the National Science
Foundation and others to work with our research institutions
large and small to have them be more aware of these are the
kinds of things you might see and you should be equipping your
faculty to be aware because, again, I think we're concerned
about clamping down on academic freedom, and so this may lend
itself to awareness at the very least. So----
Mr. Golden. Definitely. I'd be glad to.
Ms. Esty. Well, thank you. I appreciate that. And I see my
time is almost up. Thank you, and I yield back.
Mr. Wessel. If I could just add quickly because it's been
noted by you, Mr. Chairman, and others that much of this
research is federally funded. It's our--your constituents' tax
dollars. There can be ties to that with the universities to
make sure they are putting in place the kind of
counterintelligence and other systems and education in place to
make sure that their professors, their researchers, their
students have a better understanding of what the threat factors
are.
Chairman Abraham. Thank you. Mrs. Comstock?
Mrs. Comstock. Thank you.
The Iran case demonstrates that nefarious foreign actors
use cyber means to access valuable research and development,
and numerous case studies in China, as was detailed, reveal
that human intelligence is used to gain access. And the FBI has
recognized two methods: seeding operations and recruitment
operations. So could you discuss, any of you, any specific
cases that fall into each of these and the methods or means
utilized by the foreign agents to access and exfiltrate
valuable R&D?
Ms. Van Cleave. Well, I suspect Dan has a long list of
particular cases that he can cite, but I just want to confirm
that those methodologies, as well as others, are used
systematically by foreign intelligence services not only on our
campuses but, you know, elsewhere in the country to go after
the things that they are interested in. And it isn't casual.
Sometimes there's a misunderstanding that, you know, maybe it's
just a casual undertaking. That's not the case.
China, for instance, and Russia as well, have very
sophisticated, which is to say highly developed, acquisition
strategies for where they're going, the things that they want,
how they're going to get them. The cyber opportunities
certainly are tremendous now, but old-fashioned espionage is
still very much a part of these activities. And what that says
to me as a counterintelligence professional is that we have an
opportunity. If we can gain the intelligence insights into what
they're doing and how they're doing it, then we have the chance
to get inside of those operations in order to be able to
degrade them or stop them or better protect ourselves.
So whether it's cyber operations that would influence our
democratic institutions and processes or whether it's
espionage, going after our national security secrets or our
laboratories or the research activities in academia, getting
inside of those operations gives us the advantage. And that's
where we've been falling short.
Mrs. Comstock. Okay. And are these actors being recruited
and then sent to the United States to infiltrate in some way
when it's actual people or are they being recruited by other--
you know, here trying to get--what is the recruitment process
when it's human intelligence?
Ms. Van Cleave. All of the above.
Mrs. Comstock. Right.
Ms. Van Cleave. Again, it looks at where are the
opportunities, so you----
Mrs. Comstock. They target--they go for what they want to
access first----
Ms. Van Cleave. Right.
Mrs. Comstock. --and they build the plan----
Ms. Van Cleave. Right.
Mrs. Comstock. --around that?
Ms. Van Cleave. So put yourself in their place. So if you
are a Chinese Government entity that is looking to develop
next-generation ASAT capability and you know that these
specific kinds of technologies are the subject of research at
particular universities here or in laboratories, what do you
want to do? You want to be able to get close to the people who
are close to that. You want to find other ways in to try to
acquire these technologies, and so you're going to use all of
the means at your disposal in order to do that. But it isn't
casual. You're very serious about your objectives, and you know
that this works quite well. The Russians, the same. They used
to build in--and they probably still do--the acquisition of
Western technologies into their design plans for weapons
systems. They knew they could get what they needed here, and so
that would be part of their planning activity. So that very
much is still going on.
Mrs. Comstock. Thank you. Mr. Golden?
Mr. Golden. I could speak to this issue a little bit. I
could give you any number of cases. They're not always where
the government directly sends somebody or recruits somebody. As
Michael mentioned, China has these very aggressive brain-game
programs that provide incentives for particularly researchers
in the United States of Chinese descent to come home and--with
research that they might not have come by honestly. And those
programs have not succeeded in recruiting sort of tenured
professors at top-notch American institutions. They don't
really want to go back to China no matter what the offer is. So
they tend to appeal to sort of fringe professors at lesser
institutions, maybe they don't have tenure, and the message to
them is kind of don't come home empty-handed. So there's kind
of an incentive for them to bring something back.
There was a case involving a research assistant at Medical
College of Wisconsin. Hua Jun Zhao, he basically--his professor
had invented kind of a cancer-fighting compound, and he applied
for one of these brain-game programs saying that he was the
inventor. And the application he sent was basically a duplicate
of a grant proposal that his professor had filed. So there's
that kind of case.
In the Duke case I mentioned, it's not clear if Ruopeng Liu
was actually working for the Chinese Government. More likely,
he was on his own knowing, that this would be welcomed when he
got home. You know, and in fact it was. He got heavily
subsidized by the government and he set up a business and an
institute, you know, but it still kind of, you know, theft of
an American research that he was enterprising enough to go
after essentially.
Mrs. Comstock. Thank you, Mr. Chairman.
Chairman Abraham. Thank you, Mrs. Comstock.
Mr. Beyer, five minutes.
Mr. Beyer. Mr. Chairman, thank you very much. And look,
before I dive into this, I just want to take a moment to again
implore this committee to provide oversight to EPA
Administrator Pruitt. Administrator Pruitt's alleged unethical
behavior, his wasteful use of taxpayer money, his ongoing
efforts to undermine the EPA's mission to protect our
environment and our public health, this warrants serious
Congressional oversight.
I previously requested that Chairman Smith bring
Administrator Pruitt before the Science Committee to testify as
to standard practice, and now, amid daily and abundant
scandals, this is more crucial than ever.
Administrator Pruitt's predecessor, Gina McCarthy, Mr.
Chairman, as you know well, testified before this committee
again and again and again, once just on text messages to her
husband. Administrator--in contrast, Administrator Pruitt has
been confirmed 14 months ago and he has yet to appear before
the committee that has oversight. He cannot be allowed to
continue to sell our nation's clean air and water to special
interests without consequences even without our questions.
And if the President refuses to hold him accountable, then
Congress has to do its job. Science, Space, and Technology
Committee needs to do its job and conduct meaningful oversight.
Thank you, Mr. Chairman, for that digression.
Mr. Golden, your book gives lots of examples about how
foreign intelligence agencies especially from China attempt to
use various methods to obtain sensitive research and technical
information through the use of human sources, spies. Given the
increasing power of digital tools to wage cyber warfare and
collect colossal amounts of data, for example, Mr. Zuckerberg,
who's over at the House Energy and Commerce Committee this
morning, why do foreign intelligence agencies need human
resources at all anymore?
Mr. Golden. Thank you. That's a good question and I don't
have a definitive answer, but I think that cyber and human
intelligence gathering should be seen as complementary rather
than sort of as in competition. I mean, there are insights you
can gain, secrets you can find out that are not necessarily in
the digital world so that, you know, there's a certain body of
information that cyber and data hacking or gathering is vital
to gain, but there's still, you know, many things that people
don't, you know, confide to email, don't put down in writing,
and can be gained by recruiting a source. And other things can
also be done by human intelligence but not by cyber. For
example, recruiting a graduate student and steering him to
apply for a job in a given federal agency is not something that
you can do with a cyber attack, you know?
Mr. Beyer. Do you see any difference in the trade craft,
for example, between China and Russia?
Mr. Golden. I'm not sort of an expert more broadly beyond
academia, but I would say that the China--most of the examples
you find in China or most of what I've learned have to do often
with targeting research, and the Russian examples more often
have to do with seeking political or economic secrets.
Mr. Beyer. Thank you very much.
Mr. Wessel, in your testimony you talked about the National
Security Higher Education Advisory Board created in 2005. And
we learned earlier the FBI disbanded it. Do you think when it
existed that it served a useful function, and how important is
it to have this regular communication between the law
enforcement intelligence communities on the one hand and the
academic communities on the other?
Mr. Wessel. I think that is vital and it should be
reinstated, and I think we need to find other ways of
communicating and collaborating with our universities,
especially, again, those with high-value targets--that are
high-value targets. There are lists of those universities that
are engaged in classified research as it relates to defense
contracts, et cetera. There are some critical areas of cutting-
edge research that we view as the future of America's economy
and our success. And the collaboration is vital. If we view the
academic institutions as a principal threat vector, the
government needs to be doing much more to make sure that our
universities are playing their role.
Mr. Beyer. To continue--thank you, Mr. Wessel--you
suggested that the Confucius Institute, their personnel should
be required to register as foreign agents under the Foreign
Agents Registration Act. How does the Confucius Institute
differ from the Goethe-Institut, the British Institute,
Alliance Francaise?
Mr. Wessel. I can't say that I know all of those other
entities, so I'm not sure I'm qualified to answer other than
the Confucius Institutes have a very clear role in extending
China's soft power at a time when we find them to be
challenging us on many fronts both in terms of such issues as
the South China Sea and geopolitical issues but also again
militarily and economically. So with my work on the China
Commission, that's what I focus on, not what some of the other
countries are doing, so I'll have to get back to you on that.
Mr. Beyer. Okay. All right.
Mr. Golden. I could speak to the--that issue a little bit.
Mr. Beyer. Mr. Golden, only if the Chair--the new Chair--
perhaps we will cycle back to it because my time is up.
Mr. Golden. It's okay.
Mr. Beyer. Thank you very much.
Mr. Higgins. [Presiding] Thank you. And the Chair--my
Chairman has excused himself for a moment, so I'm going to
recognize myself for five minutes of questioning.
Ms. Van Cleave, just to clarify for the American people
whom we serve, we're understanding today, and based upon
research of myself and my colleagues prior to this hearing,
that the American people are funding, through university
grants, the Federal Government harvests treasure from the
American people to fund university grants that go to research
and development programs at our universities. Those research
and development programs designed to enhance the economic
strength of America and the military might of America, the
predominance of American university-level research, and that
research is being stolen and harvested by foreign nationals and
brought to their own nations in order to give those nations
predominance, as paid for by the American people. So
essentially the American people are funding the predominant
position of foreign nations, is that correct?
Ms. Van Cleave. Very well put, Mr. Chairman.
Mr. Higgins. Let me ask you, regarding university grant
applications for research and development, do those
applications include any verification of policies or procedures
that are in place at that university to protect intellectual
properties and to confirm that they have cybersecurity systems
in place and even general security systems in place? Does a
grant application right now include any sort of confirmation
that that university has the ability or even the intent to
protect the research and development that we would fund through
that grant?
Ms. Van Cleave. Certainly through classified research
grants, I know very careful restrictions like that are in
place. I think some of my other panelists can speak to open
grants.
Mr. Higgins. Comment?
Mr. Wessel. Just----
Mr. Higgins. Mr. Wessel?
Mr. Wessel. Just as it relates to nonpublic meaning, you
know, when a pharmaceutical company goes to a research
institute for collaborative research on, you know, cancer
drugs, et cetera, there are extensive documents about what
security measures they may--they must put in place,
nondisclosure agreements, et cetera. My understanding is for a
number of federal programs that does not exist.
Mr. Golden. When research is export-controlled, you know,
then it's limited to certain countries so students need
approval and some that can't get approval sometimes. Basic
research, I don't think there's many security provisions,
although on the Duke case I mentioned, when they then published
an article that showed that some of the funding was from the
Chinese Government on this invisibility research, you know, the
Pentagon funders got upset and contacted the professor and--who
put a--who ended that, so there are some monitoring there.
Mr. Higgins. Thank you for those answers. In my opinion, to
my colleagues I suggest that grant applications should include
some verification of the levels of training and awareness that
we are certainly highlighting today.
Mr. Hassold, through your work, you found that at least 144
universities were breached by Iranian hackers over the last
five years. These hackers took 31 terabytes--that's my
understanding--31 terabytes of R&D-related materials. Were
these universities being targeted specifically because of the
research conducted there?
Mr. Hassold. So those numbers came from the DOJ indictment.
The numbers that I have found is 174 American universities that
have been targeted by this group. The firsthand observations
I've been able to see is that the purpose of that targeting was
to get access to the centralized academic databases that most
American and most Western universities have access to to
exfiltrate research articles from those databases. Of course,
the--one of the clear indications based on the targets that
have been selected in those attacks is the possibility that
research specific to certain universities is exfiltrated. When
you look at some of the targets, some of the high-profile
targets that the U.S. Government works with, there's that
possibility. I think that's hinted at in the indictment but
that is secondhand information that I have.
Mr. Higgins. And do you agree that universities should
provide proper training for their professors, researchers, and
staff to defend against cyber threats? Do you agree with that
assessment?
Mr. Hassold. Absolutely 100 percent.
Mr. Higgins. I would suggest to my colleagues that today's
hearing has made clear the extent to which our nation's
research and development is targeted and exposed, and witness
testimony confirms this threat is real. We must ensure that
universities are taking this threat seriously and understand
the precautions being taken to safeguard their equities. I
believe we would greatly benefit as a nation by hearing from
our universities on this matter, and I hope this committee
continues to take action on this issue.
My time is expired. The Chair recognizes Ms. Bonamici from
Oregon for five minutes.
Ms. Bonamici. Thank you very much, Mr. Chairman, and thanks
to the Chairs and the Ranking Members and our witnesses for
testifying today. I appreciate the concerns of course that were
raised in the testimony and by our colleagues, but I also want
to acknowledge the immense benefits economically, socially, and
academically of welcoming foreign students to our academic
institutions. This is about finding the right balance.
When informed of this hearing, my alma mater, the
University of Oregon, was proud to point out that they have
long sought international students not only for the
intellectual and cultural diversity they bring but also for the
opportunity to encourage American students to be more globally
aware and engaged. With that in mind, I hope our focus today
can be finding that appropriate balance to make sure that our
universities are secure and vigilant but also accessible hubs
of learning and creative exchange.
And I want to thank Ranking Member Beyer for asking about
the National Security Higher Education Board. It seems that
that is something that we could work on together to make sure
that that is reconvened and operating because I know it's been
beneficial to universities in my home State and across the
country. That's been a useful venue for the academic and
security communities to discuss those challenges.
I wanted to ask, we know that there are many American
students who study abroad and academics as well working abroad
who could be vulnerable to recruitment or unwitting involvement
in espionage by a foreign actor. So could any of you describe
what, if anything, we're doing to protect and prepare our
students, professors, and researchers from being exploited when
they are abroad? Mr. Golden, you look like you are turning on
your microphone.
Mr. Golden. Good observation. The--thanks. You know,
there's one renowned case in this field of Glenn Duffie Shriver
who had been a student at Grand Valley State and soon after he
graduated he went to China--he went to China first in college
in a study-abroad program and right after--and was recruited by
Chinese intelligence and they--you know, they paid him to take
the foreign service exam but he failed and then they paid him
to try and enter the CIA and he was caught and imprisoned. And
the FBI made a video about it called Game of Pawns and----
Ms. Bonamici. Widely panned I might----
Mr. Golden. Yes, it wasn't that well-received but it also--
you know, they tried to get universities to show it in their
orientations for study-abroad programs, and the universities, a
lot of them objected. They felt they had limited orientation
time. There's a lot of things to orient the students about, you
know, local conditions, what do you do if you're ill, stay away
from drugs, whatever, and so most of them did not show it. Now
that might have been a good decision on aesthetic grounds, but,
you know, there probably could be some, you know, discussion of
some kind of orientation for students before they go overseas,
as well as for the professors----
Ms. Bonamici. Right.
Mr. Golden. --who lead those trips and because they are,
you know, playing in the other country's territory and they are
potential targets.
Ms. Bonamici. I believe that was back in 2014 that video
was made. That could be something that we could discuss as well
to make sure that there is something meaningful.
Last December, the White House released its national
security strategy that indicated that the Trump Administration
plans to consider restrictions on foreign STEM students from
designated countries to ensure that intellectual property is
not transferred to our competitors. Mr. Golden, you were quoted
in an Inside Higher Education article responding to when FBI
Director Christopher Wray testified, and you said, quote, ``The
vast majority of Chinese students are just here to learn and
maybe do research and they bring energy and intelligence and
fresh perspective to American higher education. They're quite
valuable. It would be wrong and unfair to assume that some very
large proportion of them are here for clandestine purposes.''
And I appreciate that, and again, this is about finding the
balance.
Can you talk about the concerns or the problems that might
come from casting an entire group of students, researchers, and
professors from a particular country as a danger to national
security based on that country of origin, and how might that
hinder our ability to attract the brightest minds around the
world to study, conduct research, and work here in the United
States?
Mr. Golden. Sure. Yes, in general, the globalization of
higher education I think is a wonderful thing, and the
advantages outweigh the drawbacks. And the students from China
and other countries, they come and, you know, many of them are
extremely bright and wonderful researchers and contribute to
research done in the United States. And in fact, you know, the
great majority--although the percentage has gone down some, the
great majority who come over as graduate students or get their
doctorates here stay here for, you know, at least five to ten
years after or make their whole careers here. And then, you
know, the research they do, you know, redounds the benefit to
the United States rather than China.
I mean, particularly since Tiananmen Square, that's been
the case. And if you look at it in that light, China almost
has--you know, they're losing so much talent that that's why
they're having these aggressive brain-drain programs and that's
why they feel probably pressure to use espionage because, you
know, so many of their best and brightest are making their
greatest discoveries in the United States for the benefit of
American universities and the American economy and the American
Government.
So, you know, I think it would be a mistake to, you know,
turn off the faucet of bringing Chinese students to this
country, and instead, that's why we ought to look for more--
other things such as, as I mentioned, intellectual property
classes, more collaboration agreements that spell out what can
and can't be done on each side and those kinds of things
because, you know, foreign students contribute a great deal to
the United States in any number of ways.
Ms. Bonamici. Thank you. I see my time is expired, but as I
yield back, I want to note that there have been several topics
here that we could work on on a bipartisan basis to make sure
that we're protecting our universities and our data. And thank
you very much. I yield back.
Mr. Higgins. I thank my colleague.
And Mr. Loudermilk from Georgia is recognized for five
minutes for questions.
Mr. Loudermilk. Thank you, Mr. Chairman. And I agree with
Ms. Bonamici. This is something that should be bipartisan. It
is something definitely concerning to me, and it should be to
not only every member of this committee but Congress and those
in the universities. This is a meeting of two areas of which I
have experience and a great interest working in intelligence
and technology in the Air Force.
I was greatly concerned when it was mentioned that Sandia
Labs has been a target. Working with Sandia Labs in the past I
know the type of research and development they do, and it is
definitely of a national security concern with me and even with
other research institutions that I work with in this capacity
and that I have in my 20 years in the IT sector. This is an
area that should have much more attention than we are giving it
right now.
And, Mr. Golden, I want to congratulate you. There is a
waiting list for your book at the Library of Congress, which I
am on, so apparently it is beginning to grow.
Mr. Hassold, as you've mentioned, you've conducted
extensive work on the Iranian breach at these institutions and
provided the FBI with your findings. Can you walk us through
how the Iranians were able to breach these university systems?
Mr. Hassold. Sure. So with any phishing attack, it always
starts with the lure that is generally email-based. All of
these attacks were--had email-based lures. So they were sent
out to a number of different students and faculty. Some were
very targeted, as is referenced in the indictment from a couple
weeks ago. Some were more general, sent to a wider range of
students and faculty. When you look at those lures, they are
incredibly sophisticated. The spelling, grammar, the things
that you traditionally look for to identify potentially
malicious emails, everything there has been perfect.
And one of the--I think the interesting and notable aspects
of them is that they have barely evolved over time. If you look
at a lure from three years ago, I had--I found a lure from
three years ago that targeted American University, and I found
another lure targeting an Australian university just 3 or 4
months ago. The content of those emails were exactly the same.
And I think one of the interesting parts of that is sort of it
denotes the probable success rate that the threat actors had
with using those lures.
So the lures were very sophisticated. They--if you look at
some of the information that was contained within them, it's
clear that they did probable manual reconnaissance to collect
information that is targeted to the university specifically
that makes them more persuasive. From the lures, you go to the
phishing sites themselves. The content of the phishing sites is
a near replica of the legitimate login pages that someone would
see if they're going to the actual site. The URLs were
patterned to look extremely similar to the actual login page.
And then after someone enters information into those phishing
pages, they would generally be sent off to what we would call a
drop email account, which is generally a temporary email
account where the compromise credentials are received.
Mr. Loudermilk. Okay. And if we could bring up--I've got a
couple of slides--screenshots of the landing page.
[Slide.]
[GRAPHIC] [TIFF OMITTED] T9781.091
Mr. Loudermilk. The one on the top is the actual University
of Pennsylvania library page. Actually, the top one is the
phishing site. I'm correct--corrected, and at the bottom is the
actual. This is incredible. I mean, this is highly
sophisticated. It indicated to me, looking at this, that this
is not just a rogue actor. This has state sponsorship. There is
a lot of work gone into this, which, from the technology
standpoint or an IT standpoint, you're only going to put this
type of effort to go after a highly valued target and--which is
really concerning.
And based on your experience with this and the other work
that you're doing, how vulnerable are these institutions as
compared to, let's say, our business community or corporations?
Are they more--is academia more vulnerable or less?
Mr. Hassold. I think one of the primary vulnerabilities for
the academic community is not that--is not that different than
the--than most other industries and most other businesses. I
think the challenge, as I said in my testimony, is that you
have a number of different components that feed into the
university network. You have students, you have faculty, and
then you have employees--
Mr. Loudermilk. Right.
Mr. Hassold. --and each of those need to have awareness and
training. And by nature of the academic community, a lot of
those members are transient, so the ability to train them and
give them like fully--a full awareness of the actual risks is
much more challenging than some other businesses where most of
the employees are sort of centralized and you have a better
opportunity to train them.
Mr. Loudermilk. Are they a softer target? And then a lot of
times we look at often more effort is put into going after--
well, if you have two targets of high-value, you're going to
put more effort in the softer target than the harder. Are the
universities a softer target than, let's say, the corporations
because of the--what you just laid out for us?
Mr. Hassold. I think that they hold sort of like--sort of
like you mentioned, they hold specific value to the people who
are targeting them, so I don't think they are softer and the
technical defenses are that much worse than general businesses,
but I think they hold a certain value to the people who are
targeting them that's much different than you look at the
reasons that generally--general businesses are being targeted.
Mr. Loudermilk. Okay. I do have several other questions but
I see my time is expired, so if we do a second round or if
somebody else yields any, I'll have a couple other questions
for you.
With that, Mr. Chairman, I yield back.
Mr. Higgins. I thank my colleague.
And Mr. Lipinski from Illinois is recognized for five
minutes for questions.
Mr. Lipinski. Thank you, Mr. Chairman.
And I want to thank the Chairman and Ranking Member for
holding this hearing. Certainly this is a very important issue.
I have been very outspoken about the theft of intellectual
property, especially by Chinese actors, but others around the
world. It's a great threat to our economic security. I, though,
think that we need to make sure that we're using a scalpel and
not an ax to this problem.
I appreciate Mr. Golden's comments about the value of
having foreign nationals come to study here in the United
States. So many Chinese have come here, as you mentioned, Mr.
Golden, and have contributed to the United States not just both
research-wise and also in regard to helping economically our
nation.
As an academic, I understand that, you know, my impression
is that there is a lot more that can be done in order to make
sure that our academic researchers are aware of the threats
that are out there, nothing that I was doing--when I was doing
my research was--would've been of interest to anyone
economically for espionage, but--or for any reason like that,
but I know Mr. Golden had mentioned a few things that you think
should be done to improve security at universities and
awareness by professors and students of potential intelligence
threats they face.
I want to know if there's anything else that any of our
panelists wanted to add that can be done that you think
universities should be doing, and is there any way to encourage
universities to do more of improving awareness of faculty
members, staff, and students at universities? Ms. Van Cleave?
Ms. Van Cleave. Congressman, I understand that within the
56 field offices of the FBI one of their responsibilities is to
be able to work with universities within their jurisdictions to
be able to raise awareness. So to have good relations between
the field offices of the FBI and the universities is something
where one would encourage university leadership to take
advantage of that kind of awareness opportunity that the Bureau
represents, and we've asked them to take on the job.
But I'd also like to interject something to sort of round
out the picture here. We've talked about the value--the
extraordinary value of having international students here on
our campuses, and it's good for us, it's good for our student
population, it's good for America generally to have them here.
And we've also said it's good for the foreign students who come
here. Their lives are enriched, and especially those who are
coming from countries that may be closed or may not have our
freedoms and liberties.
And we are welcoming them here and showing them perhaps a
different way, a new way of life, which leads me to interject
this: The foreign intelligence presence on our universities is
not limited to trying to develop sources or trying to access
our research. There is yet a third purpose behind their
presence on our university campuses. For some countries that
purpose is to enforce their security concerns about their
foreign nationals who are present there. So look at it from the
standpoint of those young students who may be here experiencing
new things, while at the same time, they know they're being
watched. And that is something that I find to be troubling. So
I think we should be also aware of that purpose of the foreign
intelligence presence on our universities.
Mr. Golden. That's actually--I think Michelle makes a very
good point there because there's always--there's been a feeling
at several universities I think that in some classes Chinese
students may be afraid to speak candidly for fear that other
students are keeping an eye on them and reporting back. You
know, and there's been recent publicity about--I think it's
called the Chinese Student and Scholars Association and its
connection to the Chinese Embassy. And I spoke to Derek Bok,
the former President of Harvard, for my book and he said that a
professor at Harvard Law School at one point had come to him
and said Chinese students were telling them they couldn't speak
candidly in class because of that fear. And Harvard tried to
figure out what it could do about it and couldn't come up with
anything.
Mr. Lipinski. Well, I was going to ask, what can be done
about that?
Mr. Golden. Yes, he said they just didn't have the capacity
to try and investigate that on their own. Harvard didn't know
what to do, so I don't think they did much of anything. But it
is another concern of students feeling like they don't have the
freedom to speak up.
Mr. Lipinski. And anyone else, any suggestions,
recommendations, incentives that we could give to universities
to make sure that they are, you know, paying attention to all
of these issues?
Mr. Hassold. I think one of the things that--one of the
focuses is--that we talked about today is cooperation between
universities and law enforcement. I think there also needs to
be more cooperation between universities themselves. Mr. Beyer
earlier brought up REN-ISAC, which is an absolutely fantastic
resource that universities have access to. It's very much a
centralized repository of knowledge specifically for cyber
attacks targeting universities. As I understand it, I've gotten
to know the folks over there pretty well over the course of my
research. Their operational team is only about a half dozen
people at this point, and they handle about, you know, a couple
hundred institutions. Those types of entities are--would be
much more valuable to the university as a whole so they
understand what's going on, targeting other universities and
not just what's going on targeting their own university.
Mr. Lipinski. Very good. Thank you. Thank you, Mr.
Chairman, for the extra time.
Mr. Higgins. I thank my colleague, and I recognize Mr.
Marshall from Kansas for five minutes for questioning.
Mr. Marshall. Thank you, Mr. Chairman. My first question is
for Ms. Van Cleave.
Ms. Van Cleave, I'm a freshman Congressman, and one of my
jobs is trying to prioritize and figure out how big problems
are. There's plenty of problems for us to solve. You know, our
trade deficit was a $575 billion problem. I've been told that
this intellectual theft may be worth $500 billion, $1 trillion.
Can you kind of put a number to it or just a wild guess on how
much is this impacting our country every year?
Ms. Van Cleave. So the Intellectual Property Commission
headed up by Admiral Blair and Ambassador Huntsman first met in
2013 and issued a landmark report. They updated it just last
year, and their estimate is $510 billion roughly in
intellectual property theft in the last year.
Mr. Marshall. And all that could basically buy down our
trade deficit. That's amazing.
I think I'll go to Mr. Wessel next. Mr. Lipinski talked
about using a scalpel. I would talk about using a laser. If you
were to focus on the companies that are the bad actors, the
cheaters, the people that are basically robbing our banks, what
are we doing now to punish them? What could we do? Why aren't
we punishing these people that are trying to steal--and
stealing the bigger companies? Is anything happening?
Mr. Wessel. There are some things happening at--you know,
the problem, as identified by the Commission and many others is
ongoing and, you know, there's no way to get your hands around
it all the time. But the failure to have significant ongoing
sanctions has sent a message that much of what goes on you can
get away with.
You may recall that President Xi and President Obama signed
a memorandum of understanding on the use of cyber espionage for
economic gain. The problem was that the Chinese don't view
economic gain as, you know, a separate inbox on the President's
desk. Economic and national security are inextricably
intertwined. So part of the problem is making sure we define
the issue, we have coherent responses, and that there are real
sanctions and costs for what happened.
I mentioned earlier about the indictments of the five PLA
hackers for going into five U.S. companies, Westinghouse, a
number of others. The indictment was sealed. There's been no
follow-up action.
Mr. Marshall. And when you say sanctions, can we do
sanctions just on companies rather than entire countries?
Mr. Wessel. Yes, you can. I mean, we've had--there--in
those--that situation there was a tasking, meaning that certain
companies ask the Chinese Government for information or work
with them to get it. The information was obtained through five
PLA hackers and transferred back to the companies. And then
that was utilized. U.S. Steel filed a case at the ITC on this
trying to have a sanction that was ultimately ruled--the case
was thrown out. There are ways of looking at what has been
taken, what has been applied in the market and sanctioning
specific companies where also a broader problem that's going to
need a more general solution to.
Mr. Marshall. Give me an example of something that we as
Americans would consider intellectual theft that the Chinese
wouldn't, that it's okay? That--you kind of mentioned something
there that I didn't quite follow that.
Mr. Wessel. No, when they were--after they signed the
agreement, there was this view that China was going to limit
its cyber incursions into the United States and the prohibition
or the agreement was it was not going to affect economic
issues. They wouldn't do it for economic gain. But China views
their economic progress, their security, their growth rate as
part of their national security. If they can't----
Mr. Marshall. So their means justifies the ends? It's
okay----
Mr. Wessel. Correct.
Mr. Marshall. --to cheat as long as it benefits----
Mr. Wessel. Correct. Their----
Mr. Marshall. --their national security so to speak?
Mr. Wessel. Correct. And a different definition. They
didn't view it as economic espionage; they viewed it as----
Mr. Marshall. Yes.
Mr. Wessel. --enhancing their national security.
Mr. Marshall. Mr. Golden, what would you do to microfocus,
to laser in on the companies that are cheating?
Mr. Higgins. Would the gentleman turn his mic on, please?
Mr. Marshall. Okay.
Mr. Golden. So I focused--my book is about espionage in
academia and higher education----
Mr. Marshall. So, great. So people are espionaging
intellectual property from universities. What would you do to
punish them? What are we not doing? Why do we just turn her
head and say it's okay?
Mr. Golden. Well, yes, that's a good question Congressman,
and I can speak to that. You're right; there has been a number
of examples where, you know, people have been caught spying,
and the universities have not really punished them. For
example, the case a few years ago of the Russian illegals in
the United States, the 10 Russian illegals----
Mr. Marshall. Right.
Mr. Golden. --the case that gave rise to the show The
Americans, seven or eight of them had been in U.S. universities
and one of them had gone to Columbia Business School, and
evidence came out that her role there had been to recruit
classmates and professors, and yet Columbia didn't revoke her
degree when it came out that she wasn't Cynthia Murphy, she was
Lydia Guryeva and she was working for Russia.
Mr. Marshall. We're over my time. I'm sorry. I yield back
the rest of my time. Thank you.
Ms. Van Cleave. Mr. Chair, if I might interject, I need to
correct the record of an answer I just gave a moment ago. The
$510 billion figure which I cited in fact is the amount that we
annually invest in R&D, but consulting my notes of the
Huntsman-Blair Commission report, they had this to say last
year: ``We estimate that at the low end the annual cost to the
U.S. economy of several categories of IP theft exceeds $225
billion with the unknown cost of other types of IP theft almost
certainly exceeding that amount and possibly as high as $600
billion annually.''
Mr. Marshall. Six hundred billion?
Ms. Van Cleave. Yes.
Mr. Marshall. Yes, thank you.
Mr. Higgins. I thank my colleagues, and if our panelists
will accommodate us, we'll have a second round of questioning
if you can all stay. Thank you. I recognize myself for five
minutes for questioning.
Mr. Wessel and Ms. Van Cleave, the China-United States
Exchange Foundation, a China-based and government-connected
foundation, is registered as a foreign agent representing
China. Do you find it concerning that some universities in the
United States have accepted funding from this foreign agent,
and how should universities handle outside organizations like
this when it comes to potential funding? Mr. Wessel?
Mr. Wessel. I find it very troubling and talk about that
briefly in my testimony. It's a function of a number of things,
including the funding problems I think was referred to earlier
that we face with higher education. They are seeking these
funds. They are seeking foreign students who often pay the full
boat when they're applying.
I think, number one, we should be monitoring their
activities. Number two, we should be requiring that students
who attend those programs be informed of the nature of the
sponsorship. The curriculum, the personnel are chosen by the
Chinese Government or those working for the Chinese Government,
and their materials should have a disclaimer on it so people
understand that this is an attempt to influence and it's
essentially propaganda.
Mr. Higgins. Ms. Van Cleave?
Ms. Van Cleave. It's hard to add to that statement. I fully
endorse what Michael said. This is a serious concern. Of
course, it is also an opportunity when we know that there's a
specific foreign interest in a particular university. From a
counterintelligence perspective, it shines a light that that
nation-state has a particular interest here and is willing to
invest money in it, but it's small compensation for the risk
presented.
Mr. Higgins. Is there enhanced vetting at the federal level
for a foreign exchange student out of a potential threat
nation-state like China where there's examples of intellectual
property theft? Is there enhanced vetting at the federal level
right now prior to the university level?
Ms. Van Cleave. Not that I am aware of. Others on the panel
may have a different insight on that----
Mr. Higgins. I think they should be.
Ms. Van Cleave. --but as long as they're meeting the
requirement for the visa to be issued and they have the support
of the university, we are a very open and welcoming country.
Mr. Higgins. Let me ask you each this question. How can the
United States universities vet or conduct due diligence on
potential Chinese or other foreign partners that may have
access to our laboratories and in our universities?
Mr. Wessel. My view of that is that's primarily a
governmental role and not the universities' but that--where
there are--again research that's going on either with cleared
defense contractors with governmental agencies where there's
federal money, there should be a certain level of scrutiny.
And to your earlier question, one of the problems we found
at the China Commission was that foreign students were coming
in under visas, for example, to study liberal arts, and once--
and they would change a semester later to physics, to computer
sciences, et cetera, where there may be threats that we want to
look at. Universities should be responsible when the terms of a
student's participation at the university has changed, to talk
to the authorities, inform them, and then leave it to the
authorities as to whether there should be follow-up.
Mr. Higgins. Do you believe vetting at the federal level
should be tied to the intended course of study for foreign
exchange students?
Mr. Wessel. I believe the--for the target of the research--
and so I'm focused more on the laboratory work that's done
rather than just the general teaching at a university, so a
computer science course is one thing, but if that person goes
into computer science lab where there may be work on
encryption, for example, that should have higher scrutiny.
Mr. Higgins. And for federally funded university
laboratories, should there not be a responsibility to report
that adjustment of that student's intended course of study?
Mr. Wessel. Yes. As I said earlier, if they change the
terms of their visas when they came here and what the situation
they were supposed to enter, if that changes, there should be
information to the Federal Government.
Mr. Higgins. Thank you for your answers.
I recognize my colleague, Mr. Beyer, for five minutes for
questions.
Mr. Beyer. Thank you, Mr. Chairman, very much.
You know, the National Science Board recently released its
biennial Science and Engineering Indicators report, and the
basics is that federal investment in basic research and
development vis-a-vis the United States, the Chinese are
rapidly gaining ground on us. I talked to many of my friends in
the medical field, and they just talk about how much more
they're investing than we are. And of course this is
unacceptable if we want to maintain our leadership in science
and engineering.
But to the point of this commission, what role does
persistent flat funding of U.S. science research have on our
reliance on cost-sharing with international partners or give us
additional vulnerabilities in terms of espionage? Anyone want
to grapple with that question?
Mr. Wessel. I think it makes us vulnerable. There have been
instances in the past, again, from the China perspective where
there have been investments by or attempted investments by
Chinese entities, government-affiliated in our universities and
those that have, you know, stable funding in States where
they're a public university where there have been budget cuts
for any of a number of reasons, and there has been greater
receptivity to those investments. That of course then opens up
the underlying research to advantage other players. That has a
serious cost to it.
Mr. Beyer. Great. Mr. Golden, some half-hour ago you wanted
to jump in on the Goethe-Institut vis-a-vis--well, the
Confucius Institute vis-`-vis Goethe, et cetera.
Mr. Golden. Yes, thank you, Congressman, for giving me that
opportunity. Well, one difference between the Confucius
Institutes and these arms of other nations is that they tend to
be on campus, whereas the institutes of the French, German,
British Governments tend to be off-campus. And, you know, the
Confucius Institute courses at many universities they are not
for academic credit but at some universities they are, so
they're more, you know, integrated for whatever reason kind of
into the academic environment and thus, you know, might be
potentially more influential. And of course they're also
accompanied in some cases by quite a bit of money to the
university.
I was also going to say about them, you know, there was
mentions of the foundation that is part of the Chinese
Government. The Confucius Institute for all intents and
purposes are an arm of the Chinese Government. They're from an
affiliate of the Education Ministry. And the research for my
book indicated that they're not intended as an arm of espionage
because it's the Education Ministry, but at times, the--China's
Intelligence Ministry does approach Directors and staff of
Confucius Institute and ask them to gather information. And the
FBI does as well. Both China and the United States are
interested in using Confucius Institute personnel as
intelligence assets because they're so well-positioned.
Mr. Beyer. Okay. Thank you very much. You know, the
National Science Foundation has had a long-standing policy of
rarely doing direct support for foreign organizations and that
when they did, it would have to be allocated only to the U.S.
portion of a project. But in January this year, they revised
its quote/unquote ``proposal and award policies and procedures
guide'' to address all the international branches of American
universities which are springing up around the world. And
another revision calls for funding for a collaborative project
involving foreign organizations, and they both now require the
proposal requesting funds for an international branch or for a
foreign organization to justify why the research activities
cannot be performed on a U.S. campus or by a U.S. organization.
Do you have any thoughts on National Science Foundation's
policy change from rarely doing it out of the United States to
just now allowing it for foreign organizations and for--or for,
say, the George Mason campus in Qatar? Any thoughts?
Mr. Wessel. My thought is I'd prefer--vastly prefer that it
be occurring on U.S. university campuses, and if there's a gap
here that our government, NSF, and others work to fill that gap
here rather than through a foreign university collaboration.
Mr. Beyer. Yes. Well, thank you. You know, that's sort of
the half-point I wanted to make. On the one hand, the previous
question, we want a--we keep hearing again and again that the
National Science Foundation is able to award an ever-smaller
percentage of its excellent proposals with money because
there's just not enough research money with this interesting
change in policy, suggesting that they're going to invest
overseas rather than here. So--anyway, thank you very much.
Mr. Chair, I yield back.
Mr. Higgins. I thank my colleague and recognize Mr.
Loudermilk for five minutes for questions.
Mr. Loudermilk. Thank you, Mr. Chairman. I appreciate the
additional time.
Mr. Hassold, I kind of want to circle back to where we left
off in the previous questioning regarding the Iranian attacks
on our universities. We were discussing whether or not they
were softer targets, and you explained that there's more
transition within the universities and a lot of corporate
businesses. A follow-up on that is did these Iranian actors
have the same success rate with non-academic organizations,
institutions as they did the academic?
Mr. Hassold. The outcomes of the attacks is something I do
not have insight into, as well as I believe the private
organizations that were targeted is something that's only--that
I only know of through the FBI--or the DOJ indictment.
Mr. Loudermilk. Okay. I appreciate that. Of the 31
terabytes that's been reported that was stolen, what type of
data was contained in that?
Mr. Hassold. That's also something that's--that I don't
have specific knowledge into. I just know that they--that the
targeting that I observed was the academic research databases.
I'm assuming that much of that 31 terabytes came from that
exfiltration data.
Mr. Loudermilk. Okay. And from what I've read, a lot of it
is medical research and R&D-type information. How do these
universities respond? When you notify them or when they realize
that they've been a target of a phishing attack or an outside
breach into their systems, how have they responded to these,
specifically, the Iranian attack?
Mr. Hassold. So since I've started researching the group
and their attacks, every time I've identified a new American
university that's been targeted, I have both contacted REN-ISAC
to let them filter the information through their specific
context for universities, as well as when I've been able to
identify a specific point of contact at a university, I
directly informed them of potential phishing attack. REN-ISAC
has been fantastic. They have--we've been in communication a
significant amount, and they have confirmed that notifications
have gone out.
I haven't gotten response back from universities based on
my communications. However, I wouldn't really expect that. I
would really more expect them to take the information and try
to mitigate on their side. From what I understand with most
phishing attacks, the way a lot of universities deal with them
is that they block the malicious sites and most infrastructure
on their internal networks, which is a quick way to deal with
them. However, one of the issues with that is if there is a
user that is not network that tries to access the malicious
sites, that same protection is not afforded to them. So things
like actually trying to mitigate the actual sites and shutting
those sites down is an additional step that could be done to
help prevent the damage caused by these types of attacks.
Mr. Loudermilk. Well, have you seen, are they reporting
these IP addresses to have them blacklisted or do they
communicate with other universities? I mean, the strength of
these research universities is the collaboration on their
research and development. Are they collaborating with one
another to highlight that, you know, we've been subjected to a
phishing attack, we've been--data has been breached? Are they
going outside of their own infrastructure? I mean, I commend
them. You know, you go into your gateway, your firewall, you
block that IP address, but from an IT perspective, there seems
to be so many more things that could be done, hiding your page
such as this so it's not available to the public to replicate
that, that you have to be interior to the network to actually
get to that page, reporting to your internet provider to have
the IP blacklisted, I mean, that's one step that--of course,
they can change their IP addresses, but also education and
collaborating with other universities. I mean, do you see that
they're doing this and what other steps could they or should
they be taking?
Mr. Hassold. I'm sure every university is different
specifically how they deal with these types of attacks. There
are resources like REN-ISAC, which I've mentioned multiple
times, that sort of is that central place for intelligence and
information-sharing that they can use. I don't know how much
universities directly interact with one another, especially--I
would assume that there would be some sort of interaction.
There are some other defensive tactics that would probably
stem the effectiveness of these types of attacks like
multifactor authentication that a lot of schools don't utilize.
And from what I've learned with my discussions with university
partners, as well as some of the folks at REN-ISAC, the cost
associated with implementing multifactor authentication is
pretty significant, and a lot of universities don't have the
sources of funding to be able to pay for things like that. But
something like multifactor authentication would be able to
prevent some of these types of attacks after the fact by not
allowing foreign actors to be able to login to the actual
legitimate pages.
Mr. Loudermilk. I appreciate that. And so as with any
attack, it appears this could have been prevented by, you
know--and hindsight is 20/20, but it could have been prevented.
Last question. Are the universities taking this serious
enough to prevent it from happening in the future? And I'll
open that up to anybody on the panel.
Mr. Hassold. That's a good question. That would be a
question I think would be better suited to be answered by the
actual universities. I think they would probably have better
insight into it. But I think this--these--this type of threat
is so sophisticated that dealing with it would take significant
resources to do and a significant planning and collaboration
amongst the entire academic institution.
Mr. Loudermilk. Thank you. Anyone else care to--all right.
Well, Mr. Chairman, thank you. I yield back.
Mr. Higgins. I thank my colleague.
This has certainly been an enlightening conversation we've
engaged in today. I thank the witnesses for their valuable
testimony and the Members for their questions. The record will
remain open for two weeks for additional comments and written
questions from Members.
The Science, Space, and Technology Oversight Subcommittee
and Research and Technology Subcommittee joint hearing is
adjourned.
[Whereupon, at 12:01 p.m., the Subcommittees were
adjourned.]
Appendix I
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
[all]